Date: Mon, 7 Mar 2005 15:04:18 +0100
From: Stian Øvrevåge <sovrevage@gmail.com>
To: freebsd-newbies@freebsd.org
Subject: Secure installation and updating
Message-ID: <bf68260705030706044f1247ba@mail.gmail.com>

Hi list, first time reader, first time poster...

To build some practical skills within Unix, Networking and Security, I have made myself a case study to provide some services for a fictional corporation. I have some (very limited) experience with FreeBSD and have therefore chosen that as my primary server OS.

I want to assure trustworthiness and integrity along the whole lifetime of the installations, including secure installation and initial updating as well as secure destruction and sanitizing, something I feel is left out from many security-related discussions.

In security-related questions regarding the whole operation I assume the worst: that my "trusted" network is already compromised, that there are remote vulns in every program I run, and that connections I make to the Internet are not to be relied upon. It's within the latter that my current dilemma lies.

After reading countless pages on secure installation I've understood that it is highly recommended to download the newest kernel and rebuild. I'm not aware of which methods CVSup uses for authentication and encryption. Assuming that my session with updating my sources can be sniffed, hijacked, mitm-ed, or substituted from the beginning, I would have grave problems with trusting my fresh box.

There is also another problem I have with this: I want to keep the box completely shielded from any hostile network, including my own "trusted" one. This is to minimize exposure to the possible undisclosed vulns that might reside within the default installation.

To sum it all up: Is it possible to download the newest source to, for example, a USB pen drive (keywords: ultra-portable and super-unpredictable), and transfer this to my isolated box, and hence update without exposure?

Regards,
Stian