Firewall Wizards mailing list archives

Re: Securing a Linux Firewall


From: Carson Gaspar <carson () taltos org>
Date: Wed, 31 Jul 2002 20:06:52 -0400



--On Tuesday, July 30, 2002 5:02 PM -0700 "Stephen P. Berry" <spb () meshuggeneh net> wrote:

> There's an analogous situation in administering machines over a
> network---if you don't own the biggest pipe with the lowest latency
> between you and your machines, eventually you're going to find yourself
> unable to talk to them.

Only if your attackers have access to your management pipe. Which should not be the case in a very robust network. Out-of-band management is a must.

> At any rate, longer or more difficult physical access paths mean longer
> response times.  This in turn means that an evildoer can accomplish more
> before you can react, and they have a better chance of being able to
> cover their tracks (figuratively or literally).  If you're a plane ride
> away from a box, not only does the evildoer have the time to slap a
> CD drive in it and boot off removable media---they have time to show
> up, discover the machine doesn't have a drive, head over to the
> nearest parts store, buy a CD drive, fill out the registration card, get
> the mail-in rebate, then return to compromise your box...and still get
> out before you're through security at the airport.

It is cost prohibitive to have trained security staff at every physical location, given a large multinational organization.

> In any case, if you're pulling the CD drive as a preventative measure, you're
> already assuming the evildoer is familiar with the OS and hardware and
> has boot media with them. I agree that there are many evildoers who
> don't fit

In my case, CD-ROM drives were yanked because they failed more often than hard drives did, and they hung the SCSI bus when they died, taking out the entire system.

--
Carson


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
