Firewall Wizards mailing list archives

Re: Securing a Linux Firewall

From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Thu, 25 Jul 2002 17:53:47 -0400 (EDT)

On Thu, 25 Jul 2002, Stephen P. Berry wrote:

If you can't get physical access to your machines, then you don't know
who can.  If you land a couple boxen on the surface of Mars but can't
get to Mars yourself, then you can bet your sweet euphamism that every
Martian hacker that side of Olympus Mons is gangprobing your machines.

Correlary:  If you can't get physical access to your own boxen, you've
already got other problems.  Upgrade paths should always be under
a couple kilometers.


I think you're a tad confused here ;> It's not a matter of not being able
to get physical access to the boxes - it's a matter of being able to easily
access said boxes.

It's certainly possible to fly someone out to handle the remote boxes each
and every time there's an issue - but that scales poorly, at best.

This is what Kerckhoff called (in another context) an illusory complication.
Do you really imagine that there are that many evildoers who -would-
get physical access to a machine and boot off media but -wouldn't- slap
a CD drive into the box, bring a spare hard drive to boot off of, or just
walk off with the whole box (or the physical media in it)?

Don't get me wrong---all other things being equal (which they never are),
I'll doing any little thing I can think of to make things difficult for
the adversary.  But there's a difference between low-level annoyance
measures and things which constitute actual preventative measures.  Not
having a CD drive in a box is of the former sort.


I do in fact imagine that there are many evildoers who don't regularly
carry around cdroms or hard drives that function correctly in all manner
of boxes ;> Picking up and carrying the box out seems far more likely to
me (but is also much, much more visible, in relative terms).

This also depends on the type of machine that you commonly deploy, of
course ;>

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Securing a Linux Firewall, (continued)
- - - Re: Securing a Linux Firewall Marcus J. Ranum (Jul 23)
    - Re: Securing a Linux Firewall Brian Hatch (Jul 23)
    - Re: Securing a Linux Firewall Carson Gaspar (Jul 24)
    - Re: Securing a Linux Firewall BORBELY Zoltan (Jul 24)
    - RE: Securing a Linux Firewall Bill Royds (Jul 24)
    - Re: Securing a Linux Firewall Kyle R. Hofmann (Jul 24)
    - Re: Securing a Linux Firewall Stephen P. Berry (Jul 26)
    - Re: Securing a Linux Firewall R. DuFresne (Jul 26)
    - Re: Securing a Linux Firewall Gwendolynn ferch Elydyr (Jul 24)
    - Re: Securing a Linux Firewall Stephen P. Berry (Jul 25)
    - Re: Securing a Linux Firewall Gwendolynn ferch Elydyr (Jul 25)
    - RE: Securing a Linux Firewall David Lang (Jul 24)
- RE: Securing a Linux Firewall Bruce Platt (Jul 23)
- RE: Securing a Linux Firewall Roger Marquis (Jul 23)
- Re: Securing a Linux Firewall Marcus J. Ranum (Jul 23)
- RE: Securing a Linux Firewall Ravdal, Stig (Jul 24)