Re: comp34.tgz necessary on a firewall?
On Sat, 1 Nov 2003, Nick Holland wrote:
> Granted, if you build a custom system so you can pack your entire
> firewall into a flash module, flip a "read-only" switch on the module
> (note that little switch on the SD flash modules? Wonder how well
> that works 8-), so the only writeable partitions are non-exec and the
> exec partitions are HW not writable, you *might* achieve a theoretical
> benefit by not having a compiler on the system. Now you got to decide
> if the time required to build and rebuild such a system is worth the
> effort (that SD flash module with its seemingly HW write-protect is
> still sitting in my drawer).
I have a USB flash drive with said write-protect switch. It works well.
Just make sure you don't have mfs or ramdisk in your kernel so that an
attacker can't write anywhere... that of course makes other ugly hacks
necessary (logging, ptys, configuration).
I leave my flash mounted ro to save write cycles. I do use the write
protect on my USB disk though; makes a convenient quick backup, and
doubly so when I can flip a switch that mostly guarantees I won't be
able to kill the filesystem.
CK
--
Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
office: 157 General Services Bldg. +1.780.492.8135
chris.kuethe@[pyxis.cns.]ualberta.ca
GDB has a 'break' feature; why doesn't it have 'fix' too?
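The design discussed in this thread (exec partitions read-only, writable partitions noexec, no mfs for an attacker to write into) can be audited from mount(8) output. The script below is an added example, not code from either poster; the mount lines are constructed in the OpenBSD "dev on mp type fstype (opts)" layout, and on a live host you would feed it `audit_mounts "$(mount)"` instead.

```shell
#!/bin/sh
# Constructed sample mount(8) output (not taken from the original mail):
# an ro-exec root and /usr, a writable noexec /var, an mfs /tmp, and a
# writable+exec /home that violates the "writable => noexec" rule.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local, read-only)
/dev/sd0d on /usr type ffs (local, nodev, read-only)
/dev/sd0e on /var type ffs (local, nodev, nosuid, noexec)
mfs:12345 on /tmp type mfs (asynchronous, local, nodev, nosuid, size=16384)
/dev/sd0f on /home type ffs (local, nodev)'

# audit_mounts MOUNT_OUTPUT
# Prints one finding per offending mount point:
#   "mfs MP"            memory filesystem: writable scratch space survives ro media
#   "writable+exec MP"  mounted read-write without noexec
# Prints nothing when every mount is read-only or noexec and no mfs is present.
audit_mounts() {
    mounts=$1
    printf '%s\n' "$mounts" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Positional split: $1=dev $2=on $3=mountpoint $4=type $5=fstype
        set -- $line
        mp=$3
        fstype=$5
        # Options are the parenthesised, comma-separated tail of the line.
        opts=${line#*"("}
        opts=${opts%")"}
        opts=$(printf '%s' "$opts" | tr -d ' ')

        # Memory-backed filesystems are writable by construction; report and move on.
        case $fstype in
            mfs|tmpfs) printf 'mfs %s\n' "$mp"; continue ;;
        esac

        # Anything not read-only must at least be noexec.
        case ",$opts," in
            *,read-only,*|*,noexec,*) ;;
            *) printf 'writable+exec %s\n' "$mp" ;;
        esac
    done
}

# Stand-alone run against the constructed sample.
audit_mounts "$SAMPLE_MOUNTS"
```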