[SLUG] Re: CD-Based Firewall

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Sat Nov 06 2004 - 11:36:31 EST


On Sat, 2004-11-06 at 10:15, Paul M Foster wrote:
> No, I have plenty of old hardware. But I consider a read-only media for
> a firewall a good thing.

And I can appreciate that belief. And in such cases, you should send
your real-time logs to another system for storage and further analysis.

> Plus, constantly rotating hard drive spindles are an open invitation to
> hardware failure.

First off, optical WORM (CD-R, DVD-R) failure rates are _much_higher_.
MO (CD-RW, DVD-RW, DVD+R/RW, even when mounted read-only) is even worse
(10,000x over).

Secondly, you _could_ use power savings so the hard drive isn't used
when logging is minimal, setting your buffers higher so more is cached.
Of course, that kinda hurts the whole "real-time" logging.

But in the end, with software RAID and low-cost 3Ware Escalade
ASIC-driven ATA RAID cards, I typically put (2) HDs in _any_ system I
build anymore -- even desktops and SOHO network appliances.

> A rarely rotating floppy works, but floppy media degrade,

Again, CD-R WORM media can degrade faster than a sealed, magnetic disc.
It all depends.

> and the floppy drive hole sucks in dust which you can see when you pop
> out the floppy.

CD drives fail far more than hard drives in my experience, due to the
same problem as floppies -- dust, airflow, etc...

> Thus, the idea of using a CD-ROM for the media instead.

To each his own. Just need to figure out something to address the
logging issue.

It's not a matter of preventing a hack, but knowing when you have been.
Especially with the overwhelming majority of system compromises being
outbound-based (LAN client-initiated).

Just my $0.02. Feel free to disagree and blow my views off.

-- 
Bryan J. Smith                                  b.j.smith@ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik
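The remote-logging setup Bryan recommends for a read-only firewall, as an added example that is not part of this thread: the firewall host encodes BSD syslog (RFC 3164) lines and ships them over UDP to a separate collector, which parses and stores them. The hostnames, the bounded in-memory queue for collector outages, and the sample firewall log line are all assumptions constructed for this example.

```python
import re
import socket
from collections import deque
from datetime import datetime

# Facility/severity numbers from RFC 3164 section 4.1.1 (subset).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed timestamp used by the sample below (not a real log).
SAMPLE_WHEN = datetime(2004, 11, 6, 11, 36, 31)

def build_syslog_message(facility, severity, hostname, tag, msg, when):
    """Encode one BSD syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"

SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$")

def parse_syslog_message(line):
    """Decode a line on the log host; returns None for anything malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "pid": m.group(5), "msg": m.group(6)}

class Forwarder:
    """Ships lines to the collector over UDP/514; nothing is written locally.
    Unsent lines wait in a bounded in-memory queue (a hypothetical design, not
    from the thread) so a brief collector outage does not lose everything."""
    def __init__(self, loghost, port=514, queue_size=10000):
        self.addr = (loghost, port)
        self.pending = deque(maxlen=queue_size)   # oldest entries drop when full
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def queue(self, line):
        self.pending.append(line)
        return len(self.pending)

    def flush(self):
        """Send everything queued; returns the number of lines delivered."""
        sent = 0
        while self.pending:
            try:
                self.sock.sendto(self.pending[0].encode(), self.addr)
            except OSError:
                break                     # collector unreachable: keep the rest queued
            self.pending.popleft()
            sent += 1
        return sent
```

Because UDP syslog is unauthenticated and unreliable, the collector should only accept datagrams from the firewall's address and sit on a network segment the LAN clients cannot reach.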



