
Re: Philosophical Question: Inheriting a Firewall



I'm all for the complete rebuild option if you have anything valuable at 
stake and don't trust the former admin.  There are lots of nasty things he 
could do...for example, all the firewall code and everything on the system 
could actually be safe and correct except for the gcc program which also 
operates as expected whenever you compile something.  However the gcc 
program might have a little bit of trojan'ed code compiled in it which will 
detect when you are compiling the firewall and insert a backdoor at that 
time.  So the old administrator won't be able to get in until next time you 
recompile the firewall or some other equally important piece of software, 
but the point is that at some future time root access may be his 
again.  Now I guess you could compare gcc with a known gcc, but who is to 
say that 'diff' is also not slightly altered to report that a compare of 
gcc with the real gcc should report no differences as well as a compare of 
the compromised diff with a real diff.  Now of course you could compile a 
new diff and use that compare, but the compromised gcc may compile your new 
diff into a compromised diff.  You could copy over a precompiled diff, but 
how do you get it over, ftp or lynx?  Are you sure those are 
trustworthy?  If so, how do you know, because you compiled them fresh with 
a questionable gcc or because you compared them using a questionable 
diff?  Or did you just check the file size with a questionable ls?  It's 
all about whether you think you can outsmart all his past attempts or 
whether he had the knowledge to know what you would try and then outsmart 
it or whether he just got a 'kit' from someone who developed such a thing 
and then installed it, in which case now you not only have to worry about 
him getting in, but also the developer of the 'kit'...

Just to add to the paranoia...probably didn't help much...but I think wipe 
and reinstall is better if you choose not to completely trust the former admin.

Thanks,
Thomas.

At 08:38 AM 12/10/00, you wrote:
>Now... Let's assume they are running OpenBSD for their firewall,
>though really, this is probably a general firewall question.  Is there
>any realistic way to lock down the firewall without rebuilding it
>completely from scratch?