[Dshield] Does anyone know if this can work

Tom dshield at oitc.com
Sun Dec 23 12:44:35 GMT 2007


Mike,

You can do what one of our 3 letter agencies does (or at least did). 
Configure an OpenBSD box with 2 drives (or even SecureBSD/TrustedBSD; 
there are also hardening instructions for Linux). Configure your swap 
files and all dynamic data on the second drive and everything else on 
your root drive. Test. Pull the write jumper on your root drive and 
deploy.  To update, remove from network; replace jumper; update; 
test; deploy.

Happy holidays,

Tom

At 10:00 PM -0500 12/22/07, Chad M Stewart wrote:
>Hi Mike,
>
>If someone were to 0wn the box, they could replace your zone files.  
>Sure the standard files are read-only, but there are ways around that.
>
>Personally, I'd start with OpenBSD and make it a slave.  Put the real 
>master on a secure network.  Let the master send updates to the 
>slave, but no traffic the other way.  Bind on OpenBSD is chroot'd by 
>default, adding another layer of defense.  Of course, add pf rules 
>to both boxes as well, and harden each host.
>
>My $0.02
>-Chad
>
>On Dec 20, 2007, at 11:04 AM, Sahli, Mike wrote:
>
>>  Hello
>>  Currently I am running Bind on a Windows box for my external DNS. I 
>>  want to make my DNS bulletproof. My thoughts are to get a Linux 
>>  distro that can run from a booted CD and reconfigure it to only run 
>>  DNS; that way the files for my zones cannot be changed. Now I figure 
>>  that I will have to keep a copy of the ISO and edit the files in the 
>>  ISO whenever I need to make a change, then reburn the ISO and boot to 
>>  the new CD, but I do not need to make changes that often, maybe once 
>>  every two or three months if that. Any thoughts and guidance will be 
>>  appreciated.
>>
>>  Michael D Sahli
>>  Sr. Network Engineer
>>  Lockheed Martin IT @ SMECO
>>  301-274-4344
>>
>>


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
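The master/slave split Chad describes, written out as a BIND 9 named.conf pair plus the pf rules for the exposed box. This is an added example, not configuration from anyone in the thread; the zone example.com, the master address 192.0.2.10 (inside), the slave address 198.51.100.5 (exposed) and the interface em0 are placeholders. One caveat the example makes explicit: the slave pulls the zone transfer itself over TCP, so "no traffic the other way" in practice means the slave may open exactly one kind of outbound connection, to the master's port 53.

```conf
# ---- /etc/named.conf on the master (secure network) ----
options {
    listen-on { 192.0.2.10; };
    allow-query { 198.51.100.5; localhost; };  # not a public server
    allow-transfer { 198.51.100.5; };          # only the slave may AXFR
    allow-update { none; };                    # zone is edited on disk only
    recursion no;
    notify yes;
};
zone "example.com" {
    type master;
    file "master/example.com";
    also-notify { 198.51.100.5; };             # push NOTIFY to the slave
};

# ---- /etc/named.conf on the slave (exposed OpenBSD box, chrooted) ----
options {
    listen-on { 198.51.100.5; };
    allow-query { any; };                      # answers the public
    allow-transfer { none; };                  # nobody pulls zones from here
    allow-update { none; };                    # dynamic update refused
    recursion no;                              # authoritative only
};
zone "example.com" {
    type slave;
    file "slave/example.com";                  # written only by named after a transfer
    masters { 192.0.2.10; };
    allow-notify { 192.0.2.10; };              # NOTIFY accepted from the master only
};

# ---- /etc/pf.conf on the slave ----
# Public DNS in; the only connection the slave may open is the zone
# transfer to the master.  Everything else (including anything the
# slave might try to send the master) is blocked.
ext_if = "em0"
master = "192.0.2.10"
set skip on lo
block all
pass in on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to $master port 53 keep state
```

Reload both named instances and run `pfctl -nf /etc/pf.conf` on the slave to syntax-check the rules before loading them; a zone change is then made only on the master's disk, followed by a serial bump, and the slave picks it up through NOTIFY and AXFR.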

