Re: [fw-wiz] Securing a Linux Firewall

From: Stephen P. Berry (spb@meshuggeneh.net)
Date: 08/01/02


To: Carson Gaspar <carson@taltos.org>
From: "Stephen P. Berry" <spb@meshuggeneh.net>
Date: Thu Aug  1 21:52:42 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carson Gaspar writes:

>> There's an analogous situation in administering machines over a
>> network---if you don't own the biggest pipe with the lowest latency
>> between you and your machines, eventually you're going to find yourself
>> unable to talk to them.

>Only if your attackers have access to your management pipe. Which should not
>be the case in a very robust network. Out-of-band management is a must.

This is my point, yes.

>It is cost prohibitive to have trained security staff at every physical
>location, given a large multinational organization.

Perhaps this is just me being confused again, but I thought we were
talking about the viability of getting a CD into a box for booting
off read-only media/obtaining debugging tools for use with one of
our hotly-contested minimally installed OSes/that sort of thing.
That's the kind of detail a firewall-wizard delegates to one of his
firewall-tarsiers, never having to leave the steely bowels of his
Fortress of Solitude.

My point was that if you don't even have that sort of access to your
boxen (i.e., if someone has to get into a plane when a box needs to be power
cycled), then you've got all sorts of other problems beyond being unable
to boot/debug via CD. Including (as per my example) but not limited to
physical security.

>In my case, CD-ROM drives were yanked because they failed more often than
>hard drives did, and they hung the SCSI bus when they died, taking out the
>entire system.

This is a valid point. If this is a deciding factor for you, you might
consider something like a SCSI switchbox with an external CD drive. I've
used this sort of setup when I've had to have old DAT drives connected
to boxen with high availability requirements. The DAT drives would go
casters-up on a semiregular basis, and spam the bus with SCSI resets
when they were quote working unquote. One of those SCSI switches that
allows you to connect and disconnect external devices without bouncing
the boxen really helps.

- -spb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9SeKWG3kIaxeRZl8RAuGUAJ49hhcvnm5zAD2aOr4O1jSvFtpKCQCfbhOG
vW6ntTVEDUQ5S0UWwUVEvRU=
=2slW
-----END PGP SIGNATURE-----