[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?

Gordan Bobic gordan at bobich.net
Thu Jul 5 19:35:34 BST 2012


On 07/05/2012 06:55 PM, freebirds at fastmail.fm wrote:
> Gordon Bobic, I assumed Fedora's preinstalled firewall sufficed.
> Subsequently, I hired a different computer security expert to write a
> script for IP tables, install tripwire and snort. Work is not completed.

As far as iptables is concerned, setting the input chain to allow 
ESTABLISHED,RELATED connections and setting the policy to DROP is a 
decent first pass. If something gets in via the network, then it didn't 
get in via the TCP/IP remote connection coming in.

It could be an OOB remote console access a-la DRAC/iLO, of course, since 
that won't ever touch the IP stack.

Tripwire is always a good idea, but if you are being that thoroughly 
hacked, then it won't help you since they'll probably have key logging 
in place that will capture your tripwire crypto passphrase.

Snort is also a reasonable idea, but it won't help you any more than 
dropping all inbound traffic. You could install a kernel module for 
TARPIT iptables support - that will make the machine appear to have ALL 
ports open, but the machine will drop the connection after sending back 
a SYN,ACK. This will frustrate attempts to scan the machine remotely.

But really, as a first pass, I would suggest that you need to put your 
machine behind a firewall. You could use something like WRT54G with 
OpenWRT (or a derivative thereof) configured to do at least the first 
basic firewalling pass for you and provide NAT-ing. I would expect that 
to help a lot provided your machine is clean to begin with.

Gordan
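The iptables "first pass" Gordan describes (INPUT policy DROP, allow ESTABLISHED,RELATED), written out as a script. This is an added example, not code from the thread; it assumes a host with iptables and the conntrack match, and the SSH rule is a hypothetical extra left commented out. Setting IPT=echo previews the commands without root.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal default-deny
# INPUT ruleset. IPT can be overridden (IPT=echo) to preview commands.
IPT="${IPT:-iptables}"

# Constructed "before" state for contrast: accept everything, no rules.
permissive_ruleset() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
}

# The "after" state from the advice above: flush, allow loopback,
# allow replies to connections this host started, drop junk, then
# make DROP the default so everything else is silently discarded.
hardened_ruleset() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Hypothetical: uncomment to keep remote SSH reachable.
    # $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # A TARPIT rule (xtables-addons) would sit here, before the policy
    # takes effect; it is omitted because it needs an extra module.
    $IPT -P INPUT DROP
}

# Print the hardened ruleset instead of applying it (no root needed).
preview_hardened() {
    ( IPT=echo; hardened_ruleset )
}

if [ "${1:-}" = "--apply" ]; then
    hardened_ruleset
else
    preview_hardened
fi
```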
