Re: [cobalt-security] Using a separate machine for firewalling.
- Subject: Re: [cobalt-security] Using a separate machine for firewalling.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 24 Jul 2001 15:28:49 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi shimi,
> Now tell me, what bothers him (I still don't understand how he will
> connect if no services are running at all, and no terminals on the system
> at all) - but - in case that he somehow does - what bothers him just
> dumping a compiled binary and running it? :-)
> Don't tell me you erased ch* too ;-)
Tadaaaa. :o) There you have the difference between a CD-driven firewall and
one which runs on a read-write environment like a hard disk <g>. That is
exactly the Achilles heel. You can just look at a binary in vi and then copy
and paste it to the target system if it has the same architecture.
On the other hand: when you run the OS off the CD and you have some memory to
burn, what about creating a RAM disk and using that for the storage of
hacker binaries?
There will always be ways to make bad things happen once someone has dodged
all the defenses and got root access. But with the proper setup you can make
that so darn difficult that it's quite a challenge. Like denying all
incoming traffic originating from the outside, or with stateful inspection
of packets, which is also quite helpful.
Professional solutions for high-risk targets usually include several
firewalls which supervise and control each other. So if someone penetrates
the first, outer firewall, then the next in line will notice this and will
then shut down the compromised one. I think the freely available SINUS
adaptive firewall operates along those lines, too.
--
With best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6081-946240
Eppsteiner Weg 9 ___ D-61267 Neu-Anspach ___ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
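The message above contrasts a plain "deny incoming from the outside" rule with stateful inspection. The following is an added example, not code from the list or from the poster, that simulates both approaches in Python to show the difference: a stateless rule that merely blocks connection-initiating SYN packets from the WAN (the old ipchains `! -y` style heuristic) still lets a forged ACK through and cannot recognise UDP replies, while a connection-tracking filter admits only packets that answer a flow the inside host opened. Interface names, addresses, ports and the `Packet` class are constructed for the example.

```python
"""Stateless vs. stateful inbound filtering, simulated in Python.

Added example; the hosts, ports and class names below are constructed
for illustration and do not come from the original mailing-list post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet arrived on: "lan" or "wan"
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. frozenset({"SYN"})


def stateless_allow(pkt: Packet) -> bool:
    """Old-style rule set without connection tracking.

    Everything from the LAN is allowed.  From the WAN, TCP is allowed unless
    it is a bare SYN (connection attempt); UDP has no reply heuristic at all
    and is simply denied.  This is the "deny incoming from outside" approach.
    """
    if pkt.iface == "lan":
        return True
    if pkt.proto != "tcp":
        return False
    syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
    return not syn_only


class StatefulFilter:
    """Connection-tracking filter: WAN packets pass only as replies to a
    flow that a LAN host initiated."""

    def __init__(self) -> None:
        # flows keyed as (proto, lan_addr, lan_port, wan_addr, wan_port)
        self.flows: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.iface == "lan":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            starts_tcp = pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
            if starts_tcp or pkt.proto == "udp":
                self.flows.add(key)          # remember the outbound flow
            return True                      # outbound traffic is permitted
        # inbound: must match a tracked flow with addresses/ports reversed
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.flows


def demo() -> dict:
    """Run a constructed packet sequence through both filters.

    Returns {label: (stateless_decision, stateful_decision)}.
    """
    lan_host, web, dns, attacker = "192.168.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.7"
    sf = StatefulFilter()
    sequence = [
        ("out_syn",      Packet("lan", "tcp", lan_host, 40000, web, 80, frozenset({"SYN"}))),
        ("in_synack",    Packet("wan", "tcp", web, 80, lan_host, 40000, frozenset({"SYN", "ACK"}))),
        ("in_forged_ack", Packet("wan", "tcp", attacker, 1234, lan_host, 22, frozenset({"ACK"}))),
        ("in_syn_ssh",   Packet("wan", "tcp", attacker, 1235, lan_host, 22, frozenset({"SYN"}))),
        ("out_dns",      Packet("lan", "udp", lan_host, 53001, dns, 53)),
        ("in_dns_reply", Packet("wan", "udp", dns, 53, lan_host, 53001)),
        ("in_udp_spoof", Packet("wan", "udp", attacker, 53, lan_host, 53001)),
    ]
    results = {}
    for label, pkt in sequence:
        results[label] = (stateless_allow(pkt), sf.allow(pkt))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in demo().items():
        print(f"{label:14s} stateless={'ALLOW' if stateless else 'DROP ':5s} "
              f"stateful={'ALLOW' if stateful else 'DROP'}")
```

The two cases worth staring at are `in_forged_ack`, which an ACK-flag heuristic waves through but connection tracking drops because no inside host ever opened that flow, and `in_dns_reply`, which the stateless rule set can only admit by opening UDP wholesale while the stateful filter admits exactly the answer to the query it saw leave.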