 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] console access (was "m0n0wall feature request"
 Date:  Fri, 23 Jan 2004 17:36:51 -0800
>> > > if someone has physical access to your Firewall console you are
>> > > pretty much screwed right there. a simple console login is *SO* easy
>> > > to defeat that it's just not funny (if you have physical access)
>> >
>> > That is my point of view as well, but as this has come up enough times
>> > to get me bored, I'll just add a checkbox to the advanced setup page
>> > that allows you to disable the console menu altogether. I'm not going to
>> > bother about adding a login, though. The console menu is superfluous
>> > after initial setup anyway because the interfaces can now be assigned
>> > via the webGUI too. Of course if you forget the password you're in for a
>> > "hard reset", but isn't that what you do with commercial firewall boxes
>> > too...
>>
>> I totally agree that if someone has physical access, it is time to say
>> goodnight.  However, with m0n0wall systems that are based on regular
>> computer hardware, not those rather nice looking Soekris boards, then
>> seeing a logged in console on a security device is akin to using telnet
>> to access one (a la Cisco - that's a joke).

I'll just add my two cents:

(This is only if you're actually changing current behavior, which I have no
problem with.)

I'm more worried about my cats walking on the keyboard of the console
machine than I am about true security at the console. If there was a way to
lock and unlock the console to keyboard input, that would be enough for me.

The way I see it, you could both lock and unlock from the webGUI, but only
lock it from the console. When locked, the console could say "Console is
LOCKED. Unlock via webGUI."

The console should unlock when you reboot. (My preference, I can appreciate
other points of view.)

Now all you have to do is keep the pointy haired bosses from rebooting, by
telling them they'll shut off the Internet. ;-)

Michael
-- 

_____________________________________________________________
Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
                                     <http://www.alderete.com>