On Thu, 2003-08-28 at 20:16, Peter Cordes wrote:

> Don't forget about security of the nodes themselves.  Someone who has root,

My biggest problem is the actual startup. The boot-up is done from boot ROMs off the network server. This solves a lot of security problems, but hijacking the data stream is still a problem. Security without physical security is no security at all. I'll have to find a way to get the boot ROMs to encrypt or in some way verify the data that they use to boot up. There is still the physical security issue (boot ROMs can be removed and read on another machine), but this already involves opening up the PC (there are sensors for that). If we can ensure physical security of the nodes we should be OK.

> Anyway, users on any machine have to trust root on every machine in the
> cluster.  This is especially true with oMFS, since root can write any file
> on remote machines  (NFS has a root_squash option to prevent this, BTW).
> Anyone with physical access to a machine, esp. in a closed office (where
> they can open up the box without being noticed) effectively has root.

Yep, agreed. So physical security has to be part of any security regime. I don't think users opening up a PC will be that much of a problem. I'm not even going to attempt this, but in reality, if you really need such a secure system where opening up is a problem, a scheme should be built so that when a PC is opened (with my scheme above) the ROM is automatically locked. When the PC is then closed, the ROM must be unlocked in some way by the technician or a network signal. This type of security does not exist at the moment, so we will probably need to rely on big guys with guns.



Signed by Jacobus Erasmus
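The "verify the data that the boot ROM uses to boot up" idea from the message above, as an added illustration that is not part of the thread or of any project discussed in it. It simulates a boot ROM that holds nothing secret, only a pinned SHA-256 digest of the expected boot image, buffers the whole network stream, and refuses to execute anything whose digest does not match. The image bytes, the chunking, and the `execute` stand-in are all constructed for the example. Because no secret lives in the ROM, reading the ROM on another machine reveals nothing useful; physically replacing the ROM (or its pinned digest) still defeats the check, which is exactly the physical-security point the thread makes.

```python
"""Simulated network-boot ROM that pins the digest of the image it will run.

Added example; not code from the mailing-list thread. Everything here is a
stand-in: the boot image is a constructed byte string, and "executing" it
just returns a string.
"""
import hashlib
import hmac

# Constructed sample boot image (not a real kernel). In practice the ROM
# would fetch this over the network from the boot server.
GOOD_IMAGE = b"\x7fELF" + b"example-cluster-node-kernel-v1" + bytes(range(64))

# Burned into the ROM at provisioning time. It is a public value: knowing
# it does not help an attacker forge an image, it only lets them check one.
PINNED_DIGEST = hashlib.sha256(GOOD_IMAGE).hexdigest()


class BootAborted(Exception):
    """Raised when the received image fails verification."""


def receive_image(stream_chunks):
    """Buffer the entire stream before verifying.

    Verifying chunk-by-chunk while already executing earlier chunks would let
    a tampered later chunk run before the mismatch is noticed; verification
    must cover exactly the bytes that will be executed, as one unit.
    """
    return b"".join(stream_chunks)


def verify_image(image, pinned_digest=PINNED_DIGEST):
    """Return True only if the image's SHA-256 matches the pinned digest.

    hmac.compare_digest avoids leaking, through timing, how many leading
    hex characters of a forged digest happened to match.
    """
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, pinned_digest)


def execute(image):
    """Stand-in for jumping into the verified image."""
    return f"booted {len(image)} bytes"


def boot(stream_chunks, pinned_digest=PINNED_DIGEST):
    """Full verify-then-execute sequence the ROM would follow."""
    image = receive_image(stream_chunks)
    if not verify_image(image, pinned_digest):
        raise BootAborted("boot image digest mismatch; refusing to execute")
    return execute(image)


def boot_outcome(stream_chunks, pinned_digest=PINNED_DIGEST):
    """Convenience wrapper returning 'ok' or 'aborted' instead of raising."""
    try:
        boot(stream_chunks, pinned_digest)
        return "ok"
    except BootAborted:
        return "aborted"


if __name__ == "__main__":
    # Legitimate stream, delivered in two chunks: chunking does not matter.
    print(boot([GOOD_IMAGE[:50], GOOD_IMAGE[50:]]))
    # Hijacked stream: one byte in the second chunk flipped in transit.
    tampered = GOOD_IMAGE[:50] + bytes([GOOD_IMAGE[50] ^ 0x01]) + GOOD_IMAGE[51:]
    print(boot_outcome([tampered]))
```

A pinned digest protects integrity against stream tampering but means every kernel update requires re-provisioning the ROM; pinning a public key and shipping a signature alongside the image gives the same integrity property while allowing updates, at the cost of the ROM having to carry signature-verification code.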