Firewall Wizards mailing list archives

Re: Securing a Linux Firewall


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 30 Jul 2002 17:02:38 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Gwendolynn ferch Elydyr writes:

> I think you're a tad confused here ;> It's not a matter of not being able
> to get physical access to the boxes - it's a matter of being able to easily
> access said boxes.

While I -am- easily confused, I don't think that's a factor here.  Not
being able to access your boxen `easily' is functionally the same (for
purposes of this discussion) as not being able to reach them at all.
If you aren't the person who can most easily lay hands on your
machines, you have problems.

There's an analogous situation in administering machines over a network---if
you don't own the biggest pipe with the lowest latency between you and your
machines, eventually you're going to find yourself unable to talk to them.

At any rate, longer or more difficult physical access paths mean longer
response times.  This in turn means that an evildoer can accomplish more
before you can react, and they have a better chance of being able to 
cover their tracks (figuratively or literally).  If you're a plane ride
away from a box, not only does the evildoer have the time to slap a
CD drive in it and boot off removable media---they have time to show
up, discover the machine doesn't have a drive, head over to the
nearest parts store, buy a CD drive, fill out the registration card, get
the mail-in rebate, then return to compromise your box...and still get
out before you're through security at the airport.


> I do in fact imagine that there are many evildoers who don't regularly
> carry around cdroms or hard drives that function correctly in all manner
> of boxes ;>

Well, I imagine that most of 'em don't carry around a variety of serial cables
either, but that doesn't mean I'd leave a root login on the serial console and
rely on the cabling problem to function as a security device.

In any case, if you're pulling the CD drive as a preventative measure, you're
already assuming the evildoer is familiar with the OS and hardware and
has boot media with them.  I agree that there are many evildoers who don't fit
that description.  That's not the point.  If we're talking about pulling
a CD drive, we're positing the existence of a bad guy who -does- have the
media and -would- attempt to compromise the box if there was a drive to
stick it in, but will be stymied if that drive is not present.

Anyway, all you'd need is a SCSI and an IDE drive.  If you're interested
in booting from Sun's OBP, you'd want to be sure the SCSI drive supports
the MODE SELECT command.  You'd probably want to take adapters so
you could hang the drive off a 50, 68, or SCA connector, but that about
covers it.

I guess if you're only worried about old 4/690s using IPI drives, you
don't have to be too concerned about evildoers wandering around with
Seagate Saber 7s slung over their shoulder, but with the exception of
a few narrow niches like that, the array of hardware needed to physically
compromise the vast majority of systems out there is small enough to fit in
a laptop case.


> Picking up and carrying the box out seems far more likely to
> me (but is also much, much more visible, in relative terms).

Well, being visible isn't the same as being caught.  During a datacenter
move I was part of a couple years ago, I must've pushed a couple million
dollars' worth of hardware out of an office building and into a moving
van.  Pushing an Intel Touchstone Sigma---worth over a megabuck at the
time---out the door, I had no problem getting people to hold the door
for me[0].

Of course, removing a drive and walking out with it would be an easier way
for a bad guy to make off with your sensitive data.  The fact is, though, that
you can't tell if someone owns a box by looking at it.  If you -can- look
at it, that is, which you can't if you're in an airplane a couple hundred
kilometers away.

- -spb

- -----
0       Later, when we were collecting all the remaining miscellaneous stuff,
        I was lugging out a Mac Quadra 700 (running A/UX---yeeeeuch) and got
        stopped twice by suspicious office workers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9RyjHG3kIaxeRZl8RAq56AJ4+jIAXCRpF6hAtmqRQtebdFAK4dQCgu3uh
AzdvL7wy4D9nDrOs5YdTGO4=
=s00w
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards