[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Philosophical Question: Inheriting a Firewall



Rebuilding is the only way to be sure.As a previous poster mentioned, use sudo on
the new box, log everything, etc. One way to mitigate the time involved in these
kind of 'lock-downs' is a server image. Simply, once you get the machine up and
working, with all the appropriate firewall rules, etc.,  image the machine with
some sort of disk image tool. Next time you can just wipe and re-image the system.
It's a great timesaver. I'm a big fan of Image Cast.

Rob

Thomas DeMartini wrote:

> I'm all for the complete rebuild option if you have anything valuable at
> stake and don't trust the former admin.  There are lots of nasty things he
> could do...for example, all the firewall code and everything on the system
> could actually be safe and correct except for the gcc program which also
> operates as expected whenever you compile something.  However the gcc
> program might have a little bit of trojan'ed code compiled in it which will
> detect when you are compiling the firewall and insert a backdoor at that
> time.  So the old administrator won't be able to get in until next time you
> recompile the firewall or some other equally important peice of software,
> but the point is that at some future time root access may be his
> again.  Now I guess you could compare gcc with a known gcc, but who is to
> say that 'diff' is also not slightly altered to report that a compare of
> gcc with the real gcc should report no differences as well as a compare of
> the compromised diff with a real diff.  Now of course you could compile a
> new diff and use that compare, but the compromised gcc may compile your new
> diff into a compromised diff.  You could copy over a precompiled diff, but
> how do you get it over, ftp or lynx?  Are you sure those are
> trustworthy?  If so, how do you know, because you compiled them fresh with
> a questionable gcc or because you compared them using a questionable
> diff?  Or did you just check the file size with a questionable ls?  It's
> all about whether you think you can outsmart all his past attempts or
> whether he had the knowledge to know what you would try and then outsmart
> it or whether he just got a 'kit' from someone who developed such a thing
> and then installed it, in which case now you not only have to worry about
> him getting in, but also the developer of the 'kit'...
>
> Just to add to the paranoia...probably didn't help much...but i think wipe
> and reinstall is better if you choose not to completely trust the former admin.
>
> Thanks,
> Thomas.
>
> At 08:38 AM 12/10/00, you wrote:
> >Now... Let's assume they are running OpenBSD for their firewall,
> >though really, this is probably a general firewall question.  Is there
> >any realistic way to lock down the firewall without rebuilding it
> >completely from scratch?

--
Rob Hines Jr.
System Administrator





Visit your host, monkey.org