
Re: [cobalt-security] Using a separate machine for firewalling.



Michael Stauber wrote:

> Hi Malcom,
>
> > A little tip we run a Sun Solaris 7 OS from the CD drive I'd love to see a
> > hacker compromise the firewall and the add anything of any use :)

This gains you a little bit more security and helps against the unlikely event
that someone actually compromises the 'firewall' (if you prefer to call an
off-the-shelf OS-based solution such a thing) instead of someone exploiting a hole
in some unlucky but (intentionally!) accessible service on one of your
supposedly 'protected' boxes... I am not trying to be a cynic, but just running
the system from a CDROM is not going to gain you anything with regard to the security of
your *network*; it just adds *some* (marginal) amount of security to the
firewall itself, which is, ultimately, not really the system whose protection is
most critical.

> hehehe ... yes, that sure works in your favour. I thought about a similar
> setup for a while, too. You could always store configfiles on a floppy and
> some shareware or open source firewalls use this kind of setup.

I actually implemented such a thing two years ago (it was my first project at my
current employer) with regular Linux OS components (at that time, it was based
on Red Hat binaries), but as I said, the effort gains you very little. If you have
no services running on the Linux-based firewall, there's only a very subtle
difference. Remember, the wily hackers' main objective is NOT hacking your
firewall and fiddling with your rulesets, but gaining r3wt on one of your boxen.

> For those who worry about not being able to store logfiles: That's easy to
> settle. Forward and store them on another Linux machine inside the protected
> network.

And just hope that machine does not get compromised by someone exploiting a
BIND, RPC or whatever hole on one of the machines reachable from the outside.

> My reason not to go for it was that I'd like to twist the configuration from
> time to time to test new stuff.

This should be entirely possible by using a floppy disk or some such media for
configuration data. I believe you had already mentioned that before.

Jan