Re: [fw-wiz] Linux Firewall on CD
From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/12/03
- Previous message: Jim McAtee: "[fw-wiz] OpenSource Firewall for ISP or Webhost"
- In reply to: Paul Robertson: "Re: [fw-wiz] Linux Firewall on CD"
- Next in thread: Paul Robertson: "Re: [fw-wiz] Linux Firewall on CD"
- Reply: Paul Robertson: "Re: [fw-wiz] Linux Firewall on CD"
To: Paul Robertson <proberts@patriot.net>, james mcdermott <bklynjames@hotmail.com>
Date: Fri, 11 Jul 2003 22:11:24 -0400
Paul Robertson wrote:
>Usually, CD bootable systems use
>a RAM Disk- so an attacker can easily keep things in memory, and the only
>thing you really gain is disinfection with a reboot- however you're still
>vulnerable to the original attack, so the gain from running off a CD is
>pretty negligible from a security perspective.
Depends on how it's done, really. The CD bootable systems I used
to build chrooted off the RAM disk onto the CD image, so there was
no RAM disk to mess with, and there weren't any device nodes except
for the bare minimum since the device nodes needed to mount the
CD and hard disk were back in the RAM disk behind the chroot. If you
mount the hard disk noexec, and the CD image isn't writeable, it's
pretty hard to screw around with the system. Of course, one can
always conjure up a scenario involving an infinitely clever attacker
exploiting an infinite number of design flaws so in theory no firewall
will ever be secure.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
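
As an added example (not from the original post or its author), this Python check audits a `/proc/mounts`-style table for the two properties the message relies on: a read-only root image and `noexec` on every writable filesystem. The `nodev` check goes beyond the message and is an assumption; the function names, device paths and sample mount tables are constructed for illustration.

```python
# Added example: audit a /proc/mounts-style table against a read-only,
# noexec layout. All sample data below is constructed.
PSEUDO_FS = {"proc", "sysfs", "devpts", "devtmpfs", "securityfs"}

def parse_mounts(text):
    """Yield (device, mountpoint, fstype, option-set) for each mount line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        yield fields[0], mnt, fields[2], set(fields[3].split(","))

def audit_mounts(text):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    root_seen = False
    for dev, mnt, fstype, opts in parse_mounts(text):
        if fstype in PSEUDO_FS:
            continue
        if mnt == "/":
            root_seen = True
            if "ro" not in opts:
                findings.append(f"{mnt}: root filesystem is writable ({fstype})")
            continue
        if "rw" in opts:
            if "noexec" not in opts:
                findings.append(f"{mnt}: writable and executable ({fstype} on {dev})")
            if "nodev" not in opts:  # extra check, not stated in the message
                findings.append(f"{mnt}: writable without nodev ({fstype} on {dev})")
    if not root_seen:
        findings.append("no root filesystem entry found")
    return findings

# Constructed samples, not taken from any real system.
HARDENED = """\
/dev/cdrom / iso9660 ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /var/log ext2 rw,noexec,nodev,nosuid 0 0
"""
RAMDISK_STYLE = """\
/dev/ram0 / ext2 rw 0 0
proc /proc proc rw 0 0
/dev/hda1 /var/log ext2 rw,nodev 0 0
"""

if __name__ == "__main__":
    for name, table in (("hardened", HARDENED), ("ramdisk", RAMDISK_STYLE)):
        print(name, audit_mounts(table) or "OK")
```

On a live system the same function can be fed the contents of `/proc/mounts` read from inside the chroot, which shows what a process confined there can actually reach.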