Secure installation and updating

Stian Øvrevåge sovrevage at gmail.com
Mon Mar 7 14:04:20 GMT 2005


Hi list, first time reader, first time poster...

To build some practical skills within Unix, Networking and Security, I
have made myself a case study to provide some services for a fictional
corporation. I have some (very limited) experience with FreeBSD and
have therefore chosen that as my primary server OS.

I want to assure trustworthiness and integrity along the whole
lifetime of the installations, including secure installation and
initial updating as well as secure destruction and sanitizing,
something I feel is left out from many security-related discussions.

In security-related questions regarding the whole operation I assume
the worst, that my "trusted" network is already compromised, that
there are remote vulns to every program I run, that connections I
make to the Internet are not to be relied upon. It's within the latter
that my current dilemma lies. After reading countless pages on secure
installation I've understood that it is highly recommended to download
the newest kernel and rebuild. I'm not aware of which methods CVSup
uses for authentication and encryption. Assuming that my session with
updating my sources can be sniffed, hijacked, mitm-ed, or substituted
from the beginning, I would have grave problems with trusting my fresh
box. There is also another problem I have with this: I want to keep the box
completely shielded from any hostile network, including my own
"trusted". This is to minimize exposure to the possible undisclosed
vulns that might reside within the default installation.

To sum it all up: Is it possible to download the newest source to, for
example, a USB pen drive (keywords: ultra-portable and
super-unpredictable), and transfer this to my isolated box, and hence
update without exposure?

Regards,
Stian


More information about the freebsd-newbies mailing list