Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 30 Jul 2002 17:02:38 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gwendolynn ferch Elydyr writes:
> I think you're a tad confused here ;> It's not a matter of not being able to get physical access to the boxes - it's a matter of being able to easily access said boxes.
While I -am- easily confused, I don't think that's a factor here. Not being able to access your boxen `easily' is functionally the same (for purposes of this discussion) as not being able to reach them at all. If you aren't the person who can most easily lay hands on your machines, you have problems. There's an analogous situation in administering machines over a network---if you don't own the biggest pipe with the lowest latency between you and your machines, eventually you're going to find yourself unable to talk to them.

At any rate, longer or more difficult physical access paths mean longer response times. This in turn means that an evildoer can accomplish more before you can react, and they have a better chance of being able to cover their tracks (figuratively or literally). If you're a plane ride away from a box, not only does the evildoer have the time to slap a CD drive in it and boot off removable media---they have time to show up, discover the machine doesn't have a drive, head over to the nearest parts store, buy a CD drive, fill out the registration card, get the mail-in rebate, then return to compromise your box...and still get out before you're through security at the airport.
> I do in fact imagine that there are many evildoers who don't regularly carry around cdroms or hard drives that function correctly in all manner of boxes ;>
Well, I imagine that most of 'em don't carry around a variety of serial cables either, but that doesn't mean I'd leave a root login on the serial console and rely on the cabling problem to function as a security device. In any case, if you're pulling the CD drive as a preventative measure, you're already assuming the evildoer is familiar with the OS and hardware and has boot media with them. I agree that there are many evildoers who don't fit that description. That's not the point. If we're talking about pulling a CD drive, we're positing the existence of a bad guy who -does- have the media and -would- attempt to compromise the box if there was a drive to stick it in, but will be stymied if that drive is not present.

Anyway, all you'd need is a SCSI and an IDE drive. If you're interested in booting from Sun's OBP, you'd want to be sure the SCSI drive supports the MODE SELECT command. You'd probably want to take adapters so you could hang the drive off a 50, 68, or SCA connector, but that about covers it. I guess if you're only worried about old 4/690s using IPI drives, you don't have to be too concerned about evildoers wandering around with Seagate Saber 7s slung over their shoulder, but with the exception of a few narrow niches like that, the array of hardware needed to physically compromise the vast majority of systems out there is small enough to fit in a laptop case.
> Picking up and carrying the box out seems far more likely to me (but is also much, much more visible, in relative terms).
Well, being visible isn't the same as being caught. During a datacenter move I was part of a couple years ago, I must've pushed a couple million dollars' worth of hardware out of an office building and into a moving van. Pushing an Intel Touchstone Sigma---worth over a megabuck at the time---out the door, I had no problem getting people to hold the door for me[0]. Of course, removing a drive and walking out with it would be an easier way for a bad guy to make off with your sensitive data. The fact is, though, that you can't tell if someone owns a box by looking at it. If you -can- look at it, that is, which you can't if you're in an airplane a couple hundred kilometers away.

- -spb

- -----
0 Later, when we were collecting all the remaining miscellaneous stuff, I was lugging out a Mac Quadra 700 (running A/UX---yeeeeuch) and got stopped twice by suspicious office workers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9RyjHG3kIaxeRZl8RAq56AJ4+jIAXCRpF6hAtmqRQtebdFAK4dQCgu3uh
AzdvL7wy4D9nDrOs5YdTGO4=
=s00w
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
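The message above makes two passing points that are easy to check on a Linux box rather than argue about: whether root is allowed to log in on a serial console, and whether the bootloader will let anyone with a keyboard (or a freshly bought CD drive) boot something of their own choosing. The following audit script is an added example for this archive page; it is not code from the thread or from Stephen Berry. It assumes the conventional file layout of a 2002-era Linux firewall: /etc/securetty lists the ttys on which root may log in (serial ports appear as ttyS0, ttyS1, ...), and the bootloader config is /etc/lilo.conf or a GRUB menu.lst, both of which use a line beginning with "password" to set one. The paths are parameters so it can be run against constructed sample files, as the demo function does.

```sh
#!/bin/sh
# Added audit example (not from the original thread). Assumptions:
#  - root login on a tty is permitted iff that tty is listed in securetty
#  - a bootloader password is a line starting with "password" (lilo.conf
#    'password=...' or GRUB 'password ...'); commented lines don't count

# Print any serial ttys (ttyS<n>) on which securetty permits root login.
# Returns 1 if any are listed or the file cannot be read, 0 if none.
serial_root_logins() {
    securetty="$1"
    if [ ! -r "$securetty" ]; then
        echo "cannot read $securetty: serial root login policy unverified" >&2
        return 1
    fi
    found=$(grep -E '^[[:space:]]*ttyS[0-9]+[[:space:]]*$' "$securetty")
    if [ -n "$found" ]; then
        echo "root login permitted on serial console(s):"
        echo "$found"
        return 1
    fi
    return 0
}

# Returns 0 if the bootloader config sets a password, 1 otherwise.
bootloader_password_set() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -qE '^[[:space:]]*password([[:space:]]|=)' "$conf"
}

# Demo against constructed files: a securetty that allows root on ttyS0
# and a lilo.conf with no password line (both typical defaults of the era).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'console\ntty1\ntty2\nttyS0\n' > "$dir/securetty"
    printf 'boot=/dev/hda\nprompt\ntimeout=50\nimage=/vmlinuz\n  label=linux\n' \
        > "$dir/lilo.conf"

    serial_root_logins "$dir/securetty" || echo "-> drop ttyS lines from securetty"
    bootloader_password_set "$dir/lilo.conf" \
        || echo "-> no bootloader password: anyone at the console picks the kernel/boot args"

    rm -rf "$dir"
}

# Run the demo only when executed directly, not when sourced for its functions.
case "$0" in *audit*|*sh) ;; esac
[ "${AUDIT_DEMO:-1}" = 1 ] && [ -z "${AUDIT_SOURCED:-}" ] && demo
```

Run it as-is to see the demo output, or source it (`AUDIT_SOURCED=1 . ./audit.sh`) and call `serial_root_logins /etc/securetty` and `bootloader_password_set /etc/lilo.conf` against a real host. Neither check is a substitute for the point the thread keeps returning to: once someone is standing in front of the box with their own boot media, these are speed bumps, not walls.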
Current thread:
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 01)
- Re: Securing a Linux Firewall Carson Gaspar (Aug 01)
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 01)
- Re: Securing a Linux Firewall Carson Gaspar (Aug 02)
- Re: Securing a Linux Firewall Michael A. Williams (Aug 03)
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 06)
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 01)
- Re: Securing a Linux Firewall Carson Gaspar (Aug 01)
- <Possible follow-ups>
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 01)
- Re: Securing a Linux Firewall Carson Gaspar (Aug 01)
- Re: Securing a Linux Firewall Stephen P. Berry (Aug 01)
- Re: Securing a Linux Firewall Carson Gaspar (Aug 01)
- RE: Securing a Linux Firewall Litscher, Mark (Aug 06)