On Mon, 27 Sep 2004, Chris Buechler wrote:
> On Mon, 20 Sep 2004 10:44:06 -0400, Chet Harvey <chet at pittech dot com> wrote:
> > On the console password issue, I agree with Manuel. If someone has access to
> > your firewall to do bad things, you have bigger problems. Also it's not like
> > the user thru the serial interface can change rules. All they can do is
> > add/delete interfaces and change IP's. If you want to disrupt service, just
> > unplug it.
> > Not something a "hacker" would be too interested in anyway.
> > Rule change would be the bad guys' biggest thing. Any sys admin worth his/her
> > salary would certainly notice the addition of an interface.
> I certainly agree that if someone has physical access to your firewall
> you have more problems than an open console (read: get some physical
> security!), but there are certainly situations where people would want
> to do it. Especially since you can reset the webGUI password, and it
> would probably take the admins a while to realize (who logs into their
> production firewall every day? Not many)
It should also be noted that the assumption that console access ==
physical access isn't necessarily true, particularly with a serial console
that might not be in the same room (or even the same floor) as the