
Re: [cobalt-security] Using a separate machine for firewalling.



Hi Jan,

> > > A little tip: we run a Sun Solaris 7 OS from the CD drive. I'd love to
> > > see a hacker compromise the firewall and then add anything of any use :)
>
> This gains you a little bit more security and helps against the unlikely
> event that someone actually compromises the 'firewall' (if you prefer to
> call an off-the-shelf OS-based solution such a thing)

Hey, hold it right there, my friend. :o) I didn't suggest that solution, nor 
do I use it. I also mentioned my reasons for not using it. And I agree with 
you that it doesn't result in an all-around security package for the very 
same reasons you stated.

> I actually implemented such a thing two years ago (it was my first project
> at my current employer) with regular Linux OS components (at that time, it
> was based on Red Hat binaries), but as I said, the effort gains you very
> little. If you have no services running on the Linux-based firewall, there's
> only a very subtle difference. Remember, the wily hackers' main objective
> is NOT hacking your firewall and fiddling with your rulesets, but gaining
> r3wt on one of your boxen.

You see ... if you had followed up on my earlier message you'd have noticed 
that my firewall runs very few services. Just squid, ipchains, openssh; it 
does NAT for the internal net, **** denies all connections which originate 
from the internet ****, has no inetd, no RPM, no compiler and even no kernel 
header files.

So even if someone gains root access, he can do next to nothing with it. He 
can't download files to the box, because no ftp client is installed. He can't 
upload files, as no service would take the files, because no daemons 
(ftp, apache, samba, nfs and so on) are installed. He can't compile anything, 
because no compiler is present. Even if he manages to get a compiler onto the 
box, he still can't compile, because without kernel header files the compiler 
fails. So for a hacker this box is next to unusable. He can of course 
destroy it, but hey ... that's what backups are for.

> And just hope that machine does not get compromised by someone exploiting a
> BIND, RPC or whatever hole on one of the machines reachable from the
> outside.

That's why I configured mine to:

**** deny all connections which originate from the internet ****

Compromise that. ;o) As I don't yet offer any services from my network at 
home to the internet I can afford to be that restrictive. But once you poke a 
hole into the firewall you'll have to live with the fact that a leak is a 
leak - which can result in floodings, wet feet or even worse disasters. ;o)

> This should be entirely possible by using a floppy disk or some such media
> for configuration data. I believe you had already mentioned that before.

Yes, I had. But maybe you're just as tired at the moment as I am. No hard 
feelings, Jan, but somehow I guess you hit reply on the wrong message. ;o)

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6081-946240
 Eppsteiner Weg 9 ___  D-61267 Neu-Anspach ___ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
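
An added example (not the poster's own ruleset, and not from the Cobalt list) of the kind of ipchains configuration the message above describes: a Linux 2.2 box that masquerades an internal network and denies every connection that originates from the internet. The interface names eth0 (outside) and eth1 (LAN), the network 192.168.1.0/24 and the resolver 192.0.2.53 are assumptions; change them to suit. Run without arguments the script only prints the ipchains commands it would issue; with `--apply` it executes them (as root, on a kernel with ipchains and IP masquerading):

```shell
#!/bin/sh
# Added example: ipchains ruleset for a no-services firewall/NAT box.
# Interface names, the LAN range and the resolver address are assumptions.
set -u

EXT=eth0               # assumed internet-facing interface
INT=eth1               # assumed LAN interface
LAN=192.168.1.0/24     # assumed internal network behind the masquerade
DNS=192.0.2.53         # assumed upstream resolver (TEST-NET address)

# Dry-run unless explicitly asked to apply: print each command instead of running it.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=""; else DRY_RUN=1; fi

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

set_proc() {  # turn on a /proc/sys switch (or print the write in dry-run)
    if [ -n "$DRY_RUN" ]; then echo "echo 1 > $1"; else echo 1 > "$1"; fi
}

build_firewall() {
    # Masquerading on 2.2 kernels needs forwarding and always-defrag enabled.
    set_proc /proc/sys/net/ipv4/ip_forward
    set_proc /proc/sys/net/ipv4/ip_always_defrag

    # Start clean: default-deny on input and forward, let the box's own traffic out.
    run ipchains -F input
    run ipchains -F forward
    run ipchains -F output
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the LAN side (squid, ssh clients) are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT" -s "$LAN" -j ACCEPT

    # Anti-spoofing: nothing arriving on the outside may claim an inside address.
    run ipchains -A input -i "$EXT" -s "$LAN" -j DENY -l
    run ipchains -A input -i "$EXT" -s 127.0.0.0/8 -j DENY -l

    # ipchains keeps no connection state, so "a connection originating from the
    # internet" can only be recognised as a TCP packet with SYN set and ACK/FIN
    # clear (-y). Deny and log those; any other TCP packet is taken to be a reply
    # to a connection the firewall or a masqueraded LAN host opened.
    run ipchains -A input -i "$EXT" -p tcp -y -j DENY -l
    run ipchains -A input -i "$EXT" -p tcp -j ACCEPT

    # UDP has no SYN equivalent, so only replies from the known resolver get in.
    run ipchains -A input -i "$EXT" -p udp -s "$DNS" --sport 53 -j ACCEPT

    # ICMP that working TCP and traceroute need; echo-request from outside stays denied.
    run ipchains -A input -i "$EXT" -p icmp --icmp-type destination-unreachable -j ACCEPT
    run ipchains -A input -i "$EXT" -p icmp --icmp-type time-exceeded -j ACCEPT
    run ipchains -A input -i "$EXT" -p icmp --icmp-type echo-reply -j ACCEPT

    # NAT: only the LAN is forwarded, only outward, and masqueraded on the way.
    # Replies to masqueraded traffic are de-masqueraded after the input chain
    # and never traverse forward, so the DENY policy there costs nothing.
    run ipchains -A forward -i "$EXT" -s "$LAN" -j MASQ
}

build_firewall
```

The caveat worth keeping in mind with a stateless filter like this: "originating from the internet" is only detectable for TCP, and only by the SYN flag. Non-SYN packets from anywhere are let through, so an ACK scan can still tell which ports have a listener (there are none here, which is the point), and every UDP or ICMP reply the box needs has to be whitelisted by hand, as the resolver rule shows. Kernels since 2.4 replaced this with connection tracking (iptables `-m state`, later nftables `ct state`), which denies new inbound flows of any protocol without such per-protocol exceptions.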