Re: [cobalt-security] Using a separate machine for firewalling.
- Subject: Re: [cobalt-security] Using a separate machine for firewalling.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 24 Jul 2001 04:59:55 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Jan,
> > > A little tip: we run a Sun Solaris 7 OS from the CD drive. I'd love to
> > > see a hacker compromise the firewall and then add anything of any use :)
>
> This gains you a little bit more security and helps against the unlikely
> event that someone actually compromises the 'firewall' (if you prefer to
> call an off-the-shelf OS-based solution such a thing).
Hey, hold it right there, my friend. :o) I didn't suggest that solution, nor
do I use it. I also mentioned my reasons for not using it. And I agree with
you that it doesn't result in an all around security package for the very
same reasons you stated.
> I actually implemented such a thing two years ago (it was my first project
> at my current employer) with regular Linux OS components (at that time, it
> was based on Red Hat binaries), but as I said, the effort gains you very
> little. If you have no services running on the Linux-based firewall, there's
> only a very subtle difference. Remember, the wily hackers' main objective
> is NOT hacking your firewall and fiddling with your rulesets, but gaining
> r3wt on one of your boxen.
You see ... if you had followed up on my earlier message you'd have noticed
that my firewall runs very few services. Just squid, ipchains, openssh,
does NAT for the internal net, **** denies all connections which originate
from the internet ****, has no inetd, no RPM, no compiler and even no kernel
header files.
So even if someone gains root access, he can do next to nothing with it. He
can't download files to the box, because no ftp client is installed. He can't
upload files, as no service would take the files, because no daemons
(ftp, apache, samba, nfs and so on) are installed. He can't compile anything,
because no compiler is present. Even if he manages to get a compiler onto the
box, he still can't compile, because without kernel header files the compiler
fails. So for a hacker this box is next to unusable. He can of course
destroy it, but hey ... that's what backups are for.
> And just hope that machine does not get compromised by someone exploiting a
> BIND, RPC or whatever hole on one of the machines reachable from the
> outside.
That's why I configured mine to:
**** deny all connections which originate from the internet ****
Compromise that. ;o) As I don't yet offer any services from my network at
home to the internet I can afford to be that restrictive. But once you poke a
hole into the firewall you'll have to live with the fact that a leak is a
leak - which can result in flooding, wet feet or even worse disasters. ;o)
> This should be entirely possible by using a floppy disk or some such media
> for configuration data. I believe you had already mentioned that before.
Yes, I had. But maybe you're just as tired at the moment as I am. No hard
feelings, Jan, but somehow I guess you hit reply on the wrong message. ;o)
--
Mit freundlichen Grüßen / With best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6081-946240
Eppsteiner Weg 9 ___ D-61267 Neu-Anspach ___ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
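An added example, not part of the message above: an ipchains ruleset that implements the posture Michael describes (default DENY, no connections originating from the internet, NAT for the internal net). The interface names and the internal subnet are assumptions; ipchains has no connection tracking, so "deny connections from the internet" is expressed by dropping inbound TCP SYNs (`-y`) on the external interface.

```shell
#!/bin/sh
# Constructed example. Assumed values, override via the environment:
EXT_IF="${EXT_IF:-eth0}"              # assumed: interface facing the internet
INT_IF="${INT_IF:-eth1}"              # assumed: interface facing the LAN
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed: internal RFC 1918 network

# Print the ipchains commands for the given external interface, internal
# interface and internal net, one per line. Printing instead of executing
# lets the ruleset be reviewed (or diffed against the running one) first.
firewall_rules() {
    ext="$1"; int="$2"; net="$3"
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $int -s $net -j ACCEPT
ipchains -A input -i $ext -s $net -l -j DENY
ipchains -A input -i $ext -p tcp -y -l -j DENY
ipchains -A input -i $ext -p tcp ! -y -j ACCEPT
ipchains -A input -i $ext -p udp --source-port 53 -j ACCEPT
ipchains -A input -i $ext -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A forward -i $ext -s $net -j MASQ
EOF
}
# Rule order matters (first match wins): the loopback and LAN-side accepts
# cover squid and sshd for internal clients; the anti-spoof rule logs and
# drops packets on the external side that claim an internal source; the
# SYN deny (-y, logged) blocks every inbound connection attempt; the
# "! -y" accept lets replies to outbound connections back in; the UDP/ICMP
# lines admit DNS answers and ping replies only. Forwarded LAN traffic is
# masqueraded behind the external address; everything else is denied.

if [ "${1:-}" = "--apply" ]; then
    # Applying requires root and the ipchains binary (2.2-era kernel).
    firewall_rules "$EXT_IF" "$INT_IF" "$INT_NET" | sh -e
else
    firewall_rules "$EXT_IF" "$INT_IF" "$INT_NET"   # review mode: print only
fi
```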