Re: "Rubbish" idea on security

From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 10/10/01


Date: Wed, 10 Oct 2001 21:17:12 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: xskoba1@kremilek.gyrec.cz


xskoba1@kremilek.gyrec.cz(xskoba1@kremilek.gyrec.cz)@2001.10.10 08:38:21 +0000:
>
> Has anyone ever thought about physicial stealing of server?

yes ;-)

>
> I know I sound like pretty paranoid, but my question is. Is there
> any way to crypt all harddrive in the way, no one from outside will see
> anything from it. I mean, for example, that rebooting of server is going
> to be dependandt on connection from somewhere, that connection send a key,
> which is all the time only in memory and if someone decide to steal the
> harddrive, he has nothing unless he has a key.

for a somewhat larger client's installation we ordered a safe containing
rackmounts, ups and air conditioning. those boxes are quite expensive
(and quite big), heavy to lift (trust me, noone's ever gonna carry such
a thing out of the building) and they provide the physical security
level demanded by the german bank and insurance industry. hard drives
cannot be removed when the safe is closed, so you just got to think
about a good network/os security solution.

> And the second thing is concerning config or any files which are
> necessary to change to compromise server. The idea is the same, the
> changes
> are (probably by kernel) written into some temprorary area and only when
> private key is provided, changes are written on the right place.

we put /, /usr, /opt (custom binaries) on a write-disabled scsi
harddisk raid mirror, the remaining filesystems went onto a standard
raid5 scsi-scsi bridge solution. software upgrades are being deployed
onto new disks on the same hardware in a lab and then transported to the
site for being actively deployed (swapped agains the original boot
volume disk set).

>
> sorry if everything I told is too dificult or too stupid to be
> created.

not at all. there are just not that many customers demanding that degree
of security.

/k

-- 
> Only two things are infinite, the universe and human stupidity, and I'm
> not sure about the former. --Albert Einstein 
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Relevant Pages

  • security-basics Digest of: get.123_145
    ... VPN to ASP a security risk? ... Re: Multiple IPSec tunnels? ... Subject: Security NT Server ... VPN to ASP a security risk? ...
    (Security-Basics)
  • Re: << SBS News of the week - Sept 26 >>
    ... > And he points to the info you need to put the file on the server in the ... > at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... An attacker can exploit these flaws in tandem via specially ...
    (microsoft.public.windows.server.sbs)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: << SBS News of the week - Sept 26 >>
    ... > And he points to the info you need to put the file on the server in the ... > at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... An attacker can exploit these flaws in tandem via specially ...
    (microsoft.public.backoffice.smallbiz2000)