RFE: FireKit
Colin Walters
walters at verbum.org
Fri Jul 24 17:35:01 UTC 2009
2009/7/24 Björn Persson <bjorn at xn--rombobjrn-67a.se>:
> Colin Walters wrote:
>> If for
>> example I enable desktop sharing before leaving work, then head to the
>> airport, and log on there to WiFi, you really don't want the desktop
>> sharing still enabled. Nor likely do you want sshd.
>
> – Internal tech support, Randy Hacker speaking.
> – Hi Randy, Joe Salesman here. I'm at the airport. Something's wrong with my
> laptop. The screen just goes black when I try to start Open Office Impress. It
> worked fine yesterday. If I can't get it to work before I get to the customer's
> site I won't be able to show the presentation.
> – OK Joe, I'll SSH into your laptop and look at the logs. What's your current
> IP address?
In this case, when the firewall is re-enabled, it would be enabled to
whatever the system administrator has configured it to do. In other
words if they added an explicit passthrough for port 22, that would
continue to work.
> Joe might have file sharing enabled to share his documents with his colleagues
> in his own company, but just because Joe wants to let people see the
> presentation, that doesn't mean he wants anyone who might be connected to the
> customer's network to read all his documents.
Hmm? How would they be able to read all his documents?
> In one known attack against the concept of trusted networks, an attacker
> configures his laptop to present itself as a WiFi access point and broadcast a
> large number of strategically chosen SSIDs. Then he sits down in a public
> place and waits for unsuspecting laptops to recognize the SSID of their home
> network and connect automatically.
I believe NetworkManager's connection list is based on the pair of MAC
address + SSID, not just SSID.
Now yes, of course someone could discover the MAC and SSID of a
particular access point at a company, then when a mobile worker goes
to a coffee shop, fake being that network. But at this point we're
getting into very targeted attacks. And I would argue that accepting
this is a valid tradeoff versus the even more serious problem of
people who disable the firewall to get things to work and then never
re-enable it.
More information about the fedora-devel-list
mailing list