[ale] Linux OS to CD (Firewall)

Transam transam at cavu.com
Thu Apr 18 23:18:10 EDT 2002


> On Fri, 12 Apr 2002 sangell at nan.net wrote:

> > Anyone out there have any experience in converting a Linux OS from a Hard
> > Drive to a CD?

> It's not that difficult -- the easy way is to mount a ramdisk as /, and then
> you don't even have to deal w/ issues like /etc needing to be writable.  
> I've done firewalls and web servers that way....

The technique for a bootable CD is documented in the CD Burning HOWTOs, etc.
If I recall the first file on the CD should be the image of a bootable
floppy.  Creating a custom root floppy for the same purpose is documented
in Real World Linux Security and the floppy can be set Read/Only.  There
is enough space on the root floppy for Firewall code without much effort.

> > I have been setting up several firewalls the last few days
> > based on Smoothwall Linux. I finally have them the way I want and was
> > thinking about the possibility of migrating the OS from the hard drive to a
> > CD. Since the entire setup is under 100 Meg it would easily fit on a cd.
> > There is another distro built on this basis, Devil Linux I believe is the
> > name.

The hard part about building a Firewall is the proper rule set.  A good
Cracker (or White Hat such as Mike Warfield or myself) can penetrate most
people's Firewalls with minimal effort.  The danger of packages that make
it "easy" to build a Firewall without too much knowledge or thinking is that
holes may be left in the Firewall and one certainly does not know what it
really is doing and not doing.

Also, a Firewall is the start of network security, not the end of it.
Putting a Firewall in front of an IIS web server generally is not enough
and not picking good passwords is a major problem too.

> See also <http://www.sentryfirewall.com/> which is exactly what you're 
> wanting (firewall running off CD).  Looking at what they do and customizing 
> is probably the quickest way to get it going.  One potentially nice thing 
> about their system is that it's a CD - floppy combo (run off CD, read the 
> firewall config off of floppy), which is a little more convenient in some 
> cases than having to burn a new CD every time you want to modify the config.  
> And if you don't want that behavior, it's easy to modify to use a config 
> file on the CD instead....

I worry that the inconvenience of burning a new CD (evidenced by needing a
floppy to hold the configuration data and Trojans) will tend to discourage
you from making needed patches and tweaks that should be made.  Further,
you seem more concerned about conveniently recovering the Firewall after
a Cracker has broken into your Firewall without the bother of rebuilding
a hard disk.

A Firewall, like a Surge Protector or UPS during a lightning strike, is
expendable.  It is what it is protecting that is not.  A single Firewall
breach likely will compromise many of the systems behind the Firewall and
in that case an update of the Firewall configuration probably will be in
order anyway.

One can mount the root file system of a hard disk-based system Read/Only,
protecting it against data alteration even from many root exploits
(kernel, insmod, /proc, and mknod exploits excepted).  Adding a system call
to disable these from the running kernel will increase security as will
applying security patches in a timely fashion.

Besides, who reboots Firewalls?  One of Dow's Firewalls has been up for
245* days and another of his has been up for 166 days.  The third was taken
down just to clone its disk for another Firewall.  Another client's has been
up for the entire 119 days it has been installed.  Sure, we tweak the
software and rules and install patches but never have needed to reboot.
* Building power was shut down for a few hours for electrical work.

> > Also how would one handle virtual memory?

> Just don't have any -- you don't have to have swap, and your firewall should 
> never need to swap anyway.

> > As I am typing I am thinking about the logs as well. Hmmmm, how about booting
> > CD and mounting a small HD partition for swap and one for a log directory?

> You can do that, or you can keep the logs on ramdisk and copy them off
> periodically over the network, or you can setup a remote logging box behind
> the firewall and log to it.  Depends on your needs....  One advantage to not
> using a hard drive, though, is that you've then eliminated the primary
> hardware point of failure.

Hard disks are at least as reliable as floppies and CD drives, I suspect.  I
would expect five continuous years MTBF for decent hard disks.

> later,
> chris

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at verysecurelinux.com                [Please use for email to me]
http://www.verysecurelinux.com         [Network&Linux/Unix security consulting]

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
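
The read-only root setup discussed in the message above can be verified from the mount table. The following is an added example, not part of the original message: a POSIX shell audit over text in /proc/mounts format that confirms / is effectively read-only and lists writable mounts outside an allowlist. The sample table, its device names and the allowlist (/proc, /var/log) are constructed assumptions.

```sh
#!/bin/sh
# Added example. Input on stdin is text in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample: rootfs is covered by a later read-only mount of /.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/hda1 / ext2 ro 0 0
proc /proc proc rw 0 0
none /var/log tmpfs rw,nosuid 0 0
/dev/hda3 /home ext2 rw 0 0
EOF
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce the table to "mountpoint options", keeping only the last entry
# per mount point, since a later mount covers an earlier one.
effective_mounts() {
    awk '{ if (!($2 in seen)) order[++n] = $2; seen[$2] = $4 }
         END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }'
}

# Succeed only if the effective mount of / carries the ro option.
root_is_readonly() {
    root_opts=$(effective_mounts | awk '$1 == "/" { print $2 }')
    [ -n "$root_opts" ] && has_opt "$root_opts" ro
}

# unexpected_writable ALLOWED...: print rw mount points not in ALLOWED.
unexpected_writable() {
    effective_mounts | while read -r mnt opts; do
        has_opt "$opts" rw || continue
        uw_ok=no
        for a in "$@"; do
            if [ "$mnt" = "$a" ]; then uw_ok=yes; fi
        done
        if [ "$uw_ok" = no ]; then printf '%s\n' "$mnt"; fi
    done
}
```

On a live system, feed it the real table, for example `unexpected_writable /proc /var/log < /proc/mounts`.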
