# Is a console via com0 a secure connection?



## Sidney Schaeffer (Jul 30, 2015)

I'm switching from FreeBSD to OpenBSD for my packet filter gateway box and am surprised that I can't view the full output of `systat` states or`tcpdump -ner /var/log/pflog` due to an inability to setup over 80 columns on my black screen display.  The solution is to use a null modem cable to a box running X11 and get a nice display, something I have wanted to do for years, but have shied away from for fear that I would open up a port of entry for a hacker.  My gatewayBox being the most secure, it just seemed safer to not ssh or connect in any other way than to do packet filtering.

Is the com0 connection unhackable, or do I now have to secure an X11 box?

Sidney Schaeffer, BSD home user


----------



## wblock@ (Jul 30, 2015)

How could a connection that requires a separate physical cable be less secure?


----------



## Sidney Schaeffer (Jul 30, 2015)

wblock@ said:


> How could a connection that requires a separate physical cable be less secure?


I am a network dummy, but I would presume it would be less secure to use the lan the gateway is serving. I get your point that the physical cable is for security.  Thanks for pointing that out.  However my concern is that I now have a second box with a connection to my gateway, and I do not want any, as I fear I might get backdoored by picking up some extraneous software via ftp on the x11 box and then someone could take control of my "separate physical cable " connection and disable my firewall on the gateway.  I need to know if that is possible, so that I can avoid the use of ftp, and any internet connection at all, on the X11 workstation that will serve to also display my firewall stats (if necessary).  I believe the answer is that anything is compromiseable if the attacker knows how to attack it.

I do understand that with a full knowledge of security this level of paranoia is not necessary, but for me it's easier to take the, ...if it isn't connected or running, it isn't providing a security hole, policy.  And then I just count on having to reload a clean install on my browser boxes regularly.  And that introduces another BSD question I have.  I have been using dd to copy partitions of operating systems for backup purposes.  Could I do a:
`dd if=/dev/wd0 of=foo` instead of `dd if=/dev/wd0[akdfghjie] of=foo` (each label being a separate dd command, I wouldn't dare try recursive dd, too dangerous for me) with OpenBSD's partitioning?  I'm guessing the answer is no, and yes I want to learn dump.  I don't use dump because I don't trust myself to catch a system compromise and so I feel safer with a clean partition install that can't rotate out of the back of a dump queue.  This is mostly for internet browser boxes.

Sidney


----------



## wblock@ (Jul 30, 2015)

The X11 computer would be used as a terminal to the firewall.  Normally, this would not be any different than a console login.  It would still require a password or SSH key to be able to log in.

If there are concerns with security on the X11 computer, the method it uses to connect to the firewall are secondary, and the concerns should be addressed first.

As far as the `dd` question, it seems unrelated.  Please start a new thread for that.


----------



## Sidney Schaeffer (Jul 30, 2015)

Thank you, for the help, and please mark this thread solved.  -sid


----------



## phoenix (Jul 30, 2015)

This would only be a security issue if the X11 box also has a network connection.  If it's on the network, then it can be reached remotely, and it's another point-of-entry that needs to be secured.

However, if the X11 box is completely standalone, no network connections of any kind, with only the null-modem cable connecting it directly to the gateway box, then you only need to worry about physical security.  Meaning, the only way it can be used to hack the gateway is if someone is physically sitting at the keyboard of the X11 box.

Make sense?


----------

