This is a discussion on Red Hat ES3.0 Security within the Linux Security forums, part of the System Security and Security Related category; Can someone advise if RH ES3.0 is secure enough out of the box to perform ecommerce function without being ...
On Wed, 30 Mar 2005 10:26:32 +0000, Chris Mewton wrote:

> Can someone advise if RH ES3.0 is secure enough out of the box to
> perform ecommerce function without being behind a separate firewall?
> I guess yes, but have been told no.
> regards

Since there have been patches written to ES3; since patches continue to be written; and since the statement implies that no one will be looking for and applying patches; IMO, the answer is NO.
HansF <News.Hans@telus.net> wrote in
news:pan.2005.03.30.12.17.35.393535@telus.net:

> On Wed, 30 Mar 2005 10:26:32 +0000, Chris Mewton wrote:
>
>> Can someone advise if RH ES3.0 is secure enough out of the box to
>> perform ecommerce function without being behind a separate firewall?
>> I guess yes, but have been told no.
>> regards
>
> Since there have been patches written to ES3; since patches continue
> to be written; and since the statement implies that no one will be
> looking for and applying patches; IMO, the answer is NO.

Hi. Other than patching, I think the OP is asking, can he/she assume that the default setup as released by Red Hat is secure without him/her having to go through the different settings and start hardening the security settings.

I don't use RedHat, but I assume that at the very least you will have to go through and start looking at the different services running and start disabling what you don't need.

--
"Why do they call it rush hour when nothing moves?", Robin Williams
On Wed, 30 Mar 2005 06:05:42 -0600, Darko Gavrilovic wrote:

> Hi. Other than patching, I think the OP is asking, can he/she assume that
> the default setup as released by Red Hat is secure without him/her having
> to go through the different settings and start hardening the security
> settings.

Sorry, that's not the way I read it. But even if proper & regular SysAdmin is involved, security still depends on how the system was installed, what options were selected, etc.

While the RHEL3 default is pretty reasonable, I wouldn't put a credit-card handling, billing, or company jewels system on an unhardened OS - of any vintage. I'd suggest also reading thru the WROX press "Professional Red Hat Enterprise Linux 3" Chapter 15 to help make the appropriate install and setup decisions.

> I don't use RedHat, but I assume that at the very least you will have to
> go through and start looking at the different services running and start
> disabling what you don't need.

Yup. AND, I'd still recommend walking thru Bob Toxen's book "Real World Linux Security"

/Hans
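The service review that Darko and Hans describe above, as an added example that is not part of any post in the thread: it compares `chkconfig --list` output (the SysV init tool on RHEL 3) against an allowlist and reports what is enabled but not needed. The sample output and the allowlist are constructed assumptions for a web server role, and `unneeded_services` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output against an allowlist.
# SAMPLE is constructed for illustration, not captured from a real host.
SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
        telnet:         on'

# Hypothetical allowlist for a web server role (an assumption; adjust per host).
ALLOW="sshd httpd syslog"

# unneeded_services RUNLEVEL "ALLOWLIST" < chkconfig-output
# Prints one line per service that is enabled but not in the allowlist.
unneeded_services() {
    awk -v rl="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        # xinetd-managed entries look like "name:  on|off"
        xinetd && NF == 2 {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in ok)) print name " (xinetd)"
            next
        }
        # SysV entries: service name followed by seven "N:on|off" fields
        NF == 8 {
            if ($(rl + 2) == rl ":on" && !($1 in ok)) print $1
        }
    '
}

# Stand-alone run against the constructed sample, runlevel 3.
printf '%s\n' "$SAMPLE" | unneeded_services 3 "$ALLOW"
```

On a real host the input would be `chkconfig --list | unneeded_services 3 "$ALLOW"`, and each reported service can then be reviewed and disabled with `chkconfig <name> off`.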
Chris Mewton wrote:

> Can someone advise if RH ES3.0 is secure enough out of the box to
> perform ecommerce function without being behind a separate firewall?
> I guess yes, but have been told no.
> regards
>
> Chris

Security isn't as simplistic as you want it to be. The simple answer is no, RHEL 3 has had many patches issued since it was first released.

What exactly would you be planning to do with your machine?
Many thanks for that informed discussion, and for the recommended reading. My experience with redhat has remained in local networks and so haven't had to get too involved with security.

My understanding of situation was that the OS would be patched to death by the hosting company - Rackspace, but they recommended the use of a hardware firewall which appeared to be prohibitively expensive increasing the cost by nearly 50 percent. An option existed to run without firewall but that would leave the burden of responsibility on my narrow and feeble shoulders. So I wanted to get the facts.

Fact is I'll do some more reading, and in the meantime book space on a secured server.

Thanks again for your input and that of Darko.

Regards
Chris

HansF wrote:
> On Wed, 30 Mar 2005 06:05:42 -0600, Darko Gavrilovic wrote:
>
>>Hi. Other than patching, I think the OP is asking, can he/she assume that
>>the default setup as released by Red Hat is secure without him/her having
>>to go through the different settings and start hardening the security
>>settings.
>
> Sorry, that's not the way I read it. But even if proper & regular
> SysAdmin is involved, security still depends on how the system was
> installed, what options were selected, etc.
>
> While the RHEL3 default is pretty reasonable, I wouldn't put a credit-card
> handling, billing, or company jewels system on an unhardened OS - of any
> vintage. I'd suggest also reading thru the WROX press "Professional Red
> Hat Enterprise Linux 3" Chapter 15 to help make the appropriate install
> and setup decisions.
>
>>I don't use RedHat, but I assume that at the very least you will have to
>>go through and start looking at the different services running and start
>>disabling what you don't need.
>
> Yup. AND, I'd still recommend walking thru Bob Toxen's book "Real World
> Linux Security"
>
> /Hans