
Re: [K12OSN] Pinch me...

Brian Fahrlander <kilroy kamakiriad com> wrote:

Just to ensure we're all on the same page here, I have five machines
behind a firewall with trusted users...my daughters, Mom, and me.  At the
school this won't be the case: hackers come from schools...it could be
just as vulnerable from the inside, as out.  :(

This is where you fall back on the NSA-endorsed concept of "Defense in
Depth". In govt. security circles, that means you construct what are called
"enclaves", within which all machines run at a similar level of trust, and
you have a filtering firewall (or proxy or gatekeeper) between the enclave
and the rest of your intranet. Firewalls within firewalls, in other words,
just like the concentric moats and keeps of a mediaeval (sp?) castle. If
your budget allows it, then use an actual firewall box and physically
separate LAN segments; if not, then compromise accordingly and fall back to
VLANs, or fall back further to firewall rules on the individual host.

It's worth bearing in mind, though, that a lot of the fear of X compromises
dates back to the days when X was run with weak or non-existent
authentication - like when users would type "xhost +" to allow easy access
from hosts that they had rsh'ed into (usually via a weak /etc/hosts.equiv
file, too). For example, in the book "Hacking Exposed", the authors give a
frightening example of using the xscan utility:

[tsunami]$ xscan quake
Scanning hostname quake ...
Connecting to quake ( on port 6000...
Host quake is running X.
Starting keyboard logging of host quake:0.0 to file KEYLOGquake:0.0...

Well, sure - but that example goes back to 1996, and we've moved on a bit
since then (see http://bbs.ee.ntu.edu.tw/boards/Linux/12/4/1.html for the
original documentation on this). The fact that SSH makes X forwarding so
easy has helped a lot.

NFS is a slightly different matter. In and of itself, NFS doesn't provide
much in the way of access controls - it's dependent on the underlying
mechanism of the OS. If it's well set up, then I'd say you're probably OK,
and the risk is acceptable, *as long as the system is administered
correctly*. (Again, "Hacking Exposed" sets up a straw man argument - a
system on which / is exported rw for everyone. Well, duh). However, if you
want to control that risk, you can use alternatives: Samba or AFS come
immediately to mind.

One Question: I'm pretty seasoned in Linux, but I don't hack the
kernel...I've read the RHCE 'training manual' and aced it. How'd you
manage to get your RHCE? Aren't they something like $2K, and take a few
days to take?  What's the recent story on the certification?  I'd really
like to get one, too...

Ah. Well, I'm a bit of an unusual case. I teach Linux and security
courses for a certain three-letter-acronym computer manufacturer, as well
as other clients. So, it's useful to me to know what my students will be
going through. In January this year, Red Hat offered a special deal on the
RHCE exam for just $A300.00 (about $US160 at the time), and at that price,
I couldn't really come up with any excuses not to take it. But if they were
charging full price ($A900.00) I wouldn't have done it.

It's a one-day test, in three sections: first, problem resolution, in which
you are given a system with various things broken (usually it won't boot
correctly) and you have to fix that. Then the examiner breaks it again, and
you find some more faults. Part Two is a multiple-choice one-hour exam,
done via a browser interface. Part Three is to build a server to a two-page
written spec. You have to install RH 8 (maybe 9 by now), with the
appropriate daemons (and X is just a waste of time at this point!), and get
everything configured with appropriate user accounts and access rules. This
is the toughest part - I flew through the first two sections, but I used
almost the full time on this section.

I actually (and probably somewhat perversely, in the view of some of the
other test-takers) quite enjoyed the test, and it sounds like you would,
too. But then, I've installed RH scores of times, and watched over the
shoulders of hundreds of students as they find ever-more-bizarre ways of
screwing it up, then helped them fix it. See
http://www.redhat.com/training/ for further details on RH training (you
don't have to do their training to take the test, btw).

If the RHCE is too pricey, then why not tackle the LPI (http://www.lpi.org)
Level 1 and 2 exams? Just two exams for LPI Level 1 certification, and it's
distro-independent. Their approach is very good, and the cert is also
highly regarded.


--- Les Bell, RHCE, CISSP
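
The NFS point in the message above (a system on which / is exported rw for everyone) can be checked mechanically. The following is an added example, not part of the original post: a small audit of /etc/exports syntax that flags world-writable exports, exports of /, and no_root_squash, including the case where a space before "(rw)" silently applies the options to every host. The sample file contents and the names parse_exports and audit are assumptions made for this illustration; quoted paths containing spaces are not handled.

```python
import re

# Constructed sample in /etc/exports syntax (not taken from the post).
SAMPLE_EXPORTS = """\
/            *(rw,no_root_squash)
/home        192.168.1.0/24(rw,sync)
/srv/pub     (ro)
/srv/data    lab1.example.org (rw)
/opt/tools   lab1.example.org(ro) \\
             *.example.org(rw)   # wildcard domain, not the whole world
"""

WORLD = {"*", "0.0.0.0/0", "::/0"}           # client specs that match any host
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    text = text.replace("\\\n", " ")          # join backslash continuations
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split(None, 1)
        # Assumption: a path with no client list is treated as exported to "*".
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "*")
        for m in CLIENT_RE.finditer(rest):
            client, opts = m.groups()
            if not client and opts is None:
                continue                      # empty match between tokens
            options = set(opts.replace(" ", "").split(",")) if opts else set()
            # "(rw)" with no host directly in front of it applies to every host.
            yield path, client or "*", options

def audit(text):
    """Return (path, client, problem) tuples for risky exports."""
    findings = []
    for path, client, opts in parse_exports(text):
        if path == "/":
            findings.append((path, client, "entire root filesystem exported"))
        if client in WORLD and "rw" in opts:  # exports(5) default is ro
            findings.append((path, client, "writable by any host"))
        if "no_root_squash" in opts:          # default is root_squash
            findings.append((path, client, "remote root is not squashed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print("%-12s %-18s %s" % finding)
```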
