Re: [9fans] a few Q's regarding cpu/auth server

On Thu, Aug 6, 2009 at 4:28 PM, Corey<corey@xxxxxxxxxxxxx> wrote:
On Thursday 06 August 2009 01:19:35 Robert Raschke wrote:
On Thu, Aug 6, 2009 at 8:52 AM, Corey <corey@xxxxxxxxxxxxx> wrote:
<snip>
That wasn't a rhetorical question.  Why bother locking your door?

Any intruder worth his weight in salt can circumvent such a simple
security mechanism with ease.

Why lock your door, when you're living in a gated community?


A few possible answers:

Because I'm convinced that multiple redundant layers of security is
most effective.

Because I _don't_ live in a gated community.

Because anyone can hop a fence, the silly pathetic lock (password) on
my front door (auth server) is my last line of defense; and it will be
immediately and clearly obvious that someone broke in because... well..
they _broke_ in (turned off and dismantled the server)... they didn't
just walk in without further ado (began issuing commands as hostowner
on the open terminal) and leave without immediate and clear evidence
(no broken/missing case, no powered off server and missing drives, etc)


Your cpu/auth/filesystem machines can be somewhere safe, with as much
physical safety as you need (physical barriers are much easier to set up
and administer that electronic ones). If all is set up properly, you will
never have to touch those machines again. Unless the machines break and
you need to look at the hardware.


Meanwhile, here on terra firma, I would like to be able to have my
Plan 9 servers sitting on a rack in a common affordable co-lo somewhere.


I think the actual root of the situation, is simply that Plan 9 currently
tends to reside within domains with much more strict and secure
or trustworthy environments vs. being prevalent within the sphere of
the great unwashed masses of the industry where strong physical
security is either unobtainable, unaffordable, and/or unreliable at best.

_Within_such_environments_, simple passwords remain an effective and
proven means of _deterrent_ from the most common, random, unforeseen
encounters that may occur on a near every day situation.


The phone guys have to enter the server room - you trust them with bootes?

Various contractors have to enter the server room - you trust them with
bootes?

The sysadmin forgets to lock the door to the server room before heading
out for lunch - you trust all your visitors, customers, affiliates and
employees with a terminal sitting at a bootes prompt?

The hosting provider has all number of people walking in and out of the
server room constantly, every day - you trust each and every one of these
random unknown people with a bootes prompt to your co-lo'd cpu server?

Now here's the important part -- in each of these cases (those are just a few,
it doesn't take much of an imagination - or much actual experience - to come
up with countless more), the _real_ concern is _not_ over that rare motivated,
focused, risk-taking bad guy with a plan who's come prepared with a
screwdriver and usb rootkit and assorted bootdisks... the concern is all the
ad-hoc opportunistic, curious and/or malicious passer-by's, armed with
nothing more than their fingers, who just might take up the chance to goof
around with that open terminal connected to the server.

I have a much higher level of trust that X person won't walk off with or
dismantle a server vs. the level of trust I have that X person won't execute
commands on an open terminal. It's really quite simple.

If your servers aren't under you direct control, and they're not guaranteed
continually locked behind a bio-metrically secured room under constant video
surveillance - then you don't have physical security.

If you don't operate within a contained, peer-based trusted environment (lab,
research center, spec. dept., etc), then you don't have physical security..

Most of the industry at large... does _not_ have trusted physical security.

And if you don't have trusted physical security, then an open terminal is
beyond the pale of recklessness.

Passwords make an excellent form of _additional_deterrent_ under the sort
of lowest common denominator environment that tends to comprise the
industry at large. (from AnyTec, to Bob's coffee house, to Standford & Son's
automotive repair, to The Law Offices Of Larry H. Parker, to Data Entry Inc.)

I honestly can't believe that this is even up for debate!  <grin>

It's just bizarre.


Oh, if we're just protecting against people wandering by who are
obviously there by mistake--since we're discounting anyone coming
prepared for serious maliciousness--how about just not having a
terminal connected to your file server? My cpu/auth/file servers don't
have anything connected except an ethernet cable and a remote serial
console. Oh, sure, there's a crash cart over in the corner that you
could drag over and plug in, but you've decided that we're only
talking about opportunists who see a prompt and decide to type some
stuff, so it's not a problem.

The whole friggin' point of a colo is that you trust the people
running it--also, that they don't leave terminals connected to every
single one of their hundreds of customer machines. It's a locked room
in a corporate building... this ain't your little brother banging on
keys (a far more realistic reason for password-protecting a cpu
server, if you're going to be dumb enough to leave the head attached).

I have a Plan 9 server sitting in a lab at my university. Over the
last 2+ years, it has been in the same place, powered on, connected to
a keyboard, mouse, and monitor. The only deterrent to unauthorized
users has been that I keep the monitor off, and in those 2 years I
have not found a single sign that anyone has so much as touched the
keyboard, much less done "rm -r /" or whatever it is you're afraid of.
I'm afraid you'll have to forgive me if I find the probability of
someone improperly accessing your headless colo'd box rather low.

I invite you, though, to create some form of logging protection system
for the box. Put the box in a colo, and then in 3 years send us your
logs. I guess we'll see how many people tried to get into your cpu
server.


John
--
"Object-oriented design is the roman numerals of computing" -- Rob Pike

.

Relevant Pages

  • Re: Assigning Security through W2k3 to W2k Trusted Domains
    ... I had to remove and reload DNS zone for DomainB on DNS server in DomainA. ... Once I did the remove and reload, I validated the trust again and now I ... assign NTFS security on all machines, ... windows 2003 servers and the one DC that is Windows2000 in DomainA. ...
    (microsoft.public.security)
  • Re: Assigning Security through W2k3 to W2k Trusted Domains
    ... control the NTLM SSPI minimum security levels - so that could ... On the file server running windows 2000 in DomainA I do the ... windows 2003 servers and the one DC that is Windows2000 in DomainA. ... validated the trust for a third time. ...
    (microsoft.public.security)
  • Re: (Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question
    ... However I am still unsure how an ASP.NET application, running in Full Trust, ... Each client of the server (say, each department of a company, or each ... Each website is placed into its own custom application pool ... Subject: RE: Apache VS IIS Security ...
    (Pen-Test)
  • Re: [9fans] a few Qs regarding cpu/auth server
    ... Because I'm convinced that multiple redundant layers of security is ... (no broken/missing case, no powered off server and missing drives, etc) ... The phone guys have to enter the server room - you trust them with bootes? ... surveillance - then you don't have physical security. ...
    (comp.os.plan9)
  • [Full-Disclosure] Re: (Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question
    ... However I am still unsure how an ASP.NET application, running in Full Trust, ... Each client of the server (say, each department of a company, or each ... Each website is placed into its own custom application pool ... Subject: RE: Apache VS IIS Security ...
    (Full-Disclosure)
Loading