From: Friedrich L. <fl...@fl...> - 2001-09-15 12:12:47
Hi!

Martin Mueller wrote:

> Well, most of them have a quite minimal setup, they are just NAT
> boxes, that only allow ssh from the internal network ... so there
> aren't any daemons to be out of date, and I know of no kernel-bug,
> that allows a remote exploit except a DOS attack. Well in case that
> happens, just hit the reset button and you're set.

Yes, but that will not always be the case with devil-linux, because for
more advanced systems Heiko planned to add some proxies, MTA, ... I will
definitely be one to deploy such systems. For example if one has got a
mail server behind the firewall, the firewall has to accept SMTP
connections and proxy/spool them to the internal server. So I think that
we have to keep that in mind and design Devil-Linux as secure as possible.

> > I would suggest updating the CD _at least_ every 6 months.
> > How about the CD-ROM drives themselves, how long do they work flawlessly?
> > If they only work for 1-2 years what's the cost of a new drive? Only about
> > $47 / 100 DM / 700 ATS. That's _nothing_ compared to the costs when you're
> > cracked.
>
> It's not the cost of a cdrom drive, or the CDROM, it's the maintenance
> cost, to have someone change the drive for you and have a downtime.

OK, then tell me from your experience how often did you have to change a
CD-ROM drive in those 15 systems?

> Most of the people I made the CDs for, have _no_ clue about hardware
> or computers except using a webbrowser, and they're often a couple of
> hundreds of kilometers away. So the only thing I can do for them is
> send them a CD via mail, but they have to get the hardware serviced
> themselves, which involves paying quite a lot for changing a CDROM.

True, but if it happens once every 1-2 years (estimated) that a CD-ROM
drive has to be replaced, they should understand that it is an implication
of security. In the mean time you keep sending them updated CDs. They just
reset the machine, change the CD and the computer starts up the new system.

> > How? A decent firewall should be the point of attack, not the systems
> > behind it. Do you use ip-port-forwarding?
>
> Well, just NAT behind a single ip-address, no daemons, no other stuff.

What kind of attacks did you get? The ones where someone from the inside
(eg. via a link in a mail) could trick the Linux masquerading into opening
ports for one machine to the outside? If you just use NAT then I can't
think of anything else besides trojans and viruses, but that's another
chapter. Maybe once we do virus scanning on the firewall we could take
care of it.

--
MfG / Regards
Friedrich Lobenstock