Firewall Wizards mailing list archives

Re: Securing a Linux Firewall


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 25 Jul 2002 14:04:35 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Gwendolynn ferch Elydyr writes:

> While this is definitely a viable solution when you have easy physical
> access to the machine in question, it degrades badly when you're handling
> remote machines (where remote could be across the city, country, or
> world).

If you can't get physical access to your machines, then you don't know
who can.  If you land a couple boxen on the surface of Mars but can't
get to Mars yourself, then you can bet your sweet euphemism that every
Martian hacker that side of Olympus Mons is gangprobing your machines.

Corollary:  If you can't get physical access to your own boxen, you've
already got other problems.  Upgrade paths should always be under
a couple kilometers.


> Beyond that, it's not always safe to assume that a box will have a cdrom
> drive. If I'm looking to make it harder for someone with physical access
> to modify my box inappropriately, I'll build it via the network, or remove
> the cdrom after build...

This is what Kerckhoffs called (in another context) an illusory complication.
Do you really imagine that there are that many evildoers who -would-
get physical access to a machine and boot off media but -wouldn't- slap
a CD drive into the box, bring a spare hard drive to boot off of, or just
walk off with the whole box (or the physical media in it)?

Don't get me wrong---all other things being equal (which they never are),
I'll do any little thing I can think of to make things difficult for
the adversary.  But there's a difference between low-level annoyance
measures and things which constitute actual preventative measures.  Not
having a CD drive in a box is of the former sort.

- -spb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9QGe9G3kIaxeRZl8RAg8DAKCr0mNqqnwugnRb2ZKjbg1n4wKRHwCgxYr+
aMb7rw8bqrAXuuPhn9Ijcfw=
=z8vJ
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
