comp.security.ssh SSH secure remote login and tunneling tools.

#1

comp@toddh.net (Todd H.) writes:
> Randy Yates <yates@ieee.org> writes:
>
>> Folks,
>>
>> Forgive the OT nature, but I'm dying to bounce this off of some
>> reputable and knowledgeable people in security, and I think this
>> group is rich in such members.
>>
>> The problem of being owned, hacked, kiddied, yada-yada-yada is
>> so common nowadays I was thinking of ways to at least detect
>> such situations and came up with this.
>>
>> Create a separate physical device that monitors the TCP/IP traffic and
>> provides a physical display of suspected security problems. This
>> device would not communicate over the network - its configuration and
>> monitoring would be done physically - so it couldn't be hacked.
>>
>> So, e.g., the device could be hooked on your outgoing cable modem
>> connection, hanging in your upstairs room by the cable. It could
>> sound an audible alarm and have a display of suspicious traffic.
>> It could even have a configurable mode that automatically blocked
>> such traffic.
>>
>> What do you think? Are there such devices already out there?
>
> Sorta. They're called IDS or IPS boxes. Intrusion
> detection/prevention. Snort is the free IDS that's wildly popular and
> scary good. This is considered NIDS, or network based IDS. There
> are also HIDS or host-based IDS systems that live on end point
> machines. They provide complementary protection. The device you've
> invented is a passive NIDS device.
>
> http://www.sans.org/resources/idfaq/
>
> This is pretty cool--a snort virtual appliance available free from
> vmware for vmware player:
> http://www.vmware.com/vmtn/appliances/directory/185
>
> --
> Todd H.
> http://www.toddh.net/

Todd et al.,

Here's another idea for bolstering security. From my infantile understanding of root kits, they "infect" either the tools used to detect security problems (ps, lsof, etc.) or the operating system kernel itself, or both.

If the key components of at least the kernel could be burned into read-only memory, then there would always be some basic kernel-level utilities that could be guaranteed to never get owned. Of course the kernel memory wouldn't really have to be read-only - updating of the memory, such as when installing an OS, could be controlled physically.

I'm just tired of these assholes gunning for my machine, and frankly I think I'm smarter than they are. After all, I have PHYSICAL access to the machine - they don't!

--
%  Randy Yates                  % "Midnight, on the water...
%% Fuquay-Varina, NC            %  I saw... the ocean's daughter."
%%% 919-577-9882                % 'Can't Get It Out Of My Head'
%%%% <yates@ieee.org>           % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr
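As an added example (not code from the thread, and not Snort's): the two checks a passive box sitting on the cable-modem link, as Randy describes and Todd classifies as a passive NIDS, would run over the traffic it sniffs. It works on a constructed list of flow records rather than a live capture; the LAN prefix 192.168.1., the set of "normal" outbound ports and the sample flows are assumptions made for the illustration.

```python
# Added example (not code from the thread or from Snort): the two checks a
# passive NIDS on the cable-modem link would run over traffic it sniffs.
# Assumptions, labelled here and in the lead-in: the home LAN is 192.168.1.0/24,
# the "normal" outbound ports are 22/53/80/443, and the flow records below are
# constructed, not captured.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


LAN_PREFIX = "192.168.1."                        # assumption: the monitored LAN
ALLOWED_OUTBOUND = frozenset({22, 53, 80, 443})  # assumption: expected outbound ports

# Constructed sample traffic: three benign outbound flows, an outside host
# walking ports 1-20 on the LAN box within four seconds, and the LAN box
# connecting out to an IRC-style port (a classic bot call-home).
SAMPLE_FLOWS = (
    [Flow(1.0, "192.168.1.10", "93.184.216.34", 443, "tcp"),
     Flow(2.0, "192.168.1.10", "8.8.8.8", 53, "udp"),
     Flow(3.0, "192.168.1.10", "198.51.100.7", 22, "tcp")]
    + [Flow(10.0 + i * 0.2, "203.0.113.5", "192.168.1.10", port, "tcp")
       for i, port in enumerate(range(1, 21))]
    + [Flow(30.0, "192.168.1.10", "203.0.113.9", 6667, "tcp")]
)


def is_internal(ip):
    return ip.startswith(LAN_PREFIX)


def detect_port_scans(flows, window=10.0, threshold=10):
    """Flag a (src, dst) pair where src touches more than `threshold`
    distinct destination ports on dst within any `window` seconds.
    Returns a list of ("portscan", src, dst, distinct_ports) tuples."""
    hits = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        hits[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = []
    for (src, dst), events in hits.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) > threshold:
                alerts.append(("portscan", src, dst, len(ports)))
                break            # one alert per pair is enough
    return alerts


def detect_unexpected_outbound(flows, allowed=ALLOWED_OUTBOUND):
    """Flag LAN hosts talking to the outside on ports not in `allowed`:
    an owned box calling home shows up here even if nothing scanned it."""
    return [("outbound-policy", f.src, f.dst, f.dport)
            for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.dport not in allowed]


def run_detectors(flows):
    return detect_port_scans(flows) + detect_unexpected_outbound(flows)


if __name__ == "__main__":
    for alert in run_detectors(SAMPLE_FLOWS):
        print(*alert)
```

Run against the sample it raises exactly two alerts: the vertical scan of 192.168.1.10 by 203.0.113.5 and the call-home to port 6667. The scan check is keyed per (src, dst) pair, so a horizontal sweep (one port across many hosts) needs the symmetric check keyed on (src, dport); and the outbound-policy check is the one that catches an already-owned box, which is the case Randy is actually worried about.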

#2

Randy Yates <yates@ieee.org> writes:
> Todd et al.,
>
> Here's another idea for bolstering security. From my infantile
> understanding of root kits, they "infect" either the tools
> used to detect security problems (ps, lsof, etc.) or the
> operating system kernel itself, or both.
>
> If the key components of at least the kernel could be burned
> into read-only memory, then there would always be some basic
> kernel-level utilities that could be guaranteed to never get
> owned.

Yup. Soekris sells cool little boxes where the OS goes onto flash memory. Or you can run off a CD on some distros of firewalls that include this stuff.

> I'm just tired of these assholes gunning for my machine,
> and frankly I think I'm smarter than they are. After all,
> I have PHYSICAL access to the machine - they don't!

Randy, openbsd may just be your OS. :-)

--
Todd H.
http://www.toddh.net/

#3

Todd H. wrote:
> Randy Yates <yates@ieee.org> writes:
>
>> Todd et al.,
>>
>> Here's another idea for bolstering security. From my infantile
>> understanding of root kits, they "infect" either the tools
>> used to detect security problems (ps, lsof, etc.) or the
>> operating system kernel itself, or both.
>>
>> If the key components of at least the kernel could be burned
>> into read-only memory, then there would always be some basic
>> kernel-level utilities that could be guaranteed to never get
>> owned.
>
> Yup. Soekris sells cool little boxes where the OS goes onto flash
> memory.

This won't help you - the kernel is loaded into plain RAM for execution.

> Or you can run off a CD on some distros of firewalls that include this
> stuff.

STILL won't help you. It will ensure that a reboot gives you a clean system, though (but that's really not much when your firewall has been pwned, now is it? ;-)

--
| Christian Iversen       | True, true, true. Except for the lies. |
| chrivers@iversen-net.dk |                                        |
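As an added example (not code from the thread): since, as Christian says, the running kernel and its userland live in RAM whatever medium they booted from, the practical thing to do with Randy's "infected ps or infected kernel" worry is cross-view detection: take the process list from several independent paths (what `ps` prints, what /proc lists, which pids answer `kill(pid, 0)`) and report any pid that one view knows and another does not. The parsers take text so the check runs on constructed output; `scan_live()` does the real thing on a Linux host. The sample views, including the hidden pid 4242, are constructed for the illustration.

```python
# Added example, not code from the thread. A rootkit that replaces ps (or an
# LKM that filters /proc readdir) hides a process from one view but rarely from
# every view. Cross-view detection compares what ps prints, what /proc lists,
# and which pids answer kill(pid, 0); a pid present in one view and absent from
# another is the anomaly. The parsers take text so this runs on constructed
# input; scan_live() does the real thing on a Linux host.
import os
import subprocess

# Constructed views of the same moment, not taken from a real system.
# ps has been "fixed" to drop pid 4242; /proc and kill(2) still know it.
SAMPLE_PS_OUTPUT = "  PID\n    1\n    2\n  512\n  513\n"
SAMPLE_PROC_LISTING = ["1", "2", "512", "513", "4242", "cpuinfo", "self", "sys"]
SAMPLE_KILL_PIDS = {1, 2, 512, 513, 4242}


def parse_ps_pids(ps_text):
    """PIDs from `ps -eo pid` output; the header and blanks are skipped."""
    return {int(tok) for tok in ps_text.split() if tok.isdigit()}


def parse_proc_pids(entries):
    """PIDs from a /proc directory listing: only the all-digit entries."""
    return {int(e) for e in entries if e.isdigit()}


def probe_kill(max_pid):
    """PIDs that exist according to kill(pid, 0). EPERM means the process
    exists but belongs to another user, so it counts as present."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view(ps_pids, proc_pids, kill_pids):
    """Map each pid that is missing from at least one view to the names of
    the views it is missing from. An empty dict means the views agree."""
    views = (("ps", ps_pids), ("proc", proc_pids), ("kill", kill_pids))
    disagreements = {}
    for pid in ps_pids | proc_pids | kill_pids:
        missing = [name for name, view in views if pid not in view]
        if missing:
            disagreements[pid] = missing
    return disagreements


def scan_live():
    """Linux only. Take the three views as close together as possible;
    a process that starts or exits between them gives a one-off
    disagreement, so repeat and keep only pids that show up every time."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    return cross_view(parse_ps_pids(ps_out),
                      parse_proc_pids(os.listdir("/proc")),
                      probe_kill(pid_max))


if __name__ == "__main__":
    print(cross_view(parse_ps_pids(SAMPLE_PS_OUTPUT),
                     parse_proc_pids(SAMPLE_PROC_LISTING),
                     SAMPLE_KILL_PIDS))
```

On the constructed views the result is `{4242: ['ps']}`: the process is real, only the trojaned `ps` is lying. The caveat is exactly Christian's point: a kernel-level rootkit that hooks `getdents` and `kill` lies to all three views at once, and then no in-band check will see it; the comparison has to come from outside the running kernel (a boot from Randy's read-only media, or a memory image taken from another system).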

#4

Todd H. wrote:
> Randy Yates <yates@ieee.org> writes:
>
> > Todd et al.,
> >
> > Here's another idea for bolstering security. From my infantile
> > understanding of root kits, they "infect" either the tools
> > used to detect security problems (ps, lsof, etc.) or the
> > operating system kernel itself, or both.
> >
> > If the key components of at least the kernel could be burned
> > into read-only memory, then there would always be some basic
> > kernel-level utilities that could be guaranteed to never get
> > owned.
>
> Yup. Soekris sells cool little boxes where the OS goes onto flash
> memory. Or you can run off a CD on some distros of firewalls that
> include this stuff.

The CD based distributions are exactly right for this: so are some of the network installed OS's. There are difficulties.

1: How can you upgrade or modify them locally, for normal system reasons such as storing log files? Static filesystems have to store information *somewhere*, and it can easily eat up available RAM to do this on a CD-based system. A network based OS, or a local OS image with /var set up as local disk for logs, can relieve this problem, but it's still an issue to address.

2: Nailing down the OS this way often eliminates traces of successful attacks for later analysis, much as hosing down a car crash scene can eliminate the traces of blood and bits of broken windshield or tire tracks that would reveal events. These may not be worth keeping for some systems, such as external firewalls with limited capabilities anyway.

3: Loading kernels from other than the boot media, with its copy of the bootable kernel with its device drivers to talk to the hardware with the OS and any dynamic libraries on it, is difficult. There are real trade-offs in limiting the power of the kernel to the bare minimum and turning off loadable modules for security, vs. performance and management of the kernel to accommodate potential hardware.

Locked down, these bits have real advantages for security, but the loss of flexibility has a very real cost. This is true for SSH specific configurations as much as for kernels and entire OS's. Much of the desirable fine-grained control is now available with tools like SELinux, and will hopefully be available as part of the "Trusted Computing" toolkits, but that's going to take a lot of development to implement properly, especially for open source tools like SSH where the authors do not necessarily have the money to spend on Trusted Computing authorization keys.
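As an added example (not code from the thread): a small audit of a Linux box against the three points made above: is the root filesystem really mounted read-only, does /var live on separate writable storage so that logs survive a reboot (point 2's forensic traces), and has module loading been switched off (point 3). On Linux `kernel.modules_disabled=1` is a one-way sysctl that stays set until reboot. The parsers take text, so the checks run on constructed /proc/mounts contents; `audit_live()` reads the real files. The three sample mount tables are constructed, not taken from a real host.

```python
# Added example, not code from the thread. It audits a Linux box for the
# three points above: is the root filesystem mounted read-only, does /var
# live on separate writable storage (so logs survive a reboot), and is
# module loading switched off (kernel.modules_disabled=1 is a one-way
# sysctl on Linux; once set it cannot be cleared without a reboot).
# The parsers take text, so the checks run on constructed /proc/mounts
# content; audit_live() reads the real files.
def parse_mounts(mounts_text):
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass.
    Returns {mountpoint: {"dev", "fstype", "opts"}}; a later line for the
    same mountpoint wins, as it does for the kernel's stacked mounts."""
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        # the kernel escapes spaces in paths as \040; undo that
        mnt = mnt.replace("\\040", " ")
        # options go into a set so "errors=remount-ro" never matches "ro"
        mounts[mnt] = {"dev": dev, "fstype": fstype, "opts": set(opts.split(","))}
    return mounts


def audit(mounts, modules_disabled):
    """Return a list of findings; an empty list means all three points hold."""
    findings = []
    root = mounts.get("/")
    if root is None or "ro" not in root["opts"]:
        findings.append("root filesystem is writable: a compromise can persist across reboots")
    var = mounts.get("/var")
    if var is None:
        findings.append("/var is not a separate mount: on read-only media logs cannot be written at all")
    elif var["fstype"] == "tmpfs":
        findings.append("/var is tmpfs: logs live in RAM and vanish at reboot, taking the evidence with them")
    elif "rw" not in var["opts"]:
        findings.append("/var is mounted read-only: nothing can log")
    if modules_disabled != 1:
        findings.append("kernel.modules_disabled != 1: root can still load a module into the running kernel")
    return findings


def audit_live():
    """Linux only: read the real /proc/mounts and sysctl value."""
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    try:
        with open("/proc/sys/kernel/modules_disabled") as fh:
            modules_disabled = int(fh.read())
    except FileNotFoundError:     # kernel built without CONFIG_MODULES
        modules_disabled = 1
    return audit(mounts, modules_disabled)


# Constructed /proc/mounts contents, not from a real host.
LOCKED_DOWN = ("/dev/sr0 / iso9660 ro,relatime 0 0\n"
               "/dev/sda1 /var ext4 rw,relatime,nosuid,nodev 0 0\n"
               "proc /proc proc rw,nosuid,nodev,noexec 0 0\n")
LIVE_CD = ("/dev/sr0 / iso9660 ro,relatime 0 0\n"
           "tmpfs /var tmpfs rw,nosuid,nodev 0 0\n")
ORDINARY = "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n"

if __name__ == "__main__":
    for name, text, md in (("locked down", LOCKED_DOWN, 1),
                           ("live CD", LIVE_CD, 0),
                           ("ordinary", ORDINARY, 0)):
        print(name, audit(parse_mounts(text), md) or ["ok"])
```

The "live CD" table is the case point 1 warns about: root is clean on every boot, but /var on tmpfs means the logs that would tell you what happened go away with the reboot, so the box passes the read-only check and fails the forensic one.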

#5

comp@toddh.net (Todd H.) writes:
> [...]
> Randy, openbsd may just be your OS. :-)

Are you referring to their virtual machine capability? So that if a virtual machine gets owned, who cares - just shut it down?

--
%  Randy Yates                  % "She's sweet on Wagner-I think she'd die for Beethoven.
%% Fuquay-Varina, NC            %  She love the way Puccini lays down a tune, and
%%% 919-577-9882                %  Verdi's always creepin' from her room."
%%%% <yates@ieee.org>           % "Rockaria", *A New World Record*, ELO
http://home.earthlink.net/~yatescr

#6

Randy Yates <yates@ieee.org> writes:
> comp@toddh.net (Todd H.) writes:
> > [...]
> > Randy, openbsd may just be your OS. :-)
>
> Are you referring to their virtual machine capability? So
> that if a virtual machine gets owned, who cares - just
> shut it down?

OpenBSD has the strongest security record of almost any OS. If you wanna be careful, you go with OpenBSD. There's a laundry list of features it has that other OS's don't.

--
Todd H.
http://www.toddh.net/

#7

Todd H. wrote:
> Randy Yates <yates@ieee.org> writes:
>
> > comp@toddh.net (Todd H.) writes:
> > > [...]
> > > Randy, openbsd may just be your OS. :-)
> >
> > Are you referring to their virtual machine capability? So
> > that if a virtual machine gets owned, who cares - just
> > shut it down?
>
> OpenBSD has the strongest security record of almost any OS. If you
> wanna be careful, you go with OpenBSD. There's a laundry list of
> features it has that other OS's don't.

There's a much larger laundry list of software that's useful but unlikely to ever be supported on it: this includes numerous hardware drivers.

OpenSSH is the shining example of a tool from OpenBSD that sets a standard of excellence, but I can't think of any others that I personally use for anything.

#8

"Nico" <nkadel@gmail.com> writes:
> Todd H. wrote:
>
> > Randy Yates <yates@ieee.org> writes:
> >
> > > comp@toddh.net (Todd H.) writes:
> > > > [...]
> > > > Randy, openbsd may just be your OS. :-)
> > >
> > > Are you referring to their virtual machine capability? So
> > > that if a virtual machine gets owned, who cares - just
> > > shut it down?
> >
> > OpenBSD has the strongest security record of almost any OS. If you
> > wanna be careful, you go with OpenBSD. There's a laundry list of
> > features it has that other OS's don't.
>
> There's a much larger laundry list of software that's useful but
> unlikely to ever be supported on it: this includes numerous hardware
> drivers.
>
> OpenSSH is the shining example of a tool from OpenBSD that sets a
> standard of excellence, but I can't think of any others that I
> personally use for anything.

Randy and I were bantering about appliances for perimeter protection. And for that OpenBSD is an excellent choice. Not a great choice for a desktop OS certainly.

--
Todd H.
http://www.toddh.net/