SLUG Mailing List Archives
Re: [SLUG] Firewall security audit report
- To: Crossfire <xfire@xxxxxxxx>
- Subject: Re: [SLUG] Firewall security audit report
- From: Umar Goldeli <umar@xxxxxxxxxxxxxx>
- Date: Wed Feb 28 10:15:02 2001
- Cc: Howard Lowndes <lannet@xxxxxxxxxxxxx>, chesty <chesty@xxxxxxxxxx>, SLUG Mailing list <slug@xxxxxxxxxxx>
> I concur with Howard - but their suggestion is legitimate - but for a
> different reason. PasswordAuthentication means you're relying upon
> users to pick sensible passwords. It's actually best to make sure
> nobody but your administrators have access to your firewall systems
Unfortunately, nothing can fix this, PKI or Password Auth, both require
passphrases/passwords... nothing can substitute good education. At least
with PKI - the damn key has to be on the box and the attacker has to
possess the private key before (s)he can start brute forcing.
> It adds no real security IMO. It just makes things a little more
> awkward, both for admins and for people breaking in - but it doesn't
> grant you any great gains.
It does. See previous post. You are assuming initial root access.
> Security through obscurity. Bleh. Get lost. Obscurity doesn't gain
> any security.
It does. Especially when you consider that most of your attackers are
going to be 7337 script kiddies.
Imagine a script kiddy on a box with no commands to run except for the
shell built-ins and no man pages in a chroot environment...
> Removing binaries just means the attackers have to get them in via
> some other means.
Indeed. You're buying time. Time is good. If your attacker can't readily
telnet, ftp, ssh, scp, rcp, wget, lynx etc - he's going to have to try
much harder. And what also happens if there's no compiler on the box? And
better yet, your border router acls do not allow connections ORIGINATING
from your firewall outbound?
> Better yet... Shut down *ALL* listening services. Log to a remote
> system behind your firewall, make sure you can only log into the
> console, etc. The best way to protect a system is with the minimum
> footprint approach. You can't compromise a service that just isn't
Agreed thoroughly about the turn off all listening services bit. :)
And those services which are listening - bind them to specific IP addresses
(preferably on the "inside") and make sure they're running non-priv.
As for logging - the safest way to keep logs is to have a serial printer
attached to your console and dump it all on to paper and focus on physical
security of the box. Do what the military does... not very practical, but
once written, your logs are there forever. ;)
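The "bind listening services to specific inside addresses" advice above can be checked mechanically. The following is an added example, not code from the thread: it parses constructed `ss -H -tlnp` style output and flags listeners that are bound to all interfaces or to anything other than an assumed set of inside addresses.

```python
"""Audit a firewall host's listeners against a whitelist of inside addresses.

Added example. The ss output and the inside address 10.0.0.1 are constructed
for illustration; run `ss -H -tlnp` on the real box to get live input.
"""
import re
from typing import NamedTuple

WILDCARDS = {"0.0.0.0", "::", "*"}  # binds that listen on every interface

class Listener(NamedTuple):
    addr: str
    port: int
    process: str

class Finding(NamedTuple):
    listener: Listener
    reason: str

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -H -tlnp` lines: State Recv-Q Send-Q Local Peer Process."""
    listeners = []
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # split off the port
        addr = addr.strip("[]")                      # "[::]" -> "::"
        m = re.search(r'\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners

def audit(listeners: list[Listener], inside_addrs: set[str]) -> list[Finding]:
    """Flag anything not bound to an explicit inside address."""
    findings = []
    for lst in listeners:
        if lst.addr in WILDCARDS:
            findings.append(Finding(lst, "bound to all interfaces"))
        elif lst.addr not in inside_addrs:
            findings.append(Finding(lst, "bound to a non-inside address"))
    return findings

# Constructed sample output; 10.0.0.1 is the assumed inside interface.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 10.0.0.1:514 0.0.0.0:* users:(("syslog-ng",pid=400,fd=6))
LISTEN 0 5 203.0.113.5:23 0.0.0.0:* users:(("in.telnetd",pid=77,fd=0))
"""
INSIDE_ADDRS = {"10.0.0.1"}

if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS), INSIDE_ADDRS):
        print(f"{f.listener.process}:{f.listener.port} on {f.listener.addr}: {f.reason}")
```

The check only covers the bind address; whether each listener also runs unprivileged, as the post recommends, has to be verified separately against the process owner.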