Re: IP Acounting Idea for 2.5

From: Henning P. Schmiedehausen (mailgate@mail.hometree.net)
Date: Fri Apr 20 2001 - 16:00:45 EST

Next message: lkern@mail.co.gilchrist.fl.us: "Kernel Panic Linux 2.4.3 RH7"
Previous message: Alan Cox: "Re: OK, let's try cleaning up another nit. Is anyone paying attention?"
In reply to: Harald Welte: "Re: IP Acounting Idea for 2.5"
Next in thread: Manfred Bartz: "Re: IP Acounting Idea for 2.5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Harald Welte <laforge@gnumonks.org> writes:

>On Tue, Apr 17, 2001 at 06:56:42AM +0000, Henning P. Schmiedehausen wrote:
>>
>> Resettable counters in a security sensitive environment are just a
>> call for trouble. That's why you can't reset the SNMP counters on any
>> Cisco device I've encountered today. They learned their lesson. Maybe
>> you will, too.

>Well, I'm not sure about which SNTP counters you are talking, but I suppose
>it is not about per-filtering-rule counters, but something like per-interface
>counters, etc.

You don't want your counters going backward. Full stop. If a program
can reset your counter, your application will never know, if it was a
legal, correct, valid reason or just a hacker trying to hide his
traces. At least provide some sort of lock-down.

>There's always a way for somebody with root access to reset the counters of
>a rule:

>just delete and re-insert the rule.

Bad thing. If you want to use the rules in a security sensitive
environment, don't allow removal. If you need to, reset the whole
module and notify the user. Better, shut down the filter and yell for
help.

ipfilter is about security, isn't it?

>If somebody wants to reset the counter, he can. If we remove the functionality
>from iptables, people still can - but it's more difficult.

There is no "more difficult", just "different ways". If you bother to
use a filtering environment where the filter counters tell e.g. "we
rejected xxx attacks", you don't want anyone to mess with these
counters. If this is a counter for a filtering rule, don't allow the
rule (and its counters) to be removed. Inactivate the rule but keep
the evidence (counter settings) around till module removal or reboot.

Sorry, I may be anal about security but as more and more people start
thinking "why should I bother with FW-1 or PIX when I can get a $99
Linux box and hack some filters", at least I want the $99 software
trying not to be sloppy about security.

Regards
Henning

-- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.de

Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: lkern@mail.co.gilchrist.fl.us: "Kernel Panic Linux 2.4.3 RH7"
Previous message: Alan Cox: "Re: OK, let's try cleaning up another nit. Is anyone paying attention?"
In reply to: Harald Welte: "Re: IP Acounting Idea for 2.5"
Next in thread: Manfred Bartz: "Re: IP Acounting Idea for 2.5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Apr 23 2001 - 21:00:38 EST