How to lock down the physical machine
-
Hello,
First off I would like to thank the developers and community for such an awesome product! Admittedly I am new to pfSense and advanced networking, so forgive me for my ignorance!
I have installed pfSense on an older box with an AMD Athlon Processor LE-1620, 1 GB DDR2 RAM, 2 PCI D-Link cards, one on-board Giga PHY Realtek RTL8211CL (not recognized) and a 180GB SATA drive.
I am going to deploy this in our office here in the Philippines and I have had some bad luck with malicious activity by employees who have done everything from resetting CMOS to get around passwords, to booting USB drives/CDs to gain access to the admin account. I need to lock down the admin console on the physical machine so that no one can gain access to the firewall. Is there some way to make the machine boot completely and not allow access to items like the shell or other configuration areas? I will run this without a keyboard or monitor attached but would like the option of adding one when needed to configure the system or make changes. I do not want someone to be able to plug one in and have access to the system without at least making it difficult.
I also do not have a COM port, so that option is out too.
Thank you,
Kevin
-
I suspect people who reset the BIOS CMOS would be unlikely to find it a big challenge to provide a keyboard and monitor.
I suggest you lock the box in a cabinet or cupboard or room and limit who gets a key. Perhaps a webcam to monitor the computer might also be useful.
-
System: Advanced: Admin Access:
Set 'Password protect the console menu'.
If someone is going to the trouble of clearing the CMOS then they could just unplug the pfSense box and insert their own router. Physically securing the machine is your only option, as Wallabybob suggested.
Steve
-
Lock the console as Steve suggested. Though that can be gotten around if people are that malicious, which it seems like they are from the sounds of it. That one comes down to the old "there are no technological solutions for people problems." You're putting controls in place in your company for a reason, and people who willingly violate those policies should have consequences for doing so (up to and including termination of employment), just like there are consequences for violating any company policy in any area. Or there should be; not sure how things are in the Philippines, but here in the US circumventing company security procedures will get you fired rather quickly from most places.
-
I did find what I was looking for… Under System > Advanced > Admin Access, at the bottom of the page, I checked the "Password protect the console menu" box and saved it. This corrected the issue: it allows a full boot but requires the log-in credentials to get into the system and change anything.
Regarding everyone's comments about the state of affairs here... It is nice to know that I am not crazy; I think that the comments are correct.
So... I guess we are not in Kansas anymore, Toto! I would think that termination is a must but... things are done differently here. I would get into it but it would be way off topic. I have done everything that I can; at this point it is on Management's shoulders. As my Dad told me when I was young, "Locks only keep honest people honest." He also told me to lock it up, and that is what I have done!
Thank you again for taking your time to answer my question. Thanks even more for showing me that I was not dreaming in regards to how things should be handled!
-
…As my Dad told me when I was young, "Locks only keep honest people honest." He also told me to lock it up, and that is what I have done! ...
They also let you know when it's been tampered with. In such a situation, the simple seals that let you know it's been tampered with might also be of use if they're able to get past the lock but then put the lock back (picked, then re-locked). Are alarms no good?
Of course, I'm just helping you go off topic further.
-
Hello Mat… I am drilling two holes through the case tomorrow on all public computers and putting huge Master Locks in so that they will at least have to cut them! I would think that it is just easier to do your job, but then this may be more challenging for the employees. I hope that this new firewall/router with giant Master Locks gives them all something to do. ;D If that does not work then it is up to the Management to figure it out.
-
I just got a visual of what our office is going to look like… it is going to be an asinine sight for sure, but it will probably make me laugh harder than I have ever laughed before in my entire life. ;D
-
Put the system in a welded "catwalk cage" alongside a ZoneMinder monitor with a simple USB cam capable of SMS/email notifications. Epoxy ports in place and metal-shield cables. Weld/glue/lock the case shut. Wire in a high-capacity CMOS battery. Back the entire thing up with a 4000VA UPS with attached USB notification inside the cage.
Or, just hire someone with a larger pay grade and hand them a Remington 870 and a box of ammo. Cheap and effective.