Re: [fw-wiz] Securing a Linux Firewall

From: Carson Gaspar (carson@taltos.org)
Date: 07/31/02


From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Jul 31 21:17:20 2002


--On Tuesday, July 30, 2002 5:02 PM -0700 "Stephen P. Berry"
<spb@meshuggeneh.net> wrote:

> There's an analogous situation in administering machines over a
> network---if you don't own the biggest pipe with the lowest latency
> between you and your machines, eventually you're going to find yourself
> unable to talk to them.

Only if your attackers have access to your management pipe. Which should not
be the case in a very robust network. Out-of-band management is a must.

> At any rate, longer or more difficult physical access paths mean longer
> response times. This in turn means that an evildoer can accomplish more
> before you can react, and they have a better chance of being able to
> cover their tracks (figuratively or literally). If you're a plane ride
> away from a box, not only does the evildoer have the time to slap a
> CD drive in it and boot off removable media---they have time to show
> up, discover the machine doesn't have a drive, head over to the
> nearest parts store, buy a CD drive, fill out the registration card, get
> the mail-in rebate, then return to compromise your box...and still get
> out before you're through security at the airport.

It is cost prohibitive to have trained security staff at every physical
location, given a large multinational organization.

> In any case, if you're pulling the CD drive as a preventative measure,
> you're already assuming the evildoer is familiar with the OS and hardware
> and has boot media with them. I agree that there are many evildoers who
> don't fit

In my case, CD-ROM drives were yanked because they failed more often than
hard drives did, and they hung the SCSI bus when they died, taking out the
entire system.

-- 
Carson