Re: [fw-wiz] Linux Firewall on CD

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/12/03

    To: Paul Robertson <proberts@patriot.net>, james mcdermott <bklynjames@hotmail.com>
    Date: Fri, 11 Jul 2003 22:11:24 -0400
    
    

    Paul Robertson wrote:
    >Usually, CD bootable systems use
    >a RAM Disk- so an attacker can easily keep things in memory, and the only
    >thing you really gain is disinfection with a reboot- however you're still
    >vulnerable to the original attack, so the gain from running off a CD is
    >pretty negligible from a security perspective.

    Depends on how it's done, really. The CD bootable systems I used
    to build chrooted off the RAM disk onto the CD image, so there was
    no RAM disk to mess with, and there weren't any device nodes except
    for the bare minimum since the device nodes needed to mount the
    CD and hard disk were back in the RAM disk behind the chroot. If you
    mount the hard disk noexec, and the CD image isn't writeable, it's
    pretty hard to screw around with the system. Of course, one can
    always conjure up a scenario involving an infinitely clever attacker
    exploiting an infinite number of design flaws so in theory no firewall
    will ever be secure.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
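
A check for the mount layout the message describes (read-only CD image as root, hard disk mounted noexec), as an added example that is not part of the original post. The function names and both sample mount tables are constructed for illustration, and the input is assumed to be in /proc/mounts format, limited to real storage (pseudo filesystems such as proc would be flagged as well).

```sh
#!/bin/sh
# Added example: audit a mount table against the layout in the message:
# root must be read-only, every other writable filesystem must be noexec.

# Constructed sample tables, not taken from any real system.
HARDENED='/dev/cdrom / iso9660 ro 0 0
/dev/hda1 /var/log ext2 rw,noexec,nosuid,nodev 0 0'

WEAK='/dev/ram0 / ext2 rw 0 0
/dev/hda1 /var/log ext2 rw 0 0'

# audit_mounts: reads a mount table on stdin, prints one FAIL line per finding.
audit_mounts() {
    awk '
    {
        mnt = $2; ro = 0; noexec = 0
        n = split($4, opt, ",")          # field 4 is the option list
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro")     ro = 1
            if (opt[i] == "noexec") noexec = 1
        }
        if (mnt == "/") {
            # A writable root gives an intruder somewhere to keep changes.
            if (!ro) print "FAIL root filesystem is writable (" $1 ")"
        } else if (!ro && !noexec) {
            # Writable and executable: dropped files can be run in place.
            print "FAIL " mnt " is writable and allows exec"
        }
    }'
}

# count_findings: number of findings for the mount table passed as $1.
count_findings() {
    printf '%s\n' "$1" | audit_mounts | wc -l | tr -d ' '
}

# Stand-alone run: show the findings for the weak sample table.
printf '%s\n' "$WEAK" | audit_mounts
```

On a live system the same function can be fed from `/proc/mounts` after filtering out pseudo filesystems.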

