02-16-2005 01:20 PM
I am writing a security document. I need to include some recommendations about the software selection during the OS installation.
At this moment, the following components are recommended not to be installed.
- CIFS related components including server and client
- Apache - if the server is not a web server
- NFS related components including server and client
- XML Web server tools
- Webmin based admin
- Ximian GNOME
Is there anything that I missed here? This document is based on HP-UX 11.23 and 11.11.
02-16-2005 01:31 PM Solution
CDE / X - these have a history of security issues, so you could leave them out in case no graphical logins are needed. (And for such cases, there are still other solutions.)
VxVm administrator - at least on Tru64 (LSM there) it listens on the network for some funky Java GUI.
02-16-2005 03:38 PM
I don't remember how isolated those filesets are. Other candidates: kermit, telnet, ftp, r-services.
Sorry I can't remember fileset names and the like.
02-16-2005 03:53 PM
security? Could you explain why?
Don't you think it would be easier to install IPFilter and
allow only those incoming/outgoing traffic that you
want to allow and block everything else (and log all
suspicious connection attempts)? I can understand
that you don't want to install anything that is not
needed on the system, but IPFilter would add another
line of defence to your systems.
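A minimal default-deny IPFilter ruleset of the kind the post above describes, as an added example that is not part of the original thread. The interface name `lan0`, the admin subnet `192.0.2.0/24`, and the choice of SSH and DNS as the permitted services are assumptions to replace with your own.

```conf
# Constructed example ruleset (ipf.conf syntax); adjust names and addresses.

# Default policy: block and log everything that no later rule passes.
# Without "quick", the last matching rule decides, so these act as the
# fallback for any packet the "pass ... quick" rules below do not match.
block in log all
block out log all

# Inbound: allow SSH only from the admin subnet (assumed 192.0.2.0/24).
# "flags S keep state" admits the initial SYN and then tracks the session,
# so replies need no separate rule.
pass in quick on lan0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state

# Outbound: allow DNS lookups and TCP connections initiated by this host.
pass out quick on lan0 proto udp from any to any port = 53 keep state
pass out quick on lan0 proto tcp from any to any flags S keep state
```

Connection attempts to any other port match only the `block in log all` rule, so they are dropped and recorded in the IPFilter log.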
02-17-2005 01:50 AM
They provide various documents containing "Benchmark" security recommendations for various OS flavours, including HP-UX.
02-17-2005 02:15 AM
02-17-2005 04:20 AM
It will describe all insecure software and the way to exclude it from install.
Install Bastion host
02-17-2005 04:35 AM
Only install it if you need it. It is very useful if you want to share files on the HP box with Windows users or vice versa. Otherwise it's pretty much wasted hard disk space. It does not, as far as I know, represent a security hazard.
NFS - Data goes back and forth in clear text. This is a security hazard. If you don't need NFS, don't use it. You must however leave it installed. I monkeyed around with removing it once and did serious damage to an old box I was using for the experiment. I ended up having to do an Ignite restore.
Apache - significant issues. Right now I have a seemingly pointless port 80 abuse on my Linux Apache server and it's driving me crazy, since I'm 7,000 miles from the box and must tread lightly.
Tomcat: If the box is not a web server, Tomcat provides no functionality.
Webmin based admin. I think for this you need Apache running. There are no security hazards in this product that I know of, and it's actually quite useful.
XML - No web server, no need for these.
Mozilla - Very useful, pretty secure. I use it to get patches so there is zero chance of me ruining the depot by forgetting to ftp the thing right from my pc. Also, the ftp step transmits passwords in clear text. Bad idea.
Ximian GNOME - Dead product, no support any more. Decided not to go to Gnome. Their port was nice, but old. It was patched a lot and there may have been security hazards.
Java - Oracle needs it. Mozilla needs it. I'd think about changing my mind.
IPfilter - No security hazards. Easy to use, can be helpful in improving security. I'd reconsider this one unless you trust each and every user BEHIND your firewall. Remember 65% of system attacks come from employees.
General rule on security is: If it's not going to be used, don't install it. It cannot be abused if it does not exist on the system.
Owner of ISN Corporation
02-17-2005 07:39 PM
thanks for 10 points, but I would really like to know
why would you recommend not installing IPFilter for
better security. I have been working for
Hewlett-Packard's IPFilter team for last few years and
you are the first person I have seen who is
recommending to avoid installing IPFilter and would
really like to know what I'm missing here.