I have several pen drives/memory cards with a lock switch (write protect) on them: Sandisk Mini Cruzer and several MMC/SD Flash Memory cards.
A CDRW is not vulnerable if there is no access to the tools to write on said CD and if the session is finalized. I use CDRW disks for writing ISOs of various LiveCD distros that I keep up with. When you write an ISO image to the disk, the session is normally closed. That means you can't write anything else to the disk until you erase it and rewrite it. I believe Puppy Linux and one or two others have a method of leaving the session open, to enable live config changes.
IPCop runs from HDD, with appropriate permissions, default DENY rules, and only enough Linux to do the firewall and router thing, built from LFS; previously it was a stripped older RedHat. Devil Linux runs from a LiveCD, with configs backed up to floppy, I think. Freesco used to run from floppy only, but I think it is now installed to HDD. PublicIP, Linux wireless AP, runs from CD or HDD, and config can be on local floppy and some items retrieved from the PublicIP website account. M0n0wall is a *BSD that runs from floppy or CF card. I just bashed out the details that I knew off the top of my head.
You have to choose something that suits your comfort level. Any distro installed to HDD and exposed to the Internet needs to have a strong password. Block ssh to that box if you only want to change config while local to the box. Don't allow root to ssh, so you must ssh as a user and then su to root (two passwords required).
-----Original Message-----
From: Behalf Of Leo Mauler
Sent: Wednesday, March 01, 2006 6:17 AM
I was going over some of my old links (in backup CDs) and found this interesting link to creating 1.680MB floppy disks for use in floppy-based routers and gateways:
http://www.trevormarshall.com/byte_articles/byte19.htm
This made me think about the whole concept of the PC-based router/bridge. Floppy disks have the write-protect tab on them, making them easily switched (provided you have direct access to the PC) from write-protect to run the router, to flipping the write-protect tab for editing the router, and then flipping it back to write-protect once you are finished with the edit.
What can the modern PC-based router use to duplicate this nice combination of security and ease of editing? You can duplicate the security (and possibly make it better) with a write-once CD-R, but to make changes you have to write an entirely new CD. ReWritable CDs aren't a good idea precisely because they have no "write-protect tab". The same might go for a memory key, since there is no "write-protect tab" for a memory key.
<snip>