[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Using a separate machine for firewalling.
- Subject: Re: [cobalt-security] Using a separate machine for firewalling.
- From: Jan P Tietze <jptietze@xxxxxxxxxxx>
- Date: Mon, 23 Jul 2001 21:33:01 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Michael Stauber wrote:
> Hi Malcom,
>
> > A little tip we run a Sun Solaris 7 OS from the CD drive I'd love to see a
> > hacker compromise the firewall and the add anything of any use :)
This gains you a little bit more security and helps against the unlikely event
that someone actually compromises the 'firewall' (if you prefer to call a
off-the-shelf OS-based solution such a thing) instead of some exploiting a hole
in some unlucky but (intentionally!) accessible service on one of your
supposedly 'protected' boxes... I am not trying to be a cynic, but just running
the system from a CDROM is not going to gain you with regard to the security of
your *network*, it just adds *some* (marginal) amount of security to the
firewall itself; which is, ultimately, not really the system whose protection is
most critical.
> hehehe ... yes, that sure works in your favour. I thought about a similar
> setup for a while, too. You could always store configfiles on a floppy and
> some shareware or open source firewalls use this kind of setup.
I actually implemented such a thing two years ago (it was my first project at my
current employer) with regular linux OS components (at that time, it was based
on Red Hat binaries), but as I said, the effort gains you very few. If you have
no services running on the linux-based firewall, there's only a very subtle
difference. Remember, the wiley hackers' main objective is NOT hacking your
firewall and fiddling with your rulesets, but gaining r3wt on one of your boxen.
> For those who worry about not being able to store logfiles: That's easy to
> settle. Forward and store them on another Linux machine inside the protected
> network.
And just hope that machine does not get compromised by someone exploiting a
BIND, RPC or whatever hole on one of the machines reachable from the outside.
> My reason not to go for it was that I'd like to twist the configuration from
> time to time to test new stuff.
This should be entirely possible by using a floppy disk or some such media for
configuration data. I believe you had already mentioned that before.
Jan