Comment Re:Same As Always (Score 1) 219
stay away from the anal types
You are looking for sysadmins aren't you?
It's still an omission. If you use PXE for remote administration (instead of using it for completely diskless operation), then there is local data which can be compromised by a hostile PXE payload. How hard would it have been to verify a cryptographic signature against a public key stored in the BIOS configuration?
Yes, it was missed in PXE; however, based on the context of when PXE was developed, I doubt we thought we needed it. The point of gPXE is that PXE hasn't been developed in line with changes in the computing arenas and that these omissions needed addressing.
I've checked further, and even though there is a level of authentication built into the command line, it doesn't yet have enough development to support 802.1X in gPXE; however, WEP, WPA and WPA2 are now supported, so the remote boot from wireless can be undertaken securely. The things you mention are not exactly the point of the protocols like WPA2 and the encryption associated with them in the wireless realm, and with 802.1X in both realms, which enable authentication to the network. They won't stop a faked PXE image from a poisoned ARP or a MIM attack on the HTTP server or TFTP server, but they are about securing your network so that a hacker's device finds it a lot more difficult to get on and do those things you mention. The fact they are developing gPXE into something far more capable, with support for HTTP, iSCSI, wireless (encrypted) and others, deserves a good round of support for trying to move things forward, though it's probably not where it should be yet...
Eureka! -- Archimedes