Solved how to protect the system?

The question is too general, but let me explain myself.

I got 6 FreeBSD servers, some of them are rackable and some are just PCs,
and I don't trust the physical access security at my work, and fear that one day some guy restarts a server, boots with a live USB
and gets the data on the server.
Until now I protect access to important files (PF config, DNS config too, etc.) with geli like this:

when a server restarts it loads a generic PF configuration and sends me an email, then I enter via ssh,
decrypt the geli volume and load all the configuration with one script.

This works, but it requires a fast response from me (I access ssh through my phone) and sometimes my boss suspects something
(my security policy is not approved by them), so I have to change this security model.


What do you recommend, guys?
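The reboot procedure described in the post (generic pf ruleset at boot, ssh in, attach the geli volume, load the real configuration), written out as a script. This is an added example, not code from the thread or from the original poster; the provider name ada1p2, the mountpoint /secure and the pf.conf path are assumed placeholders. It keeps the volume attached only for the seconds the ruleset is being read, and refuses to replace the generic ruleset if the real one fails a syntax check.

```sh
#!/bin/sh
# Added example, not code from the thread: attach the geli volume that holds the
# real configuration, load the pf ruleset from it, then detach again.
# PROVIDER, MOUNTPOINT and PF_CONF are assumed placeholders, not values from the post.

PROVIDER="${PROVIDER:-ada1p2}"                 # assumed encrypted partition
MOUNTPOINT="${MOUNTPOINT:-/secure}"            # assumed mountpoint for the decrypted volume
PF_CONF="${PF_CONF:-$MOUNTPOINT/etc/pf.conf}"  # assumed location of the real ruleset

# Path of the decrypted device node geli creates for a provider.
eli_device() {
    printf '/dev/%s.eli\n' "$1"
}

# Succeeds only if the provider is currently attached (listed by geli status).
eli_attached() {
    geli status "$1" >/dev/null 2>&1
}

# Attach, mount read-only, validate, load, then unmount and detach.
# Returns 0 on success; the running (generic) ruleset is untouched on any failure.
load_secure_config() {
    dev=$(eli_device "$PROVIDER")
    if ! eli_attached "$PROVIDER"; then
        # The passphrase prompt is answered interactively over the ssh session.
        geli attach "/dev/$PROVIDER" || return 1
    fi
    mount -o ro "$dev" "$MOUNTPOINT" || { geli detach "$PROVIDER"; return 1; }

    # pfctl -n parses without loading: a broken ruleset must not replace
    # the generic one that is keeping the box reachable over ssh.
    if pfctl -n -f "$PF_CONF"; then
        pfctl -f "$PF_CONF"
        rc=$?
    else
        echo "ruleset $PF_CONF failed syntax check; generic rules kept" >&2
        rc=1
    fi

    # Detach as soon as the file has been read, so the volume key is not
    # kept in the kernel for the rest of the uptime.
    umount "$MOUNTPOINT"
    geli detach "$PROVIDER"
    return $rc
}

# Only act on devices when invoked as "sh unlock.sh run"; sourcing the file
# for inspection or testing touches nothing.
if [ "${1:-}" = "run" ]; then
    load_secure_config
fi
```

Detaching right after the load narrows the window in which the volume key sits in kernel memory, but it does not change what the replies below point out: once the ruleset is loaded, root on the console can read it with pfctl -sr, and a running machine can have its memory dumped. This only protects the configuration files at rest against the power-off-and-boot-a-live-USB case the post describes.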
 
I don't trust the physical access security at my work
If physical access is a threat then you cannot do much, since anyone could dump the memory and thus get the keys. For that you will need to use some hardware encryption module that can directly talk to the CPU / memory (maybe something like the Intel trusted platform module, but I am not sure if it will be enough).
Also you will need to use UEFI Secure Boot with your own enrolled key.
 
Sadly, this is roughly the best you can do.

What are you worried about? A person physically getting control of the hardware. That's the worst kind of attack, because at this point the attacker can do pretty much anything, and the only thing that will save you is having only unintelligible (meaning: encrypted) data on the machine.

Example: The attacker can use a screwdriver, physically remove the disk, and take it home and examine it. This immediately implies that data at rest needs to be encrypted. But now where does the key come from? It cannot be physically stored on the machine, not even on a USB stick that you leave there. So it has to come from outside, from a trusted source. What does "trusted" mean? A source that is unlikely to give up the keys when the attackers arrive. That could be your person (except you are vulnerable to the gardenhose attack). It could be a server that is in a secure location. For example, in the original Kerberos system (installed at MIT), the Kerberos key servers were installed in special cages made out of steel and fencing, and this persists today: key servers have extra physical security.

But then there is the next problem: How do you know who is controlling the server? The moment the attacker can sit at the console and be root (for example by booting single-user and changing the root password), you no longer know *why* the server requested the key. If attackers can get access to the keyboard, screen and reset button, it's game over. Or if they can walk up to a console that was left logged in. By the way, if the machine is running, the disk is probably now decrypted, and they can read anything.

You could move to end-to-end encryption: The machine itself never decrypts data, but only serves it in encrypted form, and you move the problem of key management to the clients. Note that this only moves the problem elsewhere, but there it might be easier to solve, or it might just be no longer your problem.

In general, there is no protection against physical takeover of the machines, except for the use of force (violence, for example firearms). That tends to be highly impractical, except in certain environments. Yes, there are data centers where the guards on the edge all carry guns, and I have worked with computer clusters where every sys admin has an assault rifle on their shoulder, just in case.

There is also a policy question. These machines are probably owned by your employer, as is the data on them. Protecting the data against your employer is likely a violation of your employer's policies (if they find out, you may get fired), and might actually be a crime. Talk to your boss about this.
 
What are you worried about? A person physically getting control of the hardware. That's the worst kind of attack, because at this point the attacker can do pretty much anything, and the only thing that will save you is having only unintelligible (meaning: encrypted) data on the machine.
Not everyone wants to have the server at his home/office/company. How much can we trust providers offering servers? VPS, dedicated servers or whatever they call them? How must we deal with their products?

I think this is more a question of business ethics than of technique.
 
What do you recommend, guys?
Ask the boss or manager for a locked server room and request that only they and you get the key?

I can't understand why you'd ask us instead of directing this question where it belongs: at your work environment? Also: a generic PF environment? That doesn't sound healthy! I mean, if you want to be paranoid then the easiest way to "try" a server is to reset it ("oops, sorry, I pushed the wrong switch!") and immediately after run a scan of some sorts.

Sorry, but solely basing myself on your post I can see why your boss might not approve. I wouldn't either, to be perfectly honest with you. Putting more faith into random Internet strangers than the people whom this directly concerns? Errrr, that wouldn't fly with me very well. Not at all. Remember who's paying for all this and whose interests you're supposed to take care of.

Not everyone wants to have the server at his home/office/company. How much can we trust providers offering servers? VPS, dedicated servers or whatever they call them? How must we deal with their products?
Simple: SLA. You get what you pay for and can check the whole kaboodle up front. If there's something really sensitive leaking then you'd have all the options you'd need to charge them for violating their own SLA.

But then again, if things are really as dire as you're now claiming you wouldn't settle for a regular VPS in the first place but instead set up your own agreements. Sorry to say but IMO you're raising a non-issue here.
 
I don't trust the physical access security at my work, and fear that one day some guy restarts the server
I'd agree with what the others are saying - this is not your problem, and you are skating on thin ice with trying to control your employer's assets.

This is your employer's problem. Make your concerns known, in writing, but it's your employer's call as to what security measures they take.

If you feel that strongly that their approach is wrong - then this isn't the employer for you.

Appreciate you are trying to do the "right thing" but I don't think you are going about it the right way.
 
I got 6 FreeBSD servers
This is probably the crux of the problem. As others have already noted, they're not yours, they're owned by the company, i.e. your boss. You may feel like they are yours, because you've built them, and probably cared for them for a long time, but they are not yours. Honestly, many years ago I ended up with a severe burnout because of this same attitude. Let it go. Either follow the direction your boss is giving you or quit if you can't agree. Seriously. Don't let it eat you away from the inside out, it's not a happy place I can assure you.
 
Not everyone wants to have the server at his home/office/company. How much can we trust providers offering servers? VPS, dedicated servers or whatever they call them? How must we deal with their products?
The OP seems to have his servers at the office, some in racks, some under desks. That's an environment where it is theoretically possible to provide security, both physical and networking. In practice, doing so is very very hard. You have to guard against downtime events (like fire sprinklers going off by mistake), against boring theft (my wife's office was shut down once because thieves outside the building stole the copper wires that deliver power), against interesting theft (a colleague at work once had a rack-mount server stolen while it was running simulations for him ... embarrassingly the thief brought me the server, still warm, an hour later, thinking they had done me a favor by retrieving an old server from the data center, and by mistake picked the wrong rack), and targeted theft. About 20 years ago, I learned in a security class that the price of a laptop owned by a senior Silicon Valley engineer or director/VP on the black market is about 1/4 million $, because it is likely to contain data that can be sold (which is why today all laptops have encrypted disks, and most companies run completely data-less, where data never is stored in movable devices).

People who are serious about security do have armed guards at the edge of the building. I think the OP is fooling themselves if they think that a little bit of geli is going to make a significant difference against a targeted attacker.

Networking safety is even harder. The OP's servers are likely connected to the world-wide internet. And unless they have a highly professional networking staff, that is probably a giant open hole.

Now, how does this work when your servers are physically not at your plant (or home)? Actually, on average better than what people do at home. If for example you rent something (be it just CPU time, or a virtual server, or thousands of physical servers) from a place like AWS or competitors, you can be sure that "they" have thought about security. And when I say "they", I would bet that the security departments at places like Amazon/Google/Microsoft have thousands of people whose only day job is making sure that their customers' data is safe. One of the key ingredients is encryption of data at rest and in transit, usually with multiple layers (the customer's own, and the provider's on top, and on wires or disks another hardware layer).
 
Now, how does this work when your servers are physically not at your plant (or home)? Actually, on average better than what people do at home.
But in the end, trust is still necessary, also trust that agreements are complied with.

But then again, if things are really as dire as you're now claiming you wouldn't settle for a regular VPS in the first place but instead set up your own agreements. Sorry to say but IMO you're raising a non-issue here.

I do not understand what you are speaking about. I did not judge anything or anyone, I just
stated questions, questions that any prudent person could and should ask himself.
 
Sorry for the delay.

SirDice, you're right. Over the years (15) working in a governmental building, I started alone, starting with user support and from there the network, the infrastructure and all of it by myself, learning by trial and error of course.
The last change was learning FreeBSD and migrating all the Linux firewalls, proxies and network services (samba, web, etc.).
The 6 servers are located in different buildings, and I never stopped improving everything, without orders from my boss or anybody,
so I took it all personally, but like you say, it's not a good place to stay (in my mind), so.. yesterday I let it all go.
The only thing I can do is check the logs from time to time for a local intrusion, nothing more.

ShelLuser, the thing was that I am the only one who thinks about security, like you suggested, also biometric access points to
enter the datacenter, but "they" won't care, at least while everything is working fine, but now it is not my concern
(for my own health I follow SirDice's advice).


hruodr, yes, I started it as a technical question but in the end I realized that it is more an ethical question.
 
Good luck!

Sometimes you can end up so focussed on dealing with every low-level detail of something and you really need to zoom back out (more!) and see the "big picture". And figure out if what you are doing is right/healthy for all the parties concerned.

I can imagine it is stressful - knowing what needs to be done but being unable to do it - so it might be difficult to let go. You want to do what is right. Might take a bit of time & effort to re-flow your thinking - "not my problem".
 
Good luck!

Sometimes you can end up so focussed on dealing with every low-level detail of something and you really need to zoom back out (more!) and see the "big picture". And figure out if what you are doing is right/healthy for all the parties concerned.

I can imagine it is stressful - knowing what needs to be done but being unable to do it - so it might be difficult to let go. You want to do what is right. Might take a bit of time & effort to re-flow your thinking - "not my problem".

Exactly!! Thanks for your words and advice, there is no place like this forum :)
 