[12275] in bugtraq
Re: Gauntlet 5.0 BSDI warning
daemon@ATHENA.MIT.EDU (Keith Young)
Tue Oct 19 15:18:18 1999
Message-Id: <380B9449.65216C2E@v-one.com>
Date: Mon, 18 Oct 1999 17:42:33 -0400
Reply-To: Keith Young <kyoung@V-ONE.COM>
From: Keith Young <kyoung@V-ONE.COM>
X-To: Strange <strange@cultural.com>, "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
First, an update. NAI has already released a fix regarding my original
e-mail. You can download it from:
http://www.tis.com/support/patch50.html
Thanks to NAI support for getting a fix out so quickly.
Strange wrote:
>
> According to the folks we asked at NAI in June about the Gauntlet install
> procedure (on all supported OSes), the install order to be used is:
>
> Install OS
> Install OS patches
> Install Gauntlet
> Install Gauntlet patches
> never install any OS patches again
True, but many people install the firewall then the OS vendor releases a
patch.
> Because of that last nasty gotcha, we use a firewall builder box when we
> want to "patch" the firewalls.  We then pull the newly-built drives, and
> swap them into the extant firewall box.  Lather, rinse, repeat.
You are a stronger person than I... I wouldn't want to have to keep
securing the OS on a box and "reinstalling" the firewall every time the
OS/firewall vendor releases an important patch...  :-)
> Interestingly, this is what the vendor told us to *always* do, under *all*
> circumstances.  I'd say that if you're going to apply vendor patches, you
> should assume you have to do a full Gauntlet reinstall because Gauntlet
> 5.0 replaces some key kernel items.
See above....
> I.e., a vendor patch replaced code that Gauntlet had already replaced.
Exactly.
> I am wondering if this is *really* a Gauntlet bug or a Gauntlet vendor
> documentation bug.
Which is why the word "bug" never appeared in the original alert. Had
the M310-049 patch not been required for the kernel patch install, very
few of us would have run into the problem.
> (they do not, as far as we could tell, make it plain that you
> should not apply vendor patches after installing the firewall)
Not exactly true. Look here:
http://www.tis.com/support/bsd31.html
--Keith
-kyoung@v-one.com