[kwlug disc.] Protecting confidential data on a server
Chris Frey
cdfrey at foursquare.net
Fri Aug 29 00:38:13 EDT 2008
On Thu, Aug 28, 2008 at 07:18:57PM -0700, Paul Nijjar wrote:
> I could live with a solution like the following:
>
> 0. One of our internal servers serves as an "authentication server".
> (Using some technology I am not aware of now, but might be RADIUS?)
>
> 1. The Linux box which has the confidential data asks the
> authentication server for permission to mount the confidential
> partition. Both of these can see each other by virtue of being on our
> intranet.
>
> 2. If the lightning storm knocks out both the authentication server
> and the Linux box, then maybe I am hosed and have to recover manually.
> Otherwise, the Linux server can come up on its own.
>
> 3. If the Linux server is stolen, it can't reach the
> authentication server and refuses to mount the encrypted partition.
>
> 4. If I feel like something is fishy, I can go onto the authentication
> server and tell it to refuse authentication to the Linux box.
This sounds like a lot of work to implement securely.
Is it out of the question to buy a stronger UPS so the system just doesn't
reboot as often? It sounds like a server worthy of quality hardware.
Some security issues to overcome:
1) The thief might steal the authentication server too. Will
the authentication server need a password when it boots?
2) Any authentication request should avoid valid internet addresses
like the plague... you don't want it to authenticate over
the internet from the thief's basement. The authentication
server should only listen locally.
3) How will the authentication server say 'yes'?
A) Will it do something like ssh-agent?
B) Maybe use SSL to avoid replay or man-in-the-middle attacks.
4) Once they are set up, you probably want both the authentication
server and the confidential server to email you notices
whenever:
A) Permission is requested and granted
B) A reboot occurs
C) Email you the network data it has when it comes up,
so that you can verify at your leisure that
the network it is running on is your network,
or possibly phone home from the thief's network.
D) Email you a "still up and on 192.168.1.59" status
message everyday, so you know it's still there.
When the servers take care of authentication by
themselves, no news is not good news.
- Chris
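The boot-time exchange the two of them are sketching (confidential server asks, authentication server answers, admin can revoke, and the box reports what network it woke up on), as an added example that is not code from the thread or from any project mentioned in it. Both sides run in-process with the transport simulated by a direct call; the shared secret, host names and addresses are made up. It uses a nonce-bound HMAC so a captured answer cannot be replayed at a later boot, and assumes a real deployment would additionally wrap the exchange in TLS, as Chris suggests, so the released key is not readable in transit:

```python
"""Constructed example: unlock check between an 'authentication server'
and a server holding an encrypted partition.  Not from the original thread."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Dict, List, Optional, Set

# Assumption: both machines were provisioned with this secret out of band.
SHARED_SECRET = b"provisioned-out-of-band-secret"


def is_intranet_peer(addr: str) -> bool:
    """Refuse any address that ipaddress does not class as private (RFC 1918
    and friends), so the unlock never happens across the public internet."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private and not ip.is_loopback and not ip.is_link_local


class AuthServer:
    """Holds the volume key and decides whether to release it."""

    def __init__(self, secret: bytes, volume_key: bytes) -> None:
        self.secret = secret
        self.volume_key = volume_key
        self.revoked: Set[str] = set()   # hosts the admin has told it to refuse
        self.log: List[str] = []         # stand-in for the e-mail notices

    def revoke(self, host: str) -> None:
        self.revoked.add(host)

    def respond(self, host: str, nonce: bytes) -> Dict[str, object]:
        if host in self.revoked:
            self.log.append(f"REFUSED unlock for {host}")
            return {"ok": False}
        # The MAC binds the key to this host and this nonce, so an answer
        # captured today is useless for a later boot.
        mac = hmac.new(self.secret, host.encode() + nonce + self.volume_key,
                       hashlib.sha256).digest()
        self.log.append(f"GRANTED unlock for {host}")
        return {"ok": True, "key": self.volume_key, "mac": mac}


def request_unlock(host: str, server_addr: str, secret: bytes,
                   send: Callable[[str, bytes], Dict[str, object]]) -> Optional[bytes]:
    """Client side: ask for the key, verify the answer, return it or None.
    `send(host, nonce)` is the transport; here it is AuthServer.respond."""
    if not is_intranet_peer(server_addr):
        return None                      # don't even ask from a foreign network
    nonce = secrets.token_bytes(16)
    reply = send(host, nonce)
    if not reply.get("ok"):
        return None
    key = reply["key"]
    expected = hmac.new(secret, host.encode() + nonce + key,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, reply["mac"]):
        return None                      # forged or replayed answer
    return key


def boot_notice(host: str, addrs: List[str], gateway: str, unlocked: bool) -> str:
    """Text of the 'I just came up' mail: enough to tell your own network
    from a thief's basement at a glance."""
    status = "mounted" if unlocked else "NOT mounted"
    return (f"{host} booted; confidential partition {status}\n"
            f"addresses: {', '.join(addrs)}\n"
            f"gateway: {gateway}")


if __name__ == "__main__":
    srv = AuthServer(SHARED_SECRET, secrets.token_bytes(32))
    key = request_unlock("fileserver", "192.168.1.10", SHARED_SECRET, srv.respond)
    print(boot_notice("fileserver", ["192.168.1.59"], "192.168.1.1", key is not None))
    srv.revoke("fileserver")             # "something is fishy"
    print(request_unlock("fileserver", "192.168.1.10", SHARED_SECRET, srv.respond))
    print("\n".join(srv.log))
```

The address check covers the "thief's basement" case only as far as the thief leaves the box on a public address; a thief who puts it on a 192.168.x.x network of his own still gets past it, which is why the boot notice carries the address and gateway for the admin to compare, and why a revoke on the authentication server is the real stop.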