Firewall Wizards mailing list archives

Re: Linux Firewall on CD


From: Paul Robertson <proberts () patriot net>
Date: Fri, 11 Jul 2003 21:27:24 -0400 (EDT)

On Fri, 11 Jul 2003, james mcdermott wrote:

Would anyone be so kind as to help me find any documentation on how to 
set up a Linux firewall on a CD. This means, how do I create an image and put 
it on CD. So if someone breaks through the firewall they cannot install 
software on it.... Thanks in advance....  James


Generally, attackers want to get past the firewall, not on to it. If the 
firewall is compromisable, then it's going to be game over, no matter if 
the disk is writable or not.  You'll have to have some writable storage 
for logs, mount points, device nodes...  Usually, CD bootable systems use 
a RAM disk, so an attacker can easily keep things in memory, and the only 
thing you really gain is disinfection with a reboot. However, you're still 
vulnerable to the original attack, so the gain from running off a CD is 
pretty negligible from a security perspective.

The only time I'd seriously consider using a "run off CD" system over 
another kind is the scenario where the media was distributed to folks who 
I didn't want touching things, who had some level of access for 
operational reasons; then it'd be more to deter the enthusiastic than 
prevent the malicious.

Since you can network boot any *nix OS, it's probably better to spend time 
on actually removing unnecessary code, rather than trying to get the boot 
media to be unwritable.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
