> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul D. Robertson
> Sent: Wednesday, June 12, 2002 1:44 PM
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]
> Subject: RE: firewall logging
>
> On Wed, 12 Jun 2002, Ben Nagy wrote:
>
> > I'll put all this more simply - every scheme to provide "authenticated"
> > logs needs to use something secret. If it's onsite, then the secret
> > isn't safe, and the logs just can't be trusted by an outsider.
>
> I think it's possible to do up a scheme with a TCB that makes the bar high
> enough that it's essentially tamper resistant[...]
>
> Ideally, it'd include tamper resistant hardware, though that really just
> wants something like the flash RAM epoxied to the motherboard and a custom
> BIOS, as well as a physical tamper alarm on the case (I'll spare the
> boring thoughts there.) Given that, so that physical boots are an
> auditable event and there's a write-only BIOS area (enforced by the
> BIOS/OS) with some shared public/private OS<->BIOS checking going on (to
> stop foreign OS booting, which stops BIOS flashing, which keeps a
> relatively good level of integrity in the process, and given that as a
> mechanism for seeding the encryption of the filesystem(s), with only
> things in the TCB being able to have the key you get to the point where
> the manager will have much better luck slipping half a kilo of $narcotic
> in your car.
Nice box. Ok, I'll pay a point for that.

> Sure, you could go out, buy the equipment to monitor the RF, see the key
> exchange, get a newfangled crypto cracking machine and break the keys,
> overcome the physical tampering alerts, whip out the drive, add your
> "evidence," unepoxy the flash, remove the downtime record, then put it all
> back in place - but at that point the cost of the attack is well outside of
> the realm of sanity. It'd be easier to fake video of you carrying off the
> machine at that point.

I don't think I have to go that far. I can probably subvert the OS through
whatever the ultimate root account is, get the key from RAM and fiddle the
HDD logs and then spam the flash log (multiple power events, or lots of
something else that's audited). Or I can trojan the app that reads back the
flash log. You could stop this with the BIOS, but then you can never
legitimately upgrade your software.

But yes, we're being silly. My main point is that we can now only trust the
logs from this one tamper-proof machine. If it's supposed to be a hardened
log collector then obviously I just mess with the input stream at the
network end. The same goes for getting the logs _out_ of this box in a
secure manner, probably.

I'll believe it all when someone makes a firewall like that, though. ;)

[...]

Cheers,
--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
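As an added defender-side illustration (example code, not from this thread or either poster), a forward-secure log chain shows how far an onsite secret can be protected: each entry is MAC'd under an epoch key that is then hashed forward and erased, so root access at a later epoch cannot rewrite earlier entries, while everything appended after the compromise, and truncation, remain open, which is the limit the reply above points at. The key names, the initial key and the sample firewall lines are constructed for the example.

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    # One-way key update: holding K_i gives no way back to K_{i-1}.
    return hashlib.sha256(b"evolve|" + key).digest()

def tag_entry(key: bytes, idx: int, message: bytes) -> bytes:
    # The tag binds the line to its position, so entries cannot be reordered.
    return hmac.new(key, idx.to_bytes(8, "big") + message, hashlib.sha256).digest()

class ForwardSecureLog:
    """Writer on the firewall: only the current epoch key ever sits in RAM."""
    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.entries = []  # (idx, message, tag)

    def append(self, message: bytes) -> None:
        idx = len(self.entries)
        self.entries.append((idx, message, tag_entry(self.key, idx, message)))
        self.key = evolve(self.key)  # the key that tagged this entry is discarded

def verify(initial_key: bytes, entries):
    """Offsite verifier holding K_0. Returns (ok, index of first bad entry)."""
    key = initial_key
    for i, (idx, message, tag) in enumerate(entries):
        if idx != i or not hmac.compare_digest(tag, tag_entry(key, idx, message)):
            return False, i
        key = evolve(key)
    return True, None

# Constructed sample: K_0 provisioned offsite, three made-up firewall lines.
K0 = hashlib.sha256(b"constructed initial key, held by the offsite verifier").digest()
SAMPLE = [b"DENY tcp 10.0.0.5 -> 192.0.2.10:22", b"ALLOW tcp 10.0.0.7 -> 192.0.2.10:443",
          b"DENY udp 10.0.0.9 -> 192.0.2.11:161"]

def demo():
    """Attacker gets root after entry 1 and reads the live key (K_2) from RAM."""
    log = ForwardSecureLog(K0)
    for line in SAMPLE[:2]:
        log.append(line)
    stolen_key = log.key  # = K_2; K_0 and K_1 no longer exist on the box
    log.append(SAMPLE[2])
    # Rewriting entry 0 needs K_0, which was erased; re-tagging with K_2 is caught.
    tampered = list(log.entries)
    fake = b"ALLOW" + SAMPLE[0][4:]
    tampered[0] = (0, fake, tag_entry(stolen_key, 0, fake))
    # Appending under an evolved stolen key is NOT caught: the future is unprotected.
    forged = log.entries + [(3, b"forged", tag_entry(evolve(stolen_key), 3, b"forged"))]
    return verify(K0, log.entries), verify(K0, tampered), verify(K0, forged)
```

The verifier's copy of K_0 is the part that must stay offsite; with it, the chain detects any edit of entries written before the compromise, and nothing more.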
