On Wed, 1 Nov 2000, Kenneth E. Lussier wrote:
> Have more than one firewall script and run them often.
[...]
> Have your firewall scripts called from unmounted filesystems.
These particular items strike me as security-through-obscurity. While it
might stop a naive script-kiddie with a very simple root kit, it won't stop
much more. There are about a dozen ways I can think of off the top of my head
to neutralize both of these, and I'm far from an expert in such things.

It also violates one of the fundamental rules of security, the KISS
Principle. Keep It Simple! Simple systems are easier to deploy, easier to
maintain, and easier to audit.

You are much better off, IMNSHO, really securing your system, in which case
you don't need this sort of thing, and you reduce administrative overhead.

One very effective technique is to use a read-only system, like the one you
mentioned. Compile your kernel without modules if possible. Remove anything
you don't need from the kernel and the system in general. Log to another
machine. If possible, use a hardware-based write-protect mechanism: Some
hard drives include such a feature as a jumper, which can be conveniently
wired to an external switch. Otherwise, you can fit quite a bit of stuff on a
write-protected floppy disk. :-)

In short, prevent an attacker from changing anything, even if they do
penetrate the security checks.

Unfortunately, while this works very well for a firewall, it is much harder
to do on, e.g., a system hosting dynamically-generated web content. :-(
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839
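The three properties the post recommends for a firewall box (root filesystem mounted read-only, a kernel that loads no modules, logs shipped to another machine) are easy to verify from the shell. The script below is an added example, not code from Ben's message or from the GNHLUG list; the function names (root_is_readonly, no_modules_loaded, remote_log_configured, audit_host) and the sample /proc/mounts, /proc/modules and syslog.conf contents are my own construction. Each check takes a file path, so the same functions run against the real /proc/mounts, /proc/modules and /etc/syslog.conf on a live host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host for the hardening
# properties the post recommends. Each check takes a file path so it runs on
# the real /proc and syslog files or on the constructed samples below.

# Pass (exit 0) when the "/" entry of a /proc/mounts-style file carries "ro".
root_is_readonly() {
    awk '$2 == "/" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Pass when the module listing is absent (kernel built without module support,
# as the post suggests) or empty (support present, nothing loaded).
no_modules_loaded() {
    [ ! -e "$1" ] || [ ! -s "$1" ]
}

# Pass when an uncommented syslog rule forwards to "@host" (or "@@host").
remote_log_configured() {
    grep -Eq '^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+@[^[:space:]]+' "$1"
}

# Run all three checks, print one line each, return the number of failures.
audit_host() {
    mounts=$1 modules=$2 syslog=$3 fails=0
    if root_is_readonly "$mounts"; then echo "PASS root filesystem mounted read-only"
    else echo "FAIL root filesystem is writable"; fails=$((fails + 1)); fi
    if no_modules_loaded "$modules"; then echo "PASS no kernel modules loaded"
    else echo "FAIL modules loaded: $(awk '{print $1}' "$modules" | tr '\n' ' ')"
         fails=$((fails + 1)); fi
    if remote_log_configured "$syslog"; then echo "PASS syslog forwards to a remote host"
    else echo "FAIL syslog keeps logs only on this machine"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample inputs (not captured from any real host): one box hardened
# the way the post describes, one left at typical defaults.
SAMPLE_DIR=${TMPDIR:-/tmp}/fwaudit.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
HARD_MOUNTS=$SAMPLE_DIR/hard.mounts; HARD_MODULES=$SAMPLE_DIR/hard.modules
HARD_SYSLOG=$SAMPLE_DIR/hard.syslog.conf
DEF_MOUNTS=$SAMPLE_DIR/def.mounts;   DEF_MODULES=$SAMPLE_DIR/def.modules
DEF_SYSLOG=$SAMPLE_DIR/def.syslog.conf

printf '/dev/hda1 / ext2 ro 0 0\nproc /proc proc rw 0 0\n' > "$HARD_MOUNTS"
: > "$HARD_MODULES"                       # module support, nothing loaded
printf '*.*\t@loghost\n' > "$HARD_SYSLOG"  # everything shipped off-box

printf '/dev/hda1 / ext2 rw 0 0\nproc /proc proc rw 0 0\n' > "$DEF_MOUNTS"
printf 'ipchains 12288 0 (unused)\nne 8096 1\n' > "$DEF_MODULES"
printf '# *.* @loghost\n*.* /var/log/messages\n' > "$DEF_SYSLOG"

echo "== hardened sample =="
audit_host "$HARD_MOUNTS" "$HARD_MODULES" "$HARD_SYSLOG" || true
echo "== default sample =="
audit_host "$DEF_MOUNTS" "$DEF_MODULES" "$DEF_SYSLOG" || true
```

On a live box, run `audit_host /proc/mounts /proc/modules /etc/syslog.conf`; a kernel compiled without module support has no /proc/modules at all, which the second check treats as a pass. A non-zero return count is the list of things still left for an intruder to change.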