
List:       linux-ipchains
Subject:    [Ipchains] Re: [Ipchains] Greetings, Hacker, WatchGuard, IPChains
From:       Sandy Harris <sandy.harris () sympatico ! ca>
Date:       1999-06-27 22:15:43

Thomas Gray - AugSoft wrote:

Fascinating post. Thanks.
 
> PS: It would be good to have a way to "compile" a recipe (shell script)
> of ipchains (or iptables) commands (kind of like ipchains-store) with
> the results being an encrypted binary image that gets loaded into the
> kernel-space on the firewall computer. This gives us the option of only
> storing the binary image on the firewall computer, rather than the
> human-understandable commands.

I'm not sure that does much good.

If the firewall's not compromised, it doesn't matter. The attacker can't read
the rule files anyway.

If the firewall is compromised, the attacker can get the binary form. It is clear
that figuring that out will be more work than just reading the rule files,
but not clear that it would actually be hard, or that the process couldn't
be neatly automated. I think any security there is illusory, unless you go
all the way and encrypt the rules.

Encrypting the rules brings in more complications, more overhead, and more
problems, e.g. how do you store the key? I'm not at all sure that would be
a good idea either.

Would it be useful to add a feature that prevents an attacker from altering
the rules? Something like "ipchains --lock", after which various ipchains
features become unavailable until the next reboot?

----------------------------------------------
To unsubscribe to this list, write an email to
ipchains-request@rustcorp.com with a body of
'unsubscribe'.

www.rustcorp.com - web site
ftp.rustcorp.com - ftp site

Mail Archives:
http://www.starshadow.com/pipermail/ipchains
http://www.progressive-comp.com/Lists/?l=linux-ipchains&r=1&w=2#linux-ipchains
----------------------------------------------
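The key-storage problem Sandy raises can be made concrete. The following is an added illustration, not code from the list, from ipchains, or from any real "compile" tool: it packs a constructed set of rule lines into a toy encrypted image and loads it back. The image format, the SHA-256 counter-mode keystream and the function names (`compile_rules`, `load_rules`, `rules_differ`) are all hypothetical. The point it demonstrates is that `load_rules` is the only thing the firewall needs at boot, so whoever holds the host holds the image and the key together, and the encryption buys nothing against that reader; what the stored image can still do is serve as an authoritative copy for a defender to compare the live rule set against.

```python
"""Toy model of a 'compiled', encrypted ipchains rule image.
Added example for the list discussion; not a real ipchains feature."""
import hashlib
import hmac
import os
import struct

# Constructed sample rule set (hypothetical ipchains commands, not from the post).
SAMPLE_RULES = [
    "ipchains -P input DENY",
    "ipchains -A input -p tcp -s 0/0 -d 192.0.2.1 22 -j ACCEPT",
    "ipchains -A input -p tcp -s 0/0 -d 192.0.2.1 80 -j ACCEPT",
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256. Illustration only;
    it is not a vetted cipher and is not a recommendation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def compile_rules(rules, key: bytes) -> bytes:
    """Serialise rule lines into a length-prefixed blob and encrypt it.
    Image layout (hypothetical): 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    plain = b"".join(struct.pack(">H", len(r.encode())) + r.encode() for r in rules)
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def load_rules(image: bytes, key: bytes):
    """Verify the tag and decrypt the image back into rule lines.
    The firewall must run this at boot, so the key has to be on the box;
    anyone who has the box therefore has everything this call needs."""
    nonce, cipher, tag = image[:16], image[16:-32], image[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("image tag mismatch: wrong key or modified image")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    rules, pos = [], 0
    while pos < len(plain):
        (n,) = struct.unpack(">H", plain[pos:pos + 2])
        rules.append(plain[pos + 2:pos + 2 + n].decode())
        pos += 2 + n
    return rules


def rules_differ(image: bytes, key: bytes, live_rules) -> bool:
    """Defender check: does the rule set currently loaded (passed in here as a
    list) differ from the authoritative stored image? True means the live
    rules were changed after the image was built."""
    return load_rules(image, key) != list(live_rules)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"          # constructed; a real key would not live in source
    image = compile_rules(SAMPLE_RULES, demo_key)
    print("round trip ok:", load_rules(image, demo_key) == SAMPLE_RULES)
    print("live rules altered:", rules_differ(image, demo_key, SAMPLE_RULES[:-1]))
```

The `rules_differ` check is the one piece a practitioner can actually use from this model: periodically compare what is loaded in the kernel with the stored image and alert on a mismatch. It detects alteration rather than preventing it, which is a different and weaker guarantee than the `--lock` idea in the message, but it does not depend on the image being unreadable.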
