+ From: Michael Ellis <mkellis @ ritz . mordor . com>
+ Subject: Re: Right firewall platform
+ To: wohler @ newt . com
+ Date: Tue, 9 Aug 1994 18:05:02 -0400 (EDT)
+ Cc: firewalls @ GreatCircle . COM
+ > Food for thought: wouldn't it be desirable to have a Bastion host
+ > that ISN'T a PC or a workstation running some operating system, but
+ > rather is a standalone system like a cisco router, where you buy a
+ > (potentially cheap) box and configure a couple of interfaces and
+ > some built-in applications (proxy stuff at least). It may also
+ > include a disk and have news and mail in the PROM.
+ How about a UNIX box running its entire OS off of CD-ROM (including
+ root, /usr, and all executables), with disk only used for spool
+ areas. Same effect as said Cisco, with the added benefit that you
+ can 'upgrade' the firewall by slapping in a new CD-ROM.
How about a UNIX box with a *physical* (hardware) write-protect on the
boot drive?? /, /usr, all executables on this drive. Have a 2nd drive
in the box that *is* writable, but it's mounted 'nodev, noexec, nosuid'.
All the 'configuration' files live on the write-protected disk, -even- to
the password file. This is the way I build bastion boxes. I'm a realist;
I have no reason to believe the box is "perfect" - but even if there is a
vulnerability (or more than one), it's going to be *damn* difficult for a
cracker to exploit it, if he can't change anything. And, if anything does
happen, I *will* know about it -- all logging is done -off the box-, thru
a serial connection to a secure machine. Paranoid? Not me, I'm at least
'triplex-noid' <grin> -- for example, I run *both* a 'filtering' 'inetd',
AND 'tcp_wrappers'. Rude surprise for somebody who discovers a way around
*one* of them. <evil laughter>
Robert Bonomi
bonomi @ delta . eecs . nwu . edu <-- guest acct., not presently affiliated with NWU
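
Added example, not part of the original post: a shell audit of the layout the reply describes (system filesystems read-only, the writable drive mounted nodev, noexec, nosuid), run over constructed /proc/mounts-style lines. It assumes / and /usr are the protected filesystems and /var/spool is the writable one; the function names are illustrative.

```shell
#!/bin/sh
# Input: lines in /proc/mounts format (device mountpoint fstype options ...).
# Policy (assumed from the post): / and /usr must be mounted ro; every other
# disk-backed filesystem that is writable must carry nodev, noexec and nosuid.
# A read-only mount flag is weaker than a hardware write-protect; this only
# checks the software side.

has_opt() {  # has_opt <comma-separated options> <option>
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_mounts() {  # reads mount lines on stdin, prints findings, returns 1 if any
    rc=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac   # skip proc, sysfs, tmpfs
        case "$mnt" in
            /|/usr)
                if ! has_opt "$opts" ro; then
                    echo "FAIL $mnt: system filesystem is not read-only"
                    rc=1
                fi ;;
            *)
                has_opt "$opts" ro && continue
                for o in nodev noexec nosuid; do
                    if ! has_opt "$opts" "$o"; then
                        echo "FAIL $mnt: writable filesystem lacks $o"
                        rc=1
                    fi
                done ;;
        esac
    done
    return $rc
}

# Constructed sample mount tables (not from the original post).
SAMPLE_GOOD='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sdb1 /var/spool ext4 rw,nodev,noexec,nosuid 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'
SAMPLE_BAD='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/spool ext4 rw,nodev,nosuid 0 0'

printf '%s\n' "$SAMPLE_GOOD" | audit_mounts && echo "good layout: OK"
printf '%s\n' "$SAMPLE_BAD" | audit_mounts || echo "bad layout: findings above"
```

On a live host the same function can be fed from `/proc/mounts` (`audit_mounts < /proc/mounts`).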