[AusNOG] Data Retention Solution Security Measures
Ross Wheeler
ausnog at rossw.net
Mon Mar 6 12:30:01 EST 2017
On Mon, 6 Mar 2017, Mister Pink wrote:
> In terms of the above approach, it sounds a little over-engineered for me
> and only addresses a narrow use case, ie an attacker has already
> compromised your server, but is then unable to escalate his privilege
> enough to mount the drive as readable.
>> I see lots of options for securing the DR data, and defense in depth is
>> obviously all to the good. What I don't see is an option for disabling
>> reads on 1) the file systems, 2) the media. There is no operational or
>> otherwise justification for this data to be online - ever - until you get a
>> warrant. It should be possible e.g. in SELinux to disable read ioctls so
>> your data is encrypt, dump, and forget.
How some bloke in the bush chooses to do it is probably irrelevant to the
rest of the world anyway... but just for completeness...
My DR boxes periodically "wake up", apply an IP address to their
interface, bring the interface up, and then make outbound connections to
the production servers over ssh (from a trusted host, obviously).
The ssh session collects the required data for that server, compresses it,
encrypts it and then returns the data over the (already open) connection
to the DR host.
Once data is collected from all the hosts, the DR box downs the interface,
removes the IP address and goes back to sleep.
Combining solid firewalling, no listening services except sshd (which is
on an unusual port, filtered, and only permits login from trusted users
with exchanged keys), not being on a globally-routable address, and even
then only being "reachable" for a short period of time, I think reduces
the chances of unauthorised access to almost nothing. Then, since nothing
even gets TO the machine, or passes over any network, in anything other
than a solidly encrypted form - the chances of intercepting anything
useful are getting pretty close to zero. (I believe!)
R.
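One pull cycle in the shape Ross describes (interface up, outbound ssh, compress and encrypt on the production side, interface down), added here as an example and not his script. The interface, address, ssh port and key path, passphrase file, output directory and host names are placeholder assumptions, as is the presence of `ip`, `tar`, `gzip` and `openssl` on both ends; DRY_RUN=1 logs the interface changes and runs the "remote" command locally so the collection step can be exercised without a network.

```shell
#!/bin/sh
# Added example of one DR pull cycle as described in the post (not Ross's own script).
# Placeholders (assumptions): interface, address, ssh port/key, passphrase file, hosts.
set -eu

DR_IFACE="${DR_IFACE:-eth1}"
DR_ADDR="${DR_ADDR:-10.99.0.2/24}"              # private address, present only during the cycle
SSH_PORT="${SSH_PORT:-2222}"                    # production sshd on a non-default, filtered port
SSH_KEY="${SSH_KEY:-/root/.ssh/dr_collector}"   # exchanged key for the trusted collector user
PASS_FILE="${PASS_FILE:-/etc/dr/collect.pass}"  # passphrase file present on both ends
OUT_DIR="${OUT_DIR:-/var/dr}"
HOSTS="${HOSTS:-prod1 prod2}"
DRY_RUN="${DRY_RUN:-0}"   # 1: log interface changes, run the "remote" command locally

net_up() {
  if [ "$DRY_RUN" = 1 ]; then echo "dry-run: $DR_ADDR up on $DR_IFACE" >&2; return 0; fi
  ip addr add "$DR_ADDR" dev "$DR_IFACE"
  ip link set "$DR_IFACE" up
}

net_down() {
  if [ "$DRY_RUN" = 1 ]; then echo "dry-run: $DR_IFACE down, $DR_ADDR removed" >&2; return 0; fi
  ip link set "$DR_IFACE" down
  ip addr del "$DR_ADDR" dev "$DR_IFACE"
}

# Outbound connection from the DR box; the production host never initiates anything.
run_remote() {
  if [ "$DRY_RUN" = 1 ]; then sh -c "$2"; return; fi
  ssh -p "$SSH_PORT" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "dr@$1" "$2"
}

# Collect directory $2 from host $1: compressed and encrypted on the production side,
# so only ciphertext crosses the wire; prints the path of the file written on the DR box.
collect_host() {
  out="$OUT_DIR/$1-$(date +%Y%m%d%H%M%S).tar.gz.enc"
  run_remote "$1" "tar -C '$2' -cf - . | gzip -c | openssl enc -aes-256-cbc -pbkdf2 -salt -pass 'file:$PASS_FILE'" > "$out"
  printf '%s\n' "$out"
}

collect_cycle() {
  net_up
  trap net_down EXIT                 # interface comes down even if a host fails
  for h in $HOSTS; do collect_host "$h" /var/log/dr-export; done
}

if [ "${DR_COLLECT_NOW:-0}" = 1 ]; then collect_cycle; fi
```

Run as `DR_COLLECT_NOW=1 sh dr-collect.sh` from the DR box's wake-up timer; the encrypted archives in OUT_DIR are only ever decrypted by hand with the passphrase when a warrant arrives.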