Re: Linux Firewall on CD

["Marcus J. Ranum" <mjr () ranum com>]

Paul Robertson wrote:
> Usually, CD bootable systems use 
> a RAM Disk- so an attacker can easily keep things in memory, and the only 
> thing you really gain is disinfection with a reboot- however you're still 
> vulnerable to the original attack, so the gain from running off a CD is 
> pretty negligable from a security perspective.

Depends on how it's done, really. The CD bootable systems I used
to build chrooted off the RAM disk onto the CD image, so there was
no RAM disk to mess with, and there weren't any device nodes except
for the bare minimum since the device nodes needed to mount the
CD and hard disk were back in the RAM disk behind the chroot. If you
mount the hard disk noexec, and the CD image isn't writeable, it's
pretty hard to screw around with the system. Of course, one can
always conjure up a scenario involving an infinitely clever attacker
exploiting an infinite number of design flaws so in theory no firewall
will ever be secure.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards