[Tfug] Multiple distros for security?

Eric Gearhart eric at nixwizard.net
Sat Jan 24 21:23:11 MST 2009


On Sat, Jan 24, 2009 at 7:33 PM, David Cowell <davidwcowell at cox.net> wrote:
> In the situation of running parallel distros, however, even if one fails
> there is a breach. And, as Paul Lemmons wrote, "1/3 compromised is still
> compromised." We will assume this is a situation you wish to avoid.

Let us remember the situation introduced here though - preventing
"data leaking out" is not the goal here. High availability of a
critical piece of an ISP's infrastructure is the goal.

If all three DNS servers had been compromised the biggest concern is
not so much that DNS data is potentially leaked (although that
situation is not ideal of course), but more to the point if the
attacker does a 'rm -rf /' on all three servers then authoritative DNS
is down, for the entire ISP (!!).

If at least one were running a different flavor of Unix and didn't get
compromised, at least one of the DNS servers in question is up and
functional. If dns1.dakotacom.net does not respond on port 53, at
least dns2.dakotacom.net will respond, and caching DNS servers can
fail over to it.

--
Eric
http://nixwizard.net
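
An added example, not part of the message above: a monitoring check for the failure mode it describes, asking each authoritative server on port 53 for the zone's SOA record and reporting whether the zone is fully served, degraded, or down. The zone name `dakotacom.net` (taken from the two hostnames in the message) and all function names are assumptions; the demo at the bottom uses a constructed reply so it runs offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID, fine for a one-shot health probe

def build_query(name, qtype=6, txid=TXID):
    """Build a minimal DNS query: QTYPE 6 = SOA, class IN, recursion not requested."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def udp_send(server, payload, timeout=2.0):
    """Send one datagram to UDP port 53; return the reply, or None on any failure."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (server, 53))
            return s.recvfrom(512)[0]
    except OSError:  # covers timeouts, resolution errors, ICMP unreachable
        return None

def is_authoritative_answer(reply, txid=TXID):
    """True if the reply matches our ID, has QR and AA set, RCODE 0, and an answer."""
    if reply is None or len(reply) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return (rid == txid and bool(flags & 0x8000) and bool(flags & 0x0400)
            and (flags & 0x000F) == 0 and ancount >= 1)

def check_servers(zone, servers, send=udp_send):
    """Map each server to whether it answers authoritatively for the zone."""
    query = build_query(zone)
    return {srv: is_authoritative_answer(send(srv, query)) for srv in servers}

def zone_status(results):
    """'ok' if every server answers, 'degraded' if only some do, 'down' if none."""
    if all(results.values()):
        return "ok"
    return "degraded" if any(results.values()) else "down"

if __name__ == "__main__":
    # Constructed transport: dns1 is silent, dns2 returns a QR+AA reply with one answer.
    def fake_send(server, payload):
        if server == "dns1.dakotacom.net":
            return None
        return struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + payload[12:]
    res = check_servers("dakotacom.net", ["dns1.dakotacom.net", "dns2.dakotacom.net"], fake_send)
    print(res, zone_status(res))
```

Alerting on "degraded" rather than only on "down" surfaces the loss of a single server while the remaining one is still carrying the zone.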



