On Tue, Feb 27, 2001 at 09:18:25PM +1100, Terry Collins wrote:
> > Mount partitions read only where possible.
> > I guess this is a good idea, but in what situation would this add security?
> > You need to be root to be able to write to the partitions that I could mount read
> > only, and if someone gets root, they can remount partitions read write.
>
> For a firewall, you want to prevent anyone being able to fiddle with it
> and one way to prevent people writing to it is to make it read only.
Non root users can't write to it because of file permissions, root users
can remount it read write. You haven't convinced me. Reading other people's
responses I can see some value in it.
> Tricks like Remote logging,
Are you talking about syslog out a serial port?
Is that a trick?
> temporary files in ram,
I guess I should check the archives for this one.
> boot off CD,
If someone has physical access there is little that you can
do to stop them getting in. You could slow them down but that's all,
i.e. password protect the BIOS, disable booting off removable media,
password protect LILO, etc. But that still doesn't protect the box
from physical access. And if someone has physical access, why bother
with the firewall at all? Just disconnect the firewall and plug a laptop
in.
> > Remove man pages.
> > Again, I can't see the harm in doing this, but I can't see the point.
>
> If you don't know what to do, why are you fiddling with the box.
I may not know as much as someone like yourself, but that is the reason we got
the security audit.
> Basically,
> if someone gets in, man pages help them know the particular variety of
> your box.
Are you serious? If someone gets in the game is over, they already know enough
about the box, wouldn't you say?
There are bigger giveaways than man pages though.
less /var/lib/dpkg/status, and I assume a similar way for Red Hat.
> > Remove unnecessary binaries.
> > A good idea no doubt, but the firewall doesn't allow shell access, and the
> > way I see it is if someone gets shell access they can upload their own bins.
>
> Yes, but they still have to upload them, which takes time, which
> increases the chances of discovery, etc. If you don't need it, then it
> shouldn't be there.
I agree, but really, you're overstating how hard it is to upload files.
> > It doesn't mention it in the report, but would mounting /home, /tmp and /var with
> > noexec help? It might stop a non root user from running their own programs, but it
> > won't stop root.
>
> Are we talking about a firewall or what.
> There shouldn't be any users on the firewall.
We have had to make some compromises, time, money, usability are all factors
that needed to be considered. At the moment it's part firewall, part bastion
host. The only daemon running at the moment is sshd, and that's to allow X. X
isn't secure, but it's needed, we have made a compromise. Using sshd for X
forwarding may not be the best way, but it was the quickest and cheapest way,
another compromise.
Users can't get an interactive shell on the firewall, at least that's the aim.
We are in the near future going to remove X forwarding via ssh and remove the
need for having user accounts on the firewall.
We have been advised to run ntp on the firewall so log time stamps are in
sync. Another potential access point.
--
chesty
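The thread above argues over whether read-only and noexec mounts on a firewall buy anything. A defender's follow-up to that debate is to at least check that the intended options are actually in effect, since a remount or an fstab edit silently undoes them. The script below is an added example, not code from the thread or from either poster; it reads a /proc/mounts-style table on stdin and reports each mountpoint missing an expected option. The policy (/usr read-only; /home, /tmp and /var noexec, nosuid, nodev) and the sample mount table are assumptions constructed for the example, not the actual layout of the box being discussed.

```shell
#!/bin/sh
# Added example: audit mount options against a hardening policy.
# Runs offline on a constructed mount table; on a real host replace
# audit_sample with:  audit_mounts < /proc/mounts

# Constructed /proc/mounts-style input (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext2 rw 0 0
/dev/sda2 /usr ext2 ro 0 0
/dev/sda3 /home ext2 rw,nosuid 0 0
/dev/sda4 /var ext2 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# has_opt OPTLIST OPT: succeed if the comma-separated OPTLIST contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# expected_opts MOUNTPOINT: print the options policy requires there
# (assumed policy; adjust to the host's own layout).
expected_opts() {
    case "$1" in
        /usr) echo "ro" ;;
        /home|/tmp|/var) echo "noexec nosuid nodev" ;;
        *) echo "" ;;
    esac
}

# audit_mounts: read a mount table on stdin, print "MOUNTPOINT missing OPT"
# once per required option that is not present.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        for want in $(expected_opts "$mnt"); do
            has_opt "$opts" "$want" || echo "$mnt missing $want"
        done
    done
}

# audit_sample: run the audit over the constructed table.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

# count_findings: number of policy violations in the sample (no whitespace).
count_findings() {
    audit_sample | wc -l | tr -d ' '
}

audit_sample
```

Running it prints six findings for the sample table: /home lacks noexec and nodev, /var lacks all three, and /tmp lacks noexec, while /usr passes because it is mounted ro. Because the check reads the live mount table rather than fstab, it also catches the case the thread raises, where something with root has remounted a filesystem read-write.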
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug