Re: fedora-list@redhat.com

From: ryan (ryanag_at_zoominternet.net)
Date: 03/13/05

    Date: Sun, 13 Mar 2005 10:47:57 +0000
    To: rick@workcity.ca
    
    

    Rick Meyer wrote:

    >Yep...., except that the real information that is being transmitted by the
    >firewall is inside an encrypted VPN. Also the file system itself is
    >encrypted. The firewall won't accept SSH from just any system. It's locked
    >down. I'm just trying to make it extremely difficult for an unauthorized
    >user to get access to it.
    >
    >Rick.
    >
    >| -----Original Message-----
    >| From: ryan [mailto:ryanag@zoominternet.net]
    >| Sent: Sunday, March 13, 2005 6:16 AM
    >| To: fedora-list@redhat.com; rick@workcity.ca
    >| Subject: fedora-list@redhat.com
    >|
    >| "How do I lock or disable unused ports such as keyboard, video and USB
    >| ports?
    >|
    >|
    >| Here is the scenario; I have several firewalls built upon Fedora that are
    >| in
    >| closets physically unmonitored. An unscrupulous individual could plug in
    >| a
    >| keyboard, mouse and monitor into one of these systems and start getting
    >| access to it. Even worse the individual could plug in other devices to
    >| log
    >| all packets flowing through the firewall. This gives me chills just
    >| thinking about it!
    >|
    >| I would like to disable any I/O devices that aren't actually needed."
    >|
    >|
    >| Way too much work with no tangible benefits. If you did all this, what is
    >| to keep a malicious attacker from dropping in a $10 hub, then setting up a
    >| monitoring station. He/She could just walk in occasionally and get the
    >| logs off, or worse, set up a cheap access point and just pull into the
    >| parking lot, SSH into their sniffer machine, and get the logs that way.
    >|
    >| Physically secure the machines or don't think too hard about it. Stripping
    >| the servers down to a CPU/RAM/HD and ethernet ports won't provide much
    >| additional security.
    >|
    >|
    >
    I meant that the attacker can SSH into their separate sniffing machine.

    The VPN setup helps a lot, but still doesn't protect you. Once the
    attacker figures out that you are running a VPN, they can just crash (or
    steal) your system.

    Worse, they can steal your hard drive. Even assuming you've encrypted
    important stuff, this is still a big enough issue to force you to re-do
    everything (how long will your encryption be good for, until it can be
    easily broken? 1 year? 10 years?).

    With physical access to the machine reasonably possible, you have to
    make the assumption that any attacker can gain control of your system,
    if they are willing to break and enter to do so.

    You need to think about what else at these locations is not secured, and
    their relative value. Also consider how many strangers wander these
    buildings, or is it the same old people all the time.

    If there are things of greater business importance than your firewall
    not secured, I think it's an organizational problem. If only your
    firewalls are in unlocked closets, it sounds like you need some good ol'
    physical access control. A nice lock, alarm system, and webcam would
    probably take far less time to set up, and be less dangerous to your
    network, than disabling everything on your firewall machines. ;-)

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
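    The quoted question asks how to disable unused keyboard, video and USB ports on an unattended Fedora firewall; the reply argues for physical access control and monitoring instead. As an added example, not part of the thread and not anyone's posted code, here is a small POSIX shell filter that flags device hot-plug events in kernel log lines, so such a host can at least alert when something is plugged into it. The log lines, device names and sysfs paths below are constructed for the example; on a real host the input would come from `dmesg` or `journalctl -k`.

```shell
#!/bin/sh
# Added example, not from the thread: flag device hot-plug events in kernel
# log lines so an unattended firewall host can alert on them.
# The log lines below are constructed; device names and paths are made up.
SAMPLE_LOG='[  120.001] usb 1-1: new low-speed USB device number 2 using uhci_hcd
[  120.150] input: Generic USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1:1.0/input/input3
[  300.400] e1000: eth0 NIC Link is Up 100 Mbps Full Duplex
[  450.700] usb 1-2: new high-speed USB device number 3 using ehci_hcd
[  450.900] usb-storage 1-2:1.0: USB Mass Storage device detected
[  460.000] input: USB Optical Mouse as /devices/pci0000:00/0000:00:1d.1/usb2/2-1/2-1:1.0/input/input4'

# Read kernel log text on stdin; print each hot-plug line prefixed with a tag.
# Non-matching lines (NIC link state, etc.) are dropped, so a cron job or
# `journalctl -k -f | flag_hotplug_events` only emits what deserves attention.
flag_hotplug_events() {
    grep -E 'new (low|full|high)-speed USB device|input: |USB Mass Storage' |
    while IFS= read -r line; do
        case "$line" in
            *"USB Mass Storage"*) tag="STORAGE" ;;   # removable media attached
            *"input: "*)          tag="INPUT" ;;     # keyboard/mouse registered
            *)                    tag="USB" ;;       # any other USB enumeration
        esac
        printf '%s %s\n' "$tag" "$line"
    done
}

# Count flagged events of one tag (STORAGE, INPUT or USB) in the sample log.
# grep -c exits 1 when the count is zero, so "|| true" keeps the count usable.
count_events() {
    printf '%s\n' "$SAMPLE_LOG" | flag_hotplug_events | grep -c "^$1 " || true
}

# Stand-alone run: show the flagged lines from the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_hotplug_events
```

The filter only reports what the kernel already logs; it does not stop a device from working. Its point is the monitoring half of the reply's advice: a keyboard or storage device appearing on a box that should never see one is worth an alert to whoever watches the firewalls, whatever else (locks, alarm, webcam) guards the closet.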
    
