Date: Sun, 14 Jul 1996 21:29:11 +0200 (MET DST)
From: Wilko Bulte <wilko@yedi.iaf.nl>
To: FreeBSD-hackers@freebsd.org (FreeBSD hackers list)
Subject: the translated press article on FreeBSD
Message-ID: <199607141929.VAA14840@yedi.iaf.nl>
Hi there,

By popular demand I translated the relevant parts of the 'Firewalls' article. If you have any remarks on the content of the article please send email to the authors (address attached at the bottom). If the translation is obscure, please tell me...

------ BEGIN ------

Translated from "Computable, issue July 12, 1996". Excerpt from a 2-part article on Internet firewalls. This is taken from part 2, 'Protection against invaders attacking via networks, part 2. "Proxy server": security first'.

Subheading: Custom designed firewalls

The custom designed firewall does not start from a specific product. Instead, it uses freely available software components to build a bastion host. This solution allows access to the source code of the complete system, making it independent of a hardware or software supplier. Consultancy firms offer the possibility to design, implement and configure the firewall according to customer specs. The customer now also has the opportunity to hire an independent second consultant to check on the designed system.

The custom firewall is in all cases best based on a proxy-server solution, preferably with a dual-homed bastion host. The bastion host hardware and its operating system can be freely selected. For the bastion host one should preferably select an operating system based on 4.4BSD Unix. A good choice is the FreeBSD operating system, which is completely free and comes with full source code. The networking code of FreeBSD is based on Net/3 of 4.4BSD and is regarded as very stable. In addition FreeBSD has built-in IP packet filter software and allows read-only files to be unchangeable even for super-users. This is an additional barrier if a cracker ever compromises the machine's security. FreeBSD is made available in controlled releases by a core team of developers. This means the complete operating system is always available as a stable 'set' of software.

The standard 4.4BSD documentation set is applicable to FreeBSD (user's guide, system management manual, developer's manual). The documentation is available from book shops. FreeBSD runs on the Intel platform (486/Pentium/PentiumPro). A 486/33 has enough performance to handle a 2 Mbit/s line. A Pentium/133 system is capable of handling a complete Ethernet (10 Mb/s).

Because of the availability of the kernel sources it is possible to remove unsafe TCP/IP features completely from the kernel (especially: ICMP redirect, IP forwarding, and IP source routing). In addition it is possible to add logging functionality to the kernel (especially logging of UDP and TCP requests to ports without a server process running).

An alternative for the Intel/FreeBSD combination is the more commercial version of 4.4BSD: BSDi. This version is available without source code at a very low price. A supplementary source license is available at extra cost. Another alternative is the choice of a commercial Unix variant like Solaris, SunOS, HP-UX, AIX etc. Of these versions source code is definitely unavailable, making a 'fortified kernel' impossible. By the way: to use the freely available firewall code (supplied in source form) a C compiler is required.

Article written by: Frank W. ten Wolde, MSc and Jean-Paul van der Jagt, BSc. Both work as Unix consultants at Pinewood Automation Inc, in Delft, The Netherlands. Email: hans@pinewood.nl

------ END ------

Wilko

_  ____________________________________________________________________
 | / o / /  _        Wilko Bulte        email: wilko@yedi.iaf.nl
 |/|/ / / /( (_)     Private FreeBSD site - Arnhem - The Netherlands
--------------------------------------------------------------------------
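The article's kernel-hardening recipe for a dual-homed, proxy-only bastion host (no IP forwarding, no ICMP redirects, no source routing, logging of packets aimed at ports with no listener, and a packet filter in front of the proxy) can be expressed with the knobs a current FreeBSD system exposes through sysctl(8) and ipfw(8). The script below is an added example, not code from the article, from Wilko's post, or from the FreeBSD project; the 1996 text predates these sysctl names, so mapping its list onto them is an assumption, and the interface names, internal network and proxy port are placeholders.

```shell
#!/bin/sh
# Added example: hardening a dual-homed FreeBSD bastion host along the lines
# the article describes. Assumed placeholders (override via environment):
EXT_IF="${EXT_IF:-em0}"                # assumed interface facing the Internet
INT_IF="${INT_IF:-em1}"                # assumed interface facing the LAN
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed internal network
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed application-proxy port on the bastion

# Kernel settings that switch off the TCP/IP behaviour the article wants
# removed (forwarding, ICMP redirects, source routing) and turn on logging of
# TCP/UDP packets that arrive at ports with no server process listening.
# These are the sysctl names of present-day FreeBSD; the 1996 article achieved
# the same by editing kernel source.
hardening_sysctls() {
    cat <<'EOF'
net.inet.ip.forwarding=0
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
EOF
}

# ipfw ruleset for a proxy-only bastion. The only permitted paths are
# LAN -> proxy on the bastion itself and bastion -> Internet for the proxy's
# own connections. Nothing is ever passed between the two interfaces, internal
# addresses arriving on the outside interface are rejected as spoofed, and
# every packet not explicitly allowed is denied and logged.
bastion_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny log ip from ${INT_NET} to any in via ${EXT_IF}
add 220 deny log ip from 127.0.0.0/8 to any in via ${EXT_IF}
add 300 check-state
add 400 allow tcp from ${INT_NET} to me ${PROXY_PORT} in via ${INT_IF} setup keep-state
add 500 allow tcp from me to any 80,443 out via ${EXT_IF} setup keep-state
add 510 allow udp from me to any 53 out via ${EXT_IF} keep-state
add 600 allow icmp from any to any icmptypes 3,11
add 65000 deny log ip from any to any
EOF
}

# Applies both sets on a FreeBSD host (requires root). Persist them by adding
# the sysctl lines to /etc/sysctl.conf and the rules to the file named by
# firewall_type in /etc/rc.conf, with firewall_enable="YES",
# firewall_logging="YES" and gateway_enable="NO".
apply_hardening() {
    hardening_sysctls | while IFS= read -r setting; do
        sysctl "$setting"
    done
    ipfw -q -f flush
    bastion_rules | ipfw -q /dev/stdin
}

# Only touch the running system when explicitly asked; plain invocation just
# shows what would be applied.
case "${1:-}" in
    apply) apply_hardening ;;
    *)     hardening_sysctls; bastion_rules ;;
esac
```

Run it without arguments to review the generated settings and ruleset, and with `apply` as root on the bastion to install them. The catch-all `deny log` rule is what produces the audit trail the article asks for at the filter level; the `log_in_vain` sysctls cover connection attempts that the filter passes to the host but that no daemon is listening for.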