 From:  Sharif Nassar <m0n0wall dash list at mrwacky dot com>
 To:  Hilton Travis <Hilton at QuarkAV dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall feature request
 Date:  Fri, 23 Jan 2004 16:20:22 -0800 (PST)
(Re: console access) 

I think it makes perfect sense to place that little extra hurdle to 
accessing via the console.  If anything else, it prevents me from doing 
something really boneheaded by mistake.

-s

On Sat, 24 Jan 2004, Hilton Travis wrote:

> On Sat, 2004-01-24 at 01:17, Manuel Kasper wrote:
> > EXT dash Mike dot Bradshaw at nokia dot com wrote:
> > > if someone has physical access to your Firewall console you are 
> > > pretty much screwed right there. A simple console login is *SO* easy
> > > to defeat that it's just not funny (if you have physical access)
> > 
> > That is my point of view as well, but as this has come up enough times
> > to get me bored, I'll just add a checkbox to the advanced setup page
> > that allows you to disable the console menu altogether. I'm not going to
> > bother about adding a login, though. The console menu is superfluous
> > after initial setup anyway because the interfaces can now be assigned
> > via the webGUI too. Of course if you forget the password you're in for a
> > "hard reset", but isn't that what you do with commercial firewall boxes
> > too...
> 
> I totally agree that if someone has physical access, it is time to say
> goodnight.  However, with m0n0wall systems that are based on regular
> computer hardware, not those rather nice looking Soekris boards, then
> seeing a logged in console on a security device is akin to using telnet
> to access one (a la Cisco - that's a joke).
> 
> If you add this option to disable the console menu, this will most
> definitely do the trick - stop the "appearance" of an insecure device
> because of a permanently logged in user.  As I originally mentioned, "it
> doesn't appear secure when it is constantly sitting there on a logged in
> account".  The actual security is not *really* affected, just the
> "appearance" of the security.  And that's what tends to matter to
> Sysadmins when demonstrating things to suits - as suits have so limited
> a technical comprehension they often cannot work out the difference
> between their telephone handset and their laptop.  But they can
> determine the difference between a logged in system, and a system
> sitting at a login prompt.