On 08/30/2017 05:17 PM, [email protected] wrote:
>> Please also note that any remote administration command can only
>> be received through networking, so proper firewalling (IPv6 may
>> complicate things - prepare your studies in advance) and monitoring
>> may help great lengths. Also, do avoid using x86-based
>> firewalls/routers... ;)
>>
>> -- Alex
>
> Just to be clear for beginners - this means that if you're running
> Qubes on an x86 processor, you cannot trust Qubes as a firewall to
> prevent IME remote administration.
>
> You would need a separate device to act as a firewall. Most routers
> have recently been shown to be compromised in similar ways. It will
> be difficult, but should be possible, to find a device that is secure
> given current knowledge.
>

You are right. With "proper firewalling" I was implying separate physical hardware, and that was the basis for "avoid x86 based firewalls". There's no isolation benefit with a software firewall if the remote administration packets are received by the local network adapter, since the "zombie RAT fungus" (Intel ME) fiddles with PCI devices on its own.

-- Alex
