Subject: Re: r/o filesystem restrictions for firewall?
To: Yubyub bird <jonl@yubyub.net>
From: Berndt Josef Wulf <wulf@ping.net.au>
List: netbsd-help
Date: 10/24/2000 10:48:06
Yubyub bird wrote
> Berndt Josef Wulf said on 2000-10-24:
> 
> [gratuitous snip]
> 
> > Alternatively, if memory isn't much of a problem, create a CD with the
> > desired filesystem and have it boot into a memory-based filesystem.
> 
> I'd like to keep away from any type of local writable storage (save
> memory - but not mfs)... there are just too many ways to bring down files
> to a comprimised system, then use those executables to do further
> damage.  This way, a potential cracker has a limited set of tools at
> his/her/their disposal.
> 
> > Should the system be compromised or falling over, it's a matter of
> > seconds to reboot and have it up and running again.
> 
> Yep.  I'm hoping for that ;-)
> 
> > I don't know about your reasons of not using a local harddisk, but
> > if it is for security reasons, there is nothing stopping anyone
> > breaking into the firewall on any type of system if the opportunity
> > exists due to a flaw in operating system or application.
> 
> Partially that reason - I'd rather not make it easy for the compromised
> system to host foreign data (executables, etc...).  No log files to tamper
> with.  No muss, no fuss.  And partially because this thing is gonna be on
> day after day, and a spinning hard drive lays a lot of worry on my mind (I
> know, I know - I'd get rid of the fan if it were easy ;-)
> 
> Mostly I'm just paranoid.  Mostly.

I understand your concerns, but whilst you get rid of the harddisk, it
is still possible to penetrate the system in many other ways. In
my books the harddisk drive is the least of my problems.

The best you can do is use a trusted operating system... ;-), remove
all programs and disallow all services not needed for the proper
operation of the firewall. 

Most firewalls are successfully broken into not because of flawed
binaries or operating systems, but incorrect configuration.

And after going through all this pain, you will be very disappointed
if the system was brought down due to an INSIDER job...

cheerio Berndt
-- 
Name    : Berndt Josef Wulf            | +++ With BSD on Packet Radio +++
E-Mail  : wulf@ping.net.au             |    tfkiss, tnt, dpbox, wampes
ICQ     : 18196098                     |  VK5ABN, Nairne, South Australia 
URL     : http://www.ping.net.au/~wulf | MBOX : vk5abn@vk5abn.#lmr.#sa.au.oc
Sysinfo : DEC AXPpci33+, NetBSD-1.4.2  | BBS  : vk5abn.#lmr.#sa.aus.oc