On Thu, 24 Jan 2002, Jon Clausen wrote:

<snip>

> scheme, though:
>
> 1. A laptop is inherently in danger of getting 'lost'. If that should happen,
> having the laptop (and the firewall) being configured so the laptop has a
> (semi) automatic capability to write to hosts.allow would maybe make it a
> little too easy for anyone who happens to 'find' it to gain access to the
> firewall...
>

This is worrisome, and I have had a laptop walk off before.

> 2. Said laptop might very well be some sort of windows-entity. And although
> one *might* be able to create such a script for that platform, I would *not*
> like the idea of letting windows have root-access to my firewall... If you
> know what I mean.
>

This threat depends on the hosts involved; my work laptop is a Win2K
installation using Perl or bash on Cygwin for any scripting needs (mainly
creating PDFs and bzip2 backups). It'd be a funny rootkit that looked for
Cygwin... but if the script is written as a DOS batch file (is that
possible?) or set up with some super easy "click here to steal my stuff"
icon....

> Maybe I'm just too paranoid, or maybe it's just that I'm a newbie in this
> field, but writing to hosts.allow like that, on a routine basis... it just
> seems... well... insecure?
>

Well, if you really wanted it secure it'd be powered off :-) All of the
ideas that have been posted can be compromised by a sufficiently determined
bad guy; the point is to make it harder than the probable attacker will want
to deal with. So if you look at laptop theft, chances are good they will
spend an hour looking around for goodies, then wipe it for their own use or
fence it (though apparently there are mouth-breathers that just use the
stolen laptop and get caught, like that thing on /. today).

> I must say that I like the idea better, of having a script on the firewall
> listen on a predetermined port, for some kind of identifier, and then open up
> for traffic from the laptop IP. And having this happen dynamically, so you
> get one session at a time...
>

And of course the loophole closes after an hour. It would be really nifty to
make the port increment by your favorite number every time you use it :-)
Too bad my work has a good security policy; I can't get shell to save my
life, so I can't use all these tricks :-)

> > If the laptop is on a private network, then the script uses
> > the NAT gateway ip. Determining the NAT ip could get tricky,
> > but can be done easily enough with a script that when called
> > makes traffic to somewhere that responds with the NAT ip.
>
> Sounds reasonable. Something like calling whatismyip.com or somesuch
> perhaps?
>
> This is getting very interesting :)
>
> Jon
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user

--
Jack Coates
Monkeynoodle: A Scientific Venture...
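The "opens for one session, closes after an hour" part of the scheme discussed above, written out as an added example; this is not code from the thread or from the LEAF project. It assumes a POSIX sh with awk and date on the firewall, and that whatever listener authenticates the laptop passes this script only the source address of that connection, never a string the laptop supplies. HOSTS_ALLOW, TTL and SERVICE are hypothetical variables; they default to a scratch file so the script can be tried without touching /etc/hosts.allow. Because tcp_wrappers only treats `#` as a comment at the start of a line, the expiry tag goes on its own comment line directly before the rule it belongs to.

```shell
#!/bin/sh
# Time-limited hosts.allow entries (added example; hypothetical names).
# Each grant is two lines:
#   # leaf-dyn 203.0.113.5 expires=1700000000
#   sshd: 203.0.113.5
HOSTS_ALLOW="${HOSTS_ALLOW:-./hosts.allow.test}"   # scratch default, not /etc/hosts.allow
TTL="${TTL:-3600}"                                  # seconds a grant stays open (one hour)
SERVICE="${SERVICE:-sshd}"                          # daemon the grant applies to

# Accept a plain dotted-quad IPv4 address only, so nothing the caller passes
# can smuggle a wildcard, a second client pattern or a newline into the file.
valid_ipv4() {
    case "$1" in
        "" | *[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Rewrite the file through awk, dropping the tag line whose address is $1
# together with the rule line that follows it.
revoke_host() {
    [ -f "$HOSTS_ALLOW" ] || return 0
    awk -v ip="$1" '
        /^# leaf-dyn / && $3 == ip { skip = 1; next }
        skip { skip = 0; next }
        { print }' "$HOSTS_ALLOW" > "$HOSTS_ALLOW.tmp" \
        && mv "$HOSTS_ALLOW.tmp" "$HOSTS_ALLOW"
}

# Grant $1 access until now + TTL. Renewing an existing grant replaces it
# rather than stacking duplicates.
allow_host() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
    revoke_host "$ip"
    expires=$(( $(date +%s) + TTL ))
    printf '# leaf-dyn %s expires=%s\n%s: %s\n' \
        "$ip" "$expires" "$SERVICE" "$ip" >> "$HOSTS_ALLOW"
}

# Remove every grant whose expiry is in the past (run from cron every minute).
expire_hosts() {
    [ -f "$HOSTS_ALLOW" ] || return 0
    awk -v now="$(date +%s)" '
        /^# leaf-dyn / { split($4, kv, "="); if (kv[2] + 0 <= now + 0) { skip = 1; next } }
        skip { skip = 0; next }
        { print }' "$HOSTS_ALLOW" > "$HOSTS_ALLOW.tmp" \
        && mv "$HOSTS_ALLOW.tmp" "$HOSTS_ALLOW"
}

# Exit 0 if $1 currently holds a grant, 1 otherwise.
is_allowed() {
    [ -f "$HOSTS_ALLOW" ] || return 1
    awk -v ip="$1" '/^# leaf-dyn / && $3 == ip { found = 1 } END { exit !found }' "$HOSTS_ALLOW"
}

# Number of grants currently in the file.
count_active() {
    [ -f "$HOSTS_ALLOW" ] || { echo 0; return 0; }
    grep -c '^# leaf-dyn ' "$HOSTS_ALLOW" || true
}

# Command-line front end; with no arguments the file just defines the functions.
case "${1:-}" in
    allow)  allow_host "$2" ;;
    revoke) revoke_host "$2" ;;
    expire) expire_hosts ;;
    "")     ;;
    *)      echo "usage: $0 allow|revoke <ip> | expire" >&2; exit 2 ;;
esac
```

The listener that authenticates the laptop should call `allow_host` with the peer address of the socket it accepted, which is the address the firewall will see in subsequent connections anyway. Taken that way, the NAT question in the quoted text answers itself: the firewall already knows the gateway's public address, so the laptop never has to look it up or report it. A cron entry running `expire` once a minute closes the loophole on schedule, and `revoke` closes it early. Note that tcp_wrappers only guards daemons that consult hosts.allow; a packet-filter rule with the same lifetime is the matching control for everything else.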