Choosing an OS and distribution
There are clearly many candidate operating systems to choose from, both free and 
nonfree, as well as some commercial firewall appliances. We decided to go open source 
(cheap) and multifunctional (real operating system). We considered several flavors of 
Linux and one of BSD.

OpenBSD has the best security reputation of any operating system. However, we were 
unfamiliar with it; it also has a reputation for being difficult to install. 
Furthermore, the day-to-day administration of the firewall was to be the 
responsibility of the client, and the staff there had no experience with BSD either. 
We decided right away not to go with OpenBSD for those reasons. We intend to play with 
OpenBSD ourselves before recommending it to our clients.

Red Hat was a tempting choice, since the old server already runs it and our client had 
experience administering it. However, Red Hat is not a security-focused distribution. 
In addition, Red Hat comes with lots of usability- and desktop-oriented software which 
would just take up space (and create security holes) on a server. We decided not to go 
with Red Hat for the firewall.

Immunix from Wirex Communications (see Resources for a link) looked like a very 
promising candidate. The basic distribution is Red Hat 6.2, with all programs compiled 
by the StackGuard compiler, which protects against most stack-based buffer overruns. 
It does not prevent heap-based buffer overruns, however, and incurs a 10 percent 
performance penalty due to the extra checking. Also, it includes all of the excess 
software that comes with Red Hat. You also have to register before you can download 
it. But the icing on the cake was that SubDomain and Cryptomark, two security 
enhancements described on the Immunix web page, are "not quite ready for public 
release" (emphasis in original). In other words, two-thirds of the security package is 
vaporware.

We liked the cute name of the Bastille distribution, but quickly found out that it 
wasn't a distribution at all. Apparently, Bastille is a set of Perl scripts that you 
run post-install on your Linux system to beef up security. We want to run it on the 
server after we install Linux.

===========================

After running that gauntlet of half-fixes, we were very pleased to find Trustix. It is 
small and server-oriented -- it has no GUI, for example. The distribution includes 
more secure versions of various services, including postfix for mail, and bsd-ftpd 
instead of wu-ftpd. In fact, Trustix appeared to have no downside. We happily 
proceeded with the install.

===========================

