Date: Fri, 06 Oct 2000 06:28:33 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: Carroll Kong <damascus@home.com> Cc: dima@unixfreak.org, "Jeffrey J. Mountin" <jeff-ml@mountin.net>, security@FreeBSD.ORG Subject: Re: BSD chpass (fwd) Message-ID: <200010061328.e96DSkN45703@cwsys.cwsent.com> In-Reply-To: Your message of "Thu, 05 Oct 2000 09:12:05 CDT." <4.2.2.20001005090906.0639d560@email.eden.rutgers.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <4.2.2.20001005090906.0639d560@email.eden.rutgers.edu>, Carroll Kong writes: > Not sure if this is just extending the problem, but if it is going to be a > reboot box, why not create a special freebsd box that uses an octopus > 8-serial port card (for multiple machines) and null modem cables to hook > into these "secured" boxes. Naturally we would have to treat this box as a > hardened box as well. (running only sshd and firewalled and cannot accept > console logging requests). > > I have heard (ok, sorry I did not test it yet), that the Boot Loader will > automatically call up the serial port -> console drivers. So this way you > COULD call a reboot and go into single user mode from your special freebsd > console box by using minicom! > > If the most part of the annoyance is physical access, it is somewhat > eliminated by my console idea. Passwords would be secured over the serial > port (clear text, but no where to broadcast to), unless someone was > physically tapping, but if he got that far to tap, you are dead meat > anyway. I should get a null modem in my house to test for the "bootloader > showing up in console" bit. If you REALLY want full console access like to > the BIOS, there is the netweasel. > > So what do you think? Please respond if there are any flaws in this idea? We currently do a form of this on our raised floor, except that the console server does allow console logins -- the purpose of this box is twofold, remote access to the console via encrypted Kerberos sessions and the reduction of consoles littering our computer room. In our Vancouver datacentre we will be implementing, on 14 OCT, a similar arrangement but we will have two console servers, one Sun and one FreeBSD (for infrastructure boxes we scrape together whatever we can), both of which will serve each other as console servers, reducing our need to travel to Vancouver to possibly twice a year (hopefully). Physical access will be severely limited. As for hardware and software we use conserver (also in ports) and Cyclades cards in our FreeBSD and Linux console servers and Aurora cards in our Solaris console servers. The console servers use IPF for firewalls and only allow a subset of Kerberos services not running on the ports assigned to Kerberos. Solaris upgrades are currently done by jumpstart and FreeBSD upgrades would be done using make buildworld, so no CDROMS would need to be loaded local to the machine being upgraded. I haven't heard of netweasel before. Where can I find out more about it? Our original thoughts on BIOS access were to have a contractor on call for situations that would require physical access to the box, e.g. hit the power switch, BIOS access to the FreeBSD console server, or to escort a CE into the room. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010061328.e96DSkN45703>