From owner-freebsd-newbies@FreeBSD.ORG Mon Mar 7 14:04:20 2005 Return-Path: Delivered-To: freebsd-newbies@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47CDA16A4CF for ; Mon, 7 Mar 2005 14:04:20 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id D060143D55 for ; Mon, 7 Mar 2005 14:04:19 +0000 (GMT) (envelope-from sovrevage@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so1182270wri for ; Mon, 07 Mar 2005 06:04:19 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=DEKdR6t4nqWb13ykeXTevv3l/EL6njzCvgLXvCu3e69T15JdH+iKvYuzBsKHKWJeHyT4HE9ob4oUskbqJHJWimCmorq7TWZX46iP5zHvdVhvsBPE2eFH7zZMop7wUTQ2yR3OYZG3PpQGD07cOcFlgL4AajCrz1B9lcBdQ1slOWg= Received: by 10.54.83.7 with SMTP id g7mr58197wrb; Mon, 07 Mar 2005 06:04:18 -0800 (PST) Received: by 10.54.21.47 with HTTP; Mon, 7 Mar 2005 06:04:18 -0800 (PST) Message-ID: Date: Mon, 7 Mar 2005 15:04:18 +0100 From: =?ISO-8859-1?Q?Stian_=D8vrev=E5ge?= To: freebsd-newbies@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Secure installation and updating X-BeenThere: freebsd-newbies@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: =?ISO-8859-1?Q?Stian_=D8vrev=E5ge?= List-Id: Gathering place for new users List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Mar 2005 14:04:20 -0000 Hi list, first time reader, first time poster... To build some practical skills within Unix, Networking and Security, I have made myself a case study to provide some services for a fictional corporation. I have some ( very limited ) experience with FreeBSD and have therefore choosen that as my primary server OS. I want to assure trustworthyness and integrity along the whole lifetime of the installations. Including secure installation and initial updating as well as secure destruction and sanitizing, something I feel is left out from many security-related discussions. In security-related questions regarding the whole operation I assume the worst, that my "trusted" network is already compromised, that there are remote vuln's to every program I run, that connections I make to the Internet is not to be relied upon. It's within the latter my current dilemma is. After reading countless pages on secure installation I've understood that it is highly recommended to download the newest kernel and rebuild. I'm not aware of which methods CVSup uses for authentication and encryption. Assuming that my session with updating my sources can be sniffed, hijacked, mitm-ed, or substituted from the beginning, I would have grave problems with trusting my fresh box. There is also another problem I with this; I want to keep the box completely shielded from any hostile network, including my own "trusted". This to minimize exposure to the possible undisclosed vuln's that might reside within the default installation. To sum it all up: Is it possible to download the newest source to for example a USB pen drive ( keywords: ultra-portable and super-unpredictable ), and transfer this to my isolated box, and hence updating without exposure? Regards, Stian