[Tfug] Multiple distros for security?
David Cowell
davidwcowell at cox.net
Sun Jan 25 15:44:38 MST 2009
> > In the situation of running parallel distros, however, even if one fails
> > there is a breach. And, as Paul Lemmons wrote, "1/3 compromised is still
> > compromised." We will assume this is a situation you wish to avoid.
>
> Let us remember the situation introduced here though - preventing
> "data leaking out" is not the goal here. High availability of a
> critical piece of an ISP's infrastructure is the goal.
>
> If all three DNS servers had been compromised the biggest concern is
> not so much that DNS data is potentially leaked (although that
> situation is not ideal of course), but more to the point if the
> attacker does a 'rm -rf /' on all three servers then authoritative DNS
> is down, for the entire ISP (!!).
>
> If at least one were running a different flavor of Unix and didn't get
> compromised, at least one of the DNS servers in question is up and
> functional. If dns1.dakotacom.net does not respond on port 53, at
> least dns2.dakotacom.net will respond, and caching DNS servers can
> fail over to it.
>
So, Eric, what you are saying is that, using my crude metaphor, we're
not trying to avoid a sickness, but rather we're trying to make sure
there's action when we want it. (We want an .or. of good stuff and we
are not concerned greatly about an .or. of other bad stuff.)

In my old 'hood, we referred to that as having a "brand in the fire".
This can work, but it is always more complicated. And there is
absolutely no guarantee that it will work in a given instance.

The safest approach is of course to make your backup server a very
differently designed fortress, like Windows Server. ("If the Marines
can't do it, maybe the Air Force can.") Otherwise, it's like trying to
avoid genetic diseases by marrying one first cousin rather than another.

Additionally, if dns1.dakotacom.net is not simply knocked out and deaf
and dumb, but rather crazed and inconsistent (an especially vicious
attack), there is an added load of determining which OS is working and
which is not, and whether things are simply somewhat spicy on one server
or truly off the board. Possibly solvable in the heat of things, but
still an extra distraction on a miserable day.

These problems are exacerbated by having two OSs to triage in the heat
of things.

So, in terms of theory, if you _must_ use a backup differentiated system
let it be extremely different. Simply changing the uniforms of the
defending troops and giving them different sidearms will probably not
make much of a difference.
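The triage problem raised above (telling a server that is merely down from one that is up but "crazed and inconsistent") is the kind of check a monitoring job can run continuously: ask every authoritative server the same question and compare the answers. The following is an added example written for this thread, not code from any list member or from the ISP discussed; it builds a raw A-record query with the Python standard library, parses the responses, and classifies each server as down, agreeing with the majority, or diverging. The hostnames and addresses are constructed placeholders, and `demo()` feeds the classifier a constructed response set so it runs offline; `query_server()` is what you would call against real servers.

```python
import random
import socket
import struct
from collections import Counter


def build_query(name, qtype=1):
    """Build a minimal DNS query (A record by default) with a random transaction id."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + ln


def parse_a_records(data, txid):
    """Extract the rcode and the set of IPv4 answers from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    if rcode != 0:
        return {"rcode": rcode, "addrs": set()}
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": 0, "addrs": addrs}


def query_server(server, name, timeout=2.0):
    """Query one server over UDP/53; None means no usable answer within the timeout."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(512)
            return parse_a_records(data, txid)
        except (OSError, ValueError):
            return None


def triage(results):
    """Classify servers: down (no answer), agree (majority answer), disagree (divergent)."""
    down = sorted(srv for srv, r in results.items() if r is None)
    answered = {srv: r for srv, r in results.items() if r is not None}
    if not answered:
        return {"down": down, "majority": None, "agree": [], "disagree": []}
    key = lambda r: (r["rcode"], tuple(sorted(r["addrs"])))
    majority_key, _ = Counter(key(r) for r in answered.values()).most_common(1)[0]
    agree = sorted(s for s, r in answered.items() if key(r) == majority_key)
    disagree = sorted(s for s, r in answered.items() if key(r) != majority_key)
    majority = {"rcode": majority_key[0], "addrs": set(majority_key[1])}
    return {"down": down, "majority": majority, "agree": agree, "disagree": disagree}


def _constructed_response(txid, addrs, rcode=0):
    """Constructed DNS response for www.example.net (demo data, not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addrs) if rcode == 0 else 0, 0, 0)
    question = b"\x03www\x07example\x03net\x00" + struct.pack(">HH", 1, 1)
    answers = b""
    if rcode == 0:
        for a in addrs:  # name is a pointer back to the question name at offset 12
            answers += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + answers


def demo():
    """Constructed results for four hypothetical authoritative servers: one silent,
    two agreeing, one handing out a different address (the 'inconsistent' case)."""
    txid = 0x1234
    results = {
        "dns1.example.net": None,
        "dns2.example.net": parse_a_records(_constructed_response(txid, ["192.0.2.10"]), txid),
        "dns3.example.net": parse_a_records(_constructed_response(txid, ["192.0.2.10"]), txid),
        "dns4.example.net": parse_a_records(_constructed_response(txid, ["198.51.100.7"]), txid),
    }
    return triage(results)


if __name__ == "__main__":
    print(demo())
```

Majority voting only works with three or more authoritative servers; with two, a disagreement tells you something is wrong but not which side, which is the extra triage load the post describes. In a live check, replace the constructed results with `{srv: query_server(srv, "www.example.net") for srv in servers}` and alert on any non-empty `down` or `disagree` list.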