[Linux-cluster] Re: Using GFS without a network?
Lon Hohberger
lhh at redhat.com
Wed Sep 7 15:48:46 UTC 2005
On Wed, 2005-09-07 at 11:24 +0200, Axel Thimm wrote:
> There is no way to "prove" what you want. Just go for second best to
> the ideal theorem. You probably don't want GFS, but a hardened NFS
> connection to the storage allocated within the secure network only.
I'd do shared raw.
If we know the computer on the secure network *never* writes to the disk
and it has no possible way to establish a network connection to the
outside world (via any means) then we only have to worry about the
attacker somehow corrupting data to crash the application on the secure
server.
Make sure your reader application has a reliable way to verify the
integrity of the data (possibly using some form of encryption like gpg)
and you're golden.
So, the would-be attacker would have to do the following to get data off
the secure network:
(a) Break in to world-facing server
(b) Create data which will cause a malfunction in to the secret
application on the secure server (without having access to said
application; this is based on an outside job, not an inside job),
(c) encrypt or sign the data so that the secure server trusts it, and
(d) write the data out to the right offset on the raw device...
In the "overflow code", the attacker would have to know where the data
is stored, retrieve it, and write it out to the shared SCSI disk.
Note that the above becomes much more difficult if you change the SCSI
block device driver on the secure server to completely disable
writes. ;)
It also becomes more difficult if the secret application is audited for
security flaws before being put into production.
Just random ideas... *shrug*
-- Lon
More information about the Linux-cluster
mailing list