Re: [fw-wiz] Linux Firewall on CD

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/12/03

  • Next message: Paul Robertson: "Re: [fw-wiz] Linux Firewall on CD"
    To: Paul Robertson <proberts@patriot.net>, james mcdermott <bklynjames@hotmail.com>
    Date: Fri, 11 Jul 2003 22:11:24 -0400
    
    

    Paul Robertson wrote:
    >Usually, CD bootable systems use
    >a RAM Disk- so an attacker can easily keep things in memory, and the only
    >thing you really gain is disinfection with a reboot- however you're still
    >vulnerable to the original attack, so the gain from running off a CD is
    >pretty negligable from a security perspective.

    Depends on how it's done, really. The CD bootable systems I used
    to build chrooted off the RAM disk onto the CD image, so there was
    no RAM disk to mess with, and there weren't any device nodes except
    for the bare minimum since the device nodes needed to mount the
    CD and hard disk were back in the RAM disk behind the chroot. If you
    mount the hard disk noexec, and the CD image isn't writeable, it's
    pretty hard to screw around with the system. Of course, one can
    always conjure up a scenario involving an infinitely clever attacker
    exploiting an infinite number of design flaws so in theory no firewall
    will ever be secure.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Paul Robertson: "Re: [fw-wiz] Linux Firewall on CD"

    Relevant Pages

    • Re: Prevent command prompt from popping up at system startup
      ... I think 1G RAM is way enough to cover any XPe system that is properly setup - caches are off, ... you should be pretty safe from the overlay size standpoint. ... would be hard to estimate how big the EWF overlay can be. ... Another approach that sometimes is useful and less risky than EWF RAM is in using RAM disk for storing most of heavy system settings ...
      (microsoft.public.windowsxp.embedded)
    • Re: numbers dont lie ...
      ... you should have sufficient RAM ... your benchmark won't be happy. ... the buildworld, so it is in the cache. ... a RAM disk for it is a win. ...
      (freebsd-hackers)
    • Re: What did microprocessors cost in the 70s?
      ... extra RAM was set up as a RAM disk. ... RAM disk with my work files so that when I ran my make.bat ... just because of that card. ... I remember paying $180 for a 1K memory expansion board for one of my early ...
      (rec.games.pinball)
    • Re: What did microprocessors cost in the 70s?
      ... extra RAM was set up as a RAM disk. ... RAM disk with my work files so that when I ran my make.bat ... just because of that card. ... I remember paying $180 for a 1K memory expansion board for one of my ...
      (rec.games.pinball)
    • Re: Authentication on both sides
      ... > What I said was that all the attacker has to do is read the keys out of the ... to encrypt the executable/library format, ... and to encrypt all dynamic drivers/modules. ... execution from RAM). ...
      (sci.crypt)