Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 01 Aug 2002 18:44:06 -0700
Carson Gaspar writes:
There's an analogous situation in administering machines over a network---if you don't own the biggest pipe with the lowest latency between you and your machines, eventually you're going to find yourself unable to talk to them.
Only if your attackers have access to your management pipe. Which should not be the case in a very robust network. Out-of-band management is a must.
This is my point, yes.
It is cost prohibitive to have trained security staff at every physical location, given a large multinational organization.
Perhaps this is just me being confused again, but I thought we were talking about the viability of getting a CD into a box for booting off read-only media/obtaining debugging tools for use with one of our hotly-contested minimally installed OSes/that sort of thing. That's the kind of detail a firewall-wizard delegates to one of his firewall-tarsiers, never having to leave the steely bowels of his Fortress of Solitude. My point was that if you don't even have that sort of access to your boxen (i.e., if someone has to get into a plane when a box needs to be power cycled), then you've got all sorts of other problems beyond being unable to boot/debug via CD. Including (as per my example) but not limited to physical security.
In my case, CD-ROM drives were yanked because they failed more often than hard drives did, and they hung the SCSI bus when they died, taking out the entire system.
This is a valid point. If this is a deciding factor for you, you might consider something like a SCSI switchbox with an external CD drive. I've used this sort of setup when I've had to have old DAT drives connected to boxen with high availability requirements. The DAT drives would go casters-up on a semiregular basis, and spam the bus with SCSI resets when they were quote working unquote. One of those SCSI switches that allows you to connect and disconnect external devices without bouncing the boxen really helps.

-spb