Re: [9fans] a few Q's regarding cpu/auth server

[John Floren <slawmaster@gmail.com>]

On Thu, Aug 6, 2009 at 4:28 PM, Corey<corey@bitworthy.net> wrote:
> On Thursday 06 August 2009 01:19:35 Robert Raschke wrote:
>> On Thu, Aug 6, 2009 at 8:52 AM, Corey <corey@bitworthy.net> wrote:
> <snip>
>> > That wasn't a rhetorical question.  Why bother locking your door?
>> >
>> > Any intruder worth his weight in salt can circumvent such a simple
>> > security mechanism with ease.
>>
>> Why lock your door, when you're living in a gated community?
>>
>
> A few possible answers:
>
> Because I'm convinced that multiple redundant layers of security is
> most effective.
>
> Because I _don't_ live in a gated community.
>
> Because anyone can hop a fence, the silly pathetic lock (password) on
> my front door (auth server) is my last line of defense; and it will be
> immediately and clearly obvious that someone broke in because... well..
> they _broke_ in (turned off and dismantled the server)... they didn't
> just walk in without further ado (began issuing commands as hostowner
> on the open terminal) and leave without immediate and clear evidence
> (no broken/missing case, no powered off server and missing drives, etc)
>
>
>> Your cpu/auth/filesystem machines can be somewhere safe, with as much
>> physical safety as you need (physical barriers are much easier to set up
>> and administer that electronic ones). If all is set up properly, you will
>> never have to touch those machines again. Unless the machines break and
>> you need to look at the hardware.
>>
>
> Meanwhile, here on terra firma, I would like to be able to have my
> Plan 9 servers sitting on a rack in a common affordable co-lo somewhere.
>
>
> I think the actual root of the situation, is simply that Plan 9 currently
> tends to reside within domains with much more strict and secure
> or trustworthy environments vs. being prevalent within the sphere of
> the great unwashed masses of the industry where strong physical
> security is either unobtainable, unaffordable, and/or unreliable at best.
>
> _Within_such_environments_, simple passwords remain an effective and
> proven means of _deterrent_ from the most common, random, unforeseen
> encounters that may occur on a near every day situation.
>
>
> The phone guys have to enter the server room - you trust them with bootes?
>
> Various contractors have to enter the server room - you trust them with
> bootes?
>
> The sysadmin forgets to lock the door to the server room before heading
> out for lunch - you trust all your visitors, customers, affiliates and
> employees with a terminal sitting at a bootes prompt?
>
> The hosting provider has all number of people walking in and out of the
> server room constantly, every day - you trust each and every one of these
> random unknown people with a bootes prompt to your co-lo'd cpu server?
>
> Now here's the important part -- in each of these cases (those are just a few,
> it doesn't take much of an imagination - or much actual experience - to come
> up with countless more), the _real_ concern is _not_ over that rare motivated,
> focused, risk-taking bad guy with a plan who's come prepared with a
> screwdriver and usb rootkit and assorted bootdisks... the concern is all the
> ad-hoc opportunistic, curious and/or malicious passer-by's, armed with
> nothing more than their fingers, who just might take up the chance to goof
> around with that open terminal connected to the server.
>
> I have a much higher level of trust that X person won't walk off with or
> dismantle a server vs. the level of trust I have that X person won't execute
> commands on an open terminal. It's really quite simple.
>
> If your servers aren't under you direct control, and they're not guaranteed
> continually locked behind a bio-metrically secured room under constant video
> surveillance - then you don't have physical security.
>
> If you don't operate within a contained, peer-based trusted environment (lab,
> research center, spec. dept., etc), then you don't have physical security.
>
> Most of the industry at large... does _not_ have trusted physical security.
>
> And if you don't have trusted physical security, then an open terminal is
> beyond the pale of recklessness.
>
> Passwords make an excellent form of _additional_deterrent_ under the sort
> of lowest common denominator environment that tends to comprise the
> industry at large. (from AnyTec, to Bob's coffee house, to Standford & Son's
> automotive repair, to The Law Offices Of Larry H. Parker, to Data Entry Inc.)
>
> I honestly can't believe that this is even up for debate!  <grin>
>
> It's just bizarre.
>

Oh, if we're just protecting against people wandering by who are
obviously there by mistake--since we're discounting anyone coming
prepared for serious maliciousness--how about just not having a
terminal connected to your file server? My cpu/auth/file servers don't
have anything connected except an ethernet cable and a remote serial
console. Oh, sure, there's a crash cart over in the corner that you
could drag over and plug in, but you've decided that we're only
talking about opportunists who see a prompt and decide to type some
stuff, so it's not a problem.

The whole friggin' point of a colo is that you trust the people
running it--also, that they don't leave terminals connected to every
single one of their hundreds of customer machines. It's a locked room
in a corporate building... this ain't your little brother banging on
keys (a far more realistic reason for password-protecting a cpu
server, if you're going to be dumb enough to leave the head attached).

I have a Plan 9 server sitting in a lab at my university. Over the
last 2+ years, it has been in the same place, powered on, connected to
a keyboard, mouse, and monitor. The only deterrent to unauthorized
users has been that I keep the monitor off, and in those 2 years I
have not found a single sign that anyone has so much as touched the
keyboard, much less done "rm -r /" or whatever it is you're afraid of.
I'm afraid you'll have to forgive me if I find the probability of
someone improperly accessing your headless colo'd box rather low.

I invite you, though, to create some form of logging protection system
for the box. Put the box in a colo, and then in 3 years send us your
logs. I guess we'll see how many people tried to get into your cpu
server.


John
-- 
"Object-oriented design is the roman numerals of computing" -- Rob Pike