Subject: Re: Hardening A sparc kernel
To: None <Julian.Young@nl.compuware.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: port-sparc
Date: 05/07/2002 10:25:58
In lists.netbsd.port-sparc you write:

>I am curious to know when hardening a sparc kernel for say a firewall
>application would you leave out things like NFS?  What about those prototype
>drivers?

Yes, you leave out NFS, and everything else that you don't absolutely need.

In the big firewall clusters I've built (using SunOS and Solaris mostly)
the management bastion is left with NFS client support, and all the other
bastions with no NFS code in the kernel.  Then run a user space NFS that
uses SSL as transport and X.509 certs to authenticate connections - and run
it from inetd - no portmapper.  Allows you to run tripwire and the like
on all the bastions etc without needing physical access.

--sjg