I recall reading an interesting article long ago about "halted" routers. The concept, as I recall, was to boot a minimal Linux system, establish the network, routing, and firewall rules, then halt the system without powering off and without disabling the networking. A vestige of the kernel would remain running in memory, with no disk, no I/O other than networking, pretty much all kernel modules unloaded except for networking.
As I understood it, halting meant that the CPU was in a tight busy loop until the machine was powered off or hardware-reset. By configuring the init scripts so they don't disable networking or the Ethernet card, the halted system would continue running the kernel's routing and firewall code. Thus, essentially nothing is running that an attacker could leverage. It seemed like an interesting approach for designing a firewall. I have no idea if it ever went beyond a proof of concept.

On Sat, Feb 1, 2014 at 3:35 AM, Peter (peabo) Olson <[email protected]> wrote:

> On February 1, 2014 at 2:42 AM Tom Metro <[email protected]> wrote:
> > Is running applications on your router really such a good idea?
> >
> > http://gigaom.com/2014/01/31/in-a-distributed-world-cache-is-king-why-routers-are-becoming-the-new-server/
> > [...]
> > Cisco's IOx architecture will be a Linux-based operating system that
> > will be embedded in forthcoming industrial routers.
> >
> > And unlike its previous box software, Cisco says it plans to open the
> > IOx architecture up for others to run their own applications on
>
> A router should be a router. Allowing applications to run on it invites
> serious security risks.
>
> I want to go in the other direction. I think there is already stuff I
> would like to disable by deleting it. It is a truism that an attacker
> cannot attack a program/feature which isn't installed on the victim.
>
> peabo
> _______________________________________________
> Discuss mailing list
> [email protected]
> http://lists.blu.org/mailman/listinfo/discuss

--
John Abreau / Executive Director, Boston Linux & Unix
Email: [email protected] / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6
