Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 25 Jul 2002 14:04:35 -0700
Gwendolynn ferch Elydyr writes:
> While this is definitely a viable solution when you have easy physical access to the machine in question, it degrades badly when you're handling remote machines (where remote could be across the city, country, or world).
If you can't get physical access to your machines, then you don't know who can. If you land a couple of boxen on the surface of Mars but can't get to Mars yourself, then you can bet your sweet euphemism that every Martian hacker that side of Olympus Mons is gangprobing your machines. Corollary: If you can't get physical access to your own boxen, you've already got other problems. Upgrade paths should always be under a couple of kilometers.
> Beyond that, it's not always safe to assume that a box will have a CD-ROM drive. If I'm looking to make it harder for someone with physical access to modify my box inappropriately, I'll build it via the network, or remove the CD-ROM after build...
This is what Kerckhoffs called (in another context) an illusory complication. Do you really imagine that there are that many evildoers who -would- get physical access to a machine and boot off media but -wouldn't- slap a CD drive into the box, bring a spare hard drive to boot off of, or just walk off with the whole box (or the physical media in it)? Don't get me wrong---all other things being equal (which they never are), I'll do any little thing I can think of to make things difficult for the adversary. But there's a difference between low-level annoyance measures and things which constitute actual preventative measures. Not having a CD drive in a box is of the former sort.

-spb