Re: [fw-wiz] Securing a Linux Firewall

From: Carson Gaspar (carson@taltos.org)
Date: 07/31/02 

From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Jul 31 21:17:20 2002

--On Tuesday, July 30, 2002 5:02 PM -0700 "Stephen P. Berry"
<spb@meshuggeneh.net> wrote:

> There's an analogous situation in administering machines over a
> network---if you don't own the biggest pipe with the lowest latency
> between you and your machines, eventually you're going to find yourself
> unable to talk to them.

Only if your attackers have access to you management pipe. Which should not
be the case in a very robust network. Out-of-band management is a must.

> At any rate, longer or more difficult physical access paths mean longer
> response times. This in turn means that an evildoer can accomplish more
> before you can react, and they have a better chance of being able to
> cover their tracks (figuratively or literally). If you're a plane ride
> away from a box, not only does the evildoer have the time to slap a
> CD drive in it and boot off removable media---they have time to show
> up, discover the machine doesn't have a drive, head over to the
> nearest parts store, buy a CD drive, fill out the registration card, get
> the mail-in rebate, then return to compromise your box...and still get
> out before you're through security at the airport.

It is cost prohibitive to have trained security staff at every physical
location, given a large multinational organization.

> In any case, if you're pulling the CD drive as a preventative measure,
you're
> already assuming the evildoer is familiar with the OS and hardware and
> has boot media with them. I agree that there are many evildoers who
don't fit

In my case, CD-ROM drives were yanked because they failed more often than
hard drives did, and they hung the SCSI bus when they died, taking out the
entire system. 

-- 
Carson

Relevant Pages

  • (OT)Re: Cottage industry suggestion.. [long]
    ... no real limit to the amount of cards and drives that I can daisychain into i ... machines caddies should the fileserver fall over. ... more power than the existing setup. ... Yes - Noise for me is the killer - I don't mind power consumption too much ...
    (uk.tech.digital-tv)
  • Re: Low end desktop for EE tasks?
    ... the two machines are guaranteed to diverge. ... Attached HDD and started up but BIOS doesn't detect HDD or CDR. ... Have to install W98 first from CD to install XP ... BIOS only detects one of the CD drives so Windows CD in. ...
    (sci.electronics.design)
  • Re: Low end desktop for EE tasks?
    ... the two machines are guaranteed to diverge. ... Attached HDD and started up but BIOS doesn't detect HDD or CDR. ... Have to install W98 first from CD to install XP ... BIOS only detects one of the CD drives so Windows CD in. ...
    (sci.electronics.design)
  • Re: Printer problems....
    ... There used to be a running joke at one of my previous jobs. ... When we purchased 20 PC's, on one purchase order from a company, they'd send us 20 PC's with "identical specification". ... The first thing we'd do it take the lids off, and see that we had 20 "Similair" machines, no two would have the same configuration. ... There'd be at least 5 different motherboards, 5 different CD-Roms, we were lucky to get 2 floppy drives of the same brand, 2 or maybe 3 hard drives all different sizes. ...
    (sci.electronics.design)
  • Re: Best strategy hard drive swapping?
    ... >>> without USB. ... >>> swapping of drives from one machine to another. ... temperatures with the case open or closed on most machines. ... The propagation velocity in ...
    (comp.sys.ibm.pc.hardware.storage)