On Tue, 14 Mar 2000, Paul Brown wrote:

> I must say that I'm a minimalist.  I believe a firewall, or any other host
> for that matter, should not contain anything which it does not use.

In this case, one would suppose that the system would use the audit tools
(though they could simply be compiled and placed on the system in binary
form, which may be a better compromise.)

> Today's systems have all kinds of tools loaded because they are general
> computers that can be used for many purposes thus numerous tools need to
> be loaded to make it easy for the user to load and operate.  The inherent
> problem is that insecurity is the result.

Insecurity isn't a result of tools on the host, it's a result of poorly
written services, libraries and OSes.

> For firewalls, I like a floppy disk or CD-ROM based system, with no hard
> disk, that only boots the basic system with the appropriate tools included.
> Linux has one called "The Linux Router Project" and its offshoots.
> FreeBSD has a derivative called PicoBSD.  These systems use the bare
> essentials only with no way to write anything to any medium without cutting
> a new floppy or CD-ROM (obviously CD-ROM is a better way to do this).  This
> way the hacker cannot modify anything and cannot load his/her own tools.
> This makes it very difficult, if not impossible, for the non-cracker elite
> to do much of anything once they get to the firewall.

Don't count on it.  It's not that difficult to format a piece of memory
and use it as a RAM disk, mount a remote disk on another compromised
machine, etc.  Solving the problem, rather than solving the predominant
symptoms, is more difficult than it would first appear.

> Anyway, minimal is the name of the game.  Setup logging (/etc/syslog.conf)
> to log to an internal host.  This way you do not have to have a writable
> device on the firewall.

This means that loss of network connectivity to the log host is a good
denial of log attack.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

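The "denial of log" point in the reply above is worth a concrete check. A firewall that logs only to a remote host cannot record its own loss of the log path, so the detection has to live on the log host: track the last arrival time per source and alert on any source that goes quiet longer than a threshold. The script below is an added example, not code from either poster or from any of the projects mentioned; the syslog lines are constructed sample input in BSD syslog format, the host names fw1/fw2/dns1 and the 5-minute gap are assumed, and the "-- MARK --" heartbeat lines are the ones a syslogd started with a mark interval (-m) emits, which give a source something to send even when the firewall is otherwise idle.

```python
"""Detect a silenced remote-syslog source on the log host.

Added example for the firewalls-list thread above; not the posters' code.
Sample log lines and host names (fw1, fw2, dns1) are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: a few BSD-syslog lines as a central log host
# would receive them.  fw1 stops sending after 10:01:01; dns1 keeps going.
# The "-- MARK --" lines are syslogd's own heartbeat (syslogd -m interval),
# useful here because an idle firewall may otherwise send nothing for hours.
SAMPLE_LOG = """\
Mar 14 10:00:01 fw1 kernel: ipfw: 1000 Deny TCP 10.1.1.5:4321 192.168.0.2:23 in via fxp0
Mar 14 10:00:31 fw1 kernel: ipfw: 1000 Deny TCP 10.1.1.5:4322 192.168.0.2:23 in via fxp0
Mar 14 10:01:01 fw1 -- MARK --
Mar 14 10:01:05 dns1 named[112]: client 10.1.1.7#1024: query: www.example.com IN A
Mar 14 10:07:00 dns1 named[112]: client 10.1.1.7#1025: query: mail.example.com IN A
"""

# "Mmm dd HH:MM:SS host message" -- day may be space-padded ("Mar  4").
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year):
    """Return (timestamp, host, message) or None for a line we can't parse.

    BSD syslog timestamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def last_seen(log_text, year=2000):
    """Map each source host to the newest timestamp it has logged."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # skip malformed lines rather than abort the sweep
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(seen, now, max_gap, expected=()):
    """Hosts whose last message is older than max_gap, plus any expected
    host that has never logged at all (a firewall cut off before its first
    message looks exactly like one that was never configured)."""
    silent = {host for host, ts in seen.items() if now - ts > max_gap}
    silent.update(host for host in expected if host not in seen)
    return sorted(silent)


if __name__ == "__main__":
    # Constructed "current time" for the sample, 7 minutes after fw1 went quiet.
    now = datetime(2000, 3, 14, 10, 8, 0)
    quiet = silent_sources(last_seen(SAMPLE_LOG), now, timedelta(minutes=5),
                           expected=("fw1", "fw2", "dns1"))
    for host in quiet:
        print(f"ALERT: no syslog from {host} within the last 5 minutes")
```

Run periodically on the log host (cron, or a loop over the live file) and the alert fires for the firewall whether the gap is a cut cable, a routing change or an attacker who dropped the log path before doing anything worth logging. The mark interval should be shorter than max_gap, otherwise a healthy but idle firewall trips the check.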