[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Re: [m0n0wall] Restriction Modifications
 Date:  Mon, 27 Sep 2004 02:02:57 -0400
On Mon, 20 Sep 2004 10:44:06 -0400, Chet Harvey <chet at pittech dot com> wrote:
> On the console password issue, I agree with Manuel. If someone has access to
> your firewall to do bad things, you have bigger problems. Also it's not like
> the user thru the serial interface can change rules. All they can do is
> add/delete interfaces and change IP's. If you want to disrupt service, just
> unplug it.
> 
> Not something a "hacker" would be too interested in anyway.
> 
> Rule change would be the badguys biggest thing. Any sys admin worth his/her
> salary would certainly notice the addition of an interface.
> 

I certainly agree that if someone has physical access to your firewall
you have more problems than an open console (read: get some physical
security!), but there are certainly situations where people would want
to do it.  Especially since you can reset the webGUI password, and it
would probably take the admins a while to realize (who logs into their
production firewall every day?  Not many)

But the original person requesting this didn't explain his need for
having it.  This is required for ICSA certification, and that person
is working on a project for a government agency or something of the
like that requires all firewall products to be ICSA certified.  Not an
uncommon requirement in those types of environments.  I won't discuss
the validity of the ICSA nor the products that have "passed"
inspection with holes you could drive a truck through.  :)  That's
beside the point.

The person who submitted the console lock down patch (I believe it was
that person, I don't remember all the details, sorry) was in #m0n0wall
on IRC a few days ago talking about getting m0n0wall ICSA certified. 
The money to get the certification and maintain it would be available
through the project he's currently working on (mentioned above).  And
that's the reason for that patch.

With the console open, it would fail this specific ICSA objective:
ST1 – Administrative Access Testing – The Candidate Firewall Product
must demonstrate through testing that no unauthorized control of its
Administrative Functions can be obtained.

m0n0wall would be the only non-commercial ICSA certified firewall if
the project that's considering paying for it worked out.  I think it
would be great for the project, give it some 3rd party credibility. 
It's not cheap though, at about $25K USD per year to maintain
certification.

I was working with a startup firewall company that was looking into
the ICSA and was testing against their criteria, so I have a good
understanding of it.  The criteria docs are available on
www.icsalabs.com, though scattered about and a little difficult to
find.  I threw them up on my website if anybody is interested in
taking a look.  http://chrisbuechler.com/m0n0wall/icsa/

-Chris