 From:  Sharif Nassar <m0n0wall dash list at mrwacky dot com>
 To:  Hilton Travis <Hilton at QuarkAV dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall feature request
 Date:  Fri, 23 Jan 2004 16:20:22 -0800 (PST)
(Re: console access) 

I think it makes perfect sense to place that little extra hurdle to 
accessing via the console.  If anything else, it prevents me from doing 
something really boneheaded by mistake.


On Sat, 24 Jan 2004, Hilton Travis wrote:

> On Sat, 2004-01-24 at 01:17, Manuel Kasper wrote:
> > EXT dash Mike dot Bradshaw at nokia dot com wrote:
> > > if someone has physical access to your Firewall console you are 
> > > pretty much screwed right there. a simple console login is *SO* easy
> > > to defeat that it is just not funny (if you have physical access)
> > 
> > That is my point of view as well, but as this has come up enough times
> > to get me bored, I'll just add a checkbox to the advanced setup page
> > that allows you to disable the console menu altogether. I'm not going to
> > bother about adding a login, though. The console menu is superfluous
> > after initial setup anyway because the interfaces can now be assigned
> > via the webGUI too. Of course if you forget the password you're in for a
> > "hard reset", but isn't that what you do with commercial firewall boxes
> > too...
> I totally agree that if someone has physical access, it is time to say
> goodnight.  However, with m0n0wall systems that are based on regular
> computer hardware, not those rather nice looking Soekris boards, then
> seeing a logged in console on a security device is akin to using telnet
> to access one (a la Cisco - that's a joke).
> If you add this option to disable the console menu, this will most
> definitely do the trick - stop the "appearance" of an insecure device
> because of a permanently logged in user.  As I originally mentioned, "it
> doesn't appear secure when it is constantly sitting there on a logged in
> account".  The actual security is not *really* affected, just the
> "appearance" of the security.  And that's what tends to matter to
> Sysadmins when demonstrating things to suits - as suits have so limited
> a technical comprehension they often cannot work out the difference
> between their telephone handset and their laptop.  But they can
> determine the difference between a logged in system, and a system
> sitting at a login prompt.