*Sigh*
Ok, first off, in a regime in which you are applying serious security, physical
security is a large portion of the security management. You can pretty well hack
into any system if you sit right at the damn thing. If someone can boot off a root
disk in Linux... you already blew away three key security policies one should have.
#1) Physical security to the machine.
#2) Installing or Mounting devices not required. If you don't physically remove
the drives, you could be in trouble. Now, realistically this is an extra step
since physical security shouldn't be compromised in the first place. Anyways, long
story short, you can boot off a CD-ROM, floppy or even the hard drive if you've got
physical access. (Not hard to remove the hard disk if you're at the console.)
#3) Mounting FAT on ANY sort of "secure" machine :)
OK, OK. Lecture over. However, assuming one cannot hack your box because you have
no floppy really is asking for trouble. There are a few HOWTOs on how to
compromise Linux by simply mounting the file system after the fact, changing root
passwd to "" and rebooting. At that point... the machine is yours. Takes about 3
minutes to take the cover off... so don't assume physical security is NOT an
issue; I've seen people carry hard drives around just for such occasions.
BTW, I am curious to know WHY someone would have FAT of any sort in a machine used
in a security policy. I must have missed the original message, since I cannot
fathom WHY it would be used in the first place.
Magic Man wrote:
>
> Daniel Todd wrote:
>
> > This prevents having an insecure msdos file system on your box which is
> > the "easy" thing to do with tarballs. It is especially dangerous if it
> > is your root fs. You really don't want a root fs that can be edited by
> > booting off a DOS floppy.
>
> If a floppy can be booted, then security is compromised right there. I
> can boot any kind of OS via floppy and modify an internal filesystem.
>
> My firewall box has no floppy drive installed at all. I plugged one in
> for the initial install...but it was immediately removed and there's
> nothing on the box but a couple of LEDs and a power switch.
>
> --
> .\\agic .\\an
> Rarebird Consulting Services
--
Dana M. Epp
NetMaster Networking Solutions, Inc.
eppdm @ netmaster . ca
http://www.netmaster.ca
" Connecting networks to the Internet..."