[syslinux] PXE and Security Issues

Ryan McLean ryanm at accelrys.com
Wed May 23 02:25:54 PDT 2007


On 5/23/07, Plaul, Markus <Markus.Plaul at vng.de> wrote:
>> Hi guys,
>>
>> I'm about to write a project about PXE: how it works etc., but I'm stuck at
>> the security thing. Well, PXE has this menu password feature using SHA-1,
>> but since SHA-1 is hacked, I can't stick with it saying SHA-1 is safe
>> etc. What else could I add when it comes to network boot, PXE and
>> security besides BIS? I would really appreciate some ideas or help. Thx
>> in advance

>SHA1 may be hacked, but you have to ask yourself just how important
>this is.  Are you expecting outside hackers getting into your LAN
>(perhaps with wireless?)  If so, some things such as access controls
>and network encryption are a must anyway for your own safety
>(encryption is a must, but my favorite option is the access control
>list where you can set it such that only certain MAC addresses are
>ever allowed to connect.  Most wireless routers have this option, but
>I should add here that PXELinux also has the ability to do this to
>some extent as well.)  If not, I have to wonder how many legitimate
>users are going to be employing SHA1 encryption breaker tools just to
>get past your password.  In a more normal work environment, most users
>simply balk at the sight of a password, try a few basics, and give up
>if they fail rather than employing password hacking methods.  Are you
>providing some sort of direct access to something highly sensitive?
>If so, it may be more advisable to limit that access further than just
>by password.

I think what is relevant is that SHA-1 is "secure enough"; at the end of 
the day the password is stored in plain text in the configuration file.

The point of encryption is not so much to prevent things from being 
decrypted as much as it is to delay it until the information is useless.
For example, if you change your password every 6 months and have a decent 
IT password policy then this a) makes decrypting the password harder (in 
the case of brute force and guessing) and b) limits damage as the password 
is changed frequently.

Although Nazo mentions filtering by MAC address as added security, this is 
even less secure than using a password, as most routers and a good few NICs 
allow their MAC addresses to be changed (this mainly came about due to ISPs 
locking the connection to their own hardware's MAC, which could be 
expensive to change). Yes, using both together is more secure but still far 
from totally secure.

If you use (Windows) RIS instead of TFTP you can have an additional layer 
of security, as the RIS server will only serve people who can log on via 
Active Directory. There is a tutorial in the wiki on how to do this.

>If all else fails, there's safety in obscurity.  Make people manually
>type out the full command line to get to whatever you wish to password
>protect.  If it's complex enough, chances are that only those who know
>exactly what to type can get in...

Sorry, but bullshit! There is no such thing as security through obscurity, 
and anyone who says there is, is talking absolute tripe!

Regards,


Ryan McLean

