On Wed, 18 Jul 2012, Edward Ned Harvey wrote:
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, July 18, 2012 2:08 PM
You may want to point out to your security team that being able to share a
drive, but not having enough connectivity to run a cluster filesystem is
security theater,
hehehehe... How do you open that conversation, "Um, excuse me, security
guy, you should give me access to something you're blocking, because this is
just security theater..." ;-)
The only *actual* way to make that change is to go over somebody's head, and
by the time you get to the CIO, he's pissed off that you're wasting his
time...
I'm actually on both sides of this conversation on a regular basis.
"If you allow X, it doesn't do any good to block Y"
Sometimes the result is "we should stop doing X", sometimes it's "we
should stop preventing Y", and sometimes it's just slamming your head
against the wall :-/
It depends on the justification for doing X. If there is a good
justification for that, then the fact that it makes doing Y meaningless
should have been considered when the decision was made to do X. If not, a
good security person will welcome the discussion and try to balance the
benefit of allowing X vs. the risk of allowing Y.
Sometimes (far too frequently, according to some people I argue with :-)
the result is "yes, X is a hole, but we hope to fix it someday, and so we
don't want to unleash Y, as that will give us two things to change later
instead of just one". But if you get this answer, you need to be aware
that your permission to do X is one audit finding away from being blocked,
so you should probably start thinking of other ways to do it.
I know the fad nowadays is to have one huge SAN, but if you allow that SAN
to go across networks that you firewall off from each other, you really
need to think about it a bit more.
How confident are you that a bad guy on one box isn't going to be able to
feed commands to the SAN to gain access to a drive that you are using on
another box? If the bad guy can modify your filesystem, you are lost, as
they can change the binaries that run as privileged users to do anything
they want to, and they can bypass any restrictions on accessing sensitive
data.
Yes, some SAN equipment has the equivalent of primitive packet filtering
and ACLs controlling which box can access which device, but it's not that
well tested, and very few shops bother to set it up.
The example here, where the two machines can both access the same drive,
but can't talk to each other on the network is a perfect example of a big
gaping hole that doesn't make sense. Either both should be blocked, or you
should be able to open up the network as well.
David Lang
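The inconsistency David describes (two hosts that are firewalled apart on the network but share a LUN on the SAN) is something you can audit mechanically once you have two inventories: which host sits in which firewall zone, and which hosts each LUN is masked to. The following is an added example, not code from this thread or from any SAN vendor's tooling; the two comma-separated input formats, the host names, zone names and LUN ids are all constructed for illustration, and a real run would replace them with an export from the firewall inventory and from the array's masking/zoning configuration.

```python
"""Cross-check SAN LUN masking against network segmentation.

Added example (not from the mailing-list thread). It flags every LUN that is
visible to hosts in more than one firewall zone, i.e. a storage path that
quietly bypasses a network boundary, and every host that appears in the
masking table but is missing from the zone inventory.
"""
from collections import defaultdict

# Constructed sample inventory: "hostname,zone" per line. The format is an
# assumption for this example, not any particular firewall's export format.
FIREWALL_ZONES = """\
# host,zone
web01,dmz
web02,dmz
db01,internal
db02,internal
backup01,management
"""

# Constructed sample masking table: "lun_id,hostname" per line, one line per
# host that a LUN is presented to. Again an assumed format, not a vendor's.
LUN_MASKING = """\
# lun,host
LUN-0001,web01
LUN-0001,web02
LUN-0002,db01
LUN-0002,db02
LUN-0003,db01
LUN-0003,backup01
LUN-0004,web01
LUN-0004,db01
LUN-0005,oldhost
"""


def _records(text):
    """Yield (first, second) pairs from a two-column CSV-ish text, skipping
    blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, second = (part.strip() for part in line.split(",", 1))
        yield first, second


def parse_zones(text):
    """Map host -> firewall zone."""
    return {host: zone for host, zone in _records(text)}


def parse_masking(text):
    """Map LUN id -> set of hosts it is masked (presented) to."""
    luns = defaultdict(set)
    for lun, host in _records(text):
        luns[lun].add(host)
    return dict(luns)


def cross_zone_luns(luns, zones):
    """Return {lun: {zone: [hosts]}} for every LUN whose hosts span more than
    one firewall zone. A host absent from the inventory is reported under
    the zone name 'UNKNOWN' rather than silently dropped."""
    findings = {}
    for lun, hosts in luns.items():
        by_zone = defaultdict(list)
        for host in sorted(hosts):
            by_zone[zones.get(host, "UNKNOWN")].append(host)
        if len(by_zone) > 1:
            findings[lun] = dict(by_zone)
    return findings


def unknown_hosts(luns, zones):
    """Hosts present in the masking table but missing from the zone inventory.
    These need resolving before the cross-zone result can be trusted."""
    return sorted({h for hosts in luns.values() for h in hosts if h not in zones})


def audit(zone_text, masking_text):
    """Run both checks and return the findings as a list of report lines."""
    zones = parse_zones(zone_text)
    luns = parse_masking(masking_text)
    lines = []
    for lun, by_zone in sorted(cross_zone_luns(luns, zones).items()):
        spans = "; ".join(f"{z}: {', '.join(hs)}" for z, hs in sorted(by_zone.items()))
        lines.append(f"CROSS-ZONE {lun} -> {spans}")
    for host in unknown_hosts(luns, zones):
        lines.append(f"UNKNOWN-HOST {host} has LUNs masked to it but no zone")
    return lines


if __name__ == "__main__":
    for line in audit(FIREWALL_ZONES, LUN_MASKING):
        print(line)
```

On the constructed data this reports LUN-0003 (internal and management) and LUN-0004 (dmz and internal) as cross-zone, and oldhost as a host with storage but no place in the zone inventory. A LUN shared only within one zone (LUN-0001, LUN-0002) is not a finding: the network already allows those hosts to reach each other, so the shared drive adds no new path.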
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/