LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-12-2010, 03:06 PM   #1
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Rep: Reputation: 0
Physical server security


We have a server in our office that has sensitive data on it. We'd like to put as many layers of protection on this as we can - including encryption and protection from network-based attacks - but the issue we're facing at present is physical security. We want to make it as hard as possible for someone to walk off with this machine.

Is there a company that builds computers with physical security in mind? Servers that you can, say, bolt to the floor? Hard drives that can't be removed without special tools?
 
Old 10-12-2010, 03:14 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,651

Rep: Reputation: 7970
Quote:
Originally Posted by jasonswett
We have a server in our office that has sensitive data on it. We'd like to put as many layers of protection on this as we can - including encryption and protection from network-based attacks - but the issue we're facing at present is physical security. We want to make it as hard as possible for someone to walk off with this machine.

Is there a company that builds computers with physical security in mind? Servers that you can, say, bolt to the floor? Hard drives that can't be removed without special tools?
Haven't we been here before?

Not aware of any company doing it, but you're not asking for anything you can't solve with a trip to the hardware store. Take your server case, drill a hole in the bottom, and shove a big bolt through it. There you go...a server you can now bolt to the floor. How about an alarm you bolt to the case too? http://www.amazon.com/Targus-PA400U-.../dp/B00000J3UJ

Hard drive screws? http://www.tamperproof.com/ has you covered.
 
Old 10-12-2010, 03:17 PM   #3
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Original Poster
Rep: Reputation: 0
Thanks. I made this a separate post because I didn't want to muddle together the issues of encryption and physical security.
 
Old 10-12-2010, 03:46 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I'd recommend the use of good concrete anchors and thread locker on the bolts, in order to increase the amount of work necessary to remove them. Typically, thread locker will force the use of a small blow torch before hand tools could have any effect. At that point, it might be easier to just cut through the computer case and extract the drive.

That said, could you clarify as to what exactly you're protecting here? Sometimes I read your post and it sounds like you're adding a layer of security on top of the encryption (as in, even though the drive is encrypted, you still want to make it difficult for them to take off with the encrypted data). Other times, it sounds to me like you're actually trying to protect the hardware itself from being stolen.
 
Old 10-12-2010, 03:49 PM   #5
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Original Poster
Rep: Reputation: 0
We don't care about the hardware itself, just the data on it. We (my company) are actually pretty satisfied with just the encryption but our clients would sleep a little better at night if we could (truthfully) tell our clients (the owners of the data) we have some kind of protection against physical theft.
 
Old 10-12-2010, 04:16 PM   #6
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,658

Rep: Reputation: 2708
Server Security

I spent 23 years in the USARNG, 17 were in security and intelligence.
The general standard we used might be a good guide:
1. If it is connected to anything else, it is not really secure.
2. If it is not behind a lock, it is not secure.
3. If there is not an armed guard present, aware, able, and prepared to prevent anyone unauthorized from OPENING THAT LOCK, then it is not secure.

As soon as anyone has access to the machine, physically or over a network, they may gain access to the data on that machine. It really does not matter if they INTEND to or not, once the data is out of your control you cannot get it back. If you want it really secure, you need to lock it down from physical and remote access and place a guard on it to ensure that no one has an opportunity to bypass that lock-down.

I have no idea what your real security requirement is, or what level of security would be justified in your case. Chains and padlocks are not expensive solutions, but they mostly protect things from friends and those who are reasonably law-abiding in the first place. If someone has access and a little time, physical restraints alone are not protections.

On the other hand, several layers of locks, doors, and protections would deter any but the most dedicated snooper. Your inside man (like the dishonest janitor or guard) is unlikely to carry a gas torch and hacksaw blade to work without raising suspicion.

Your best solution may be to secure this machine in a place difficult to reach, where no one normally goes, that can only be reached by passing through levels of security, and may be under continuous remote observation. It makes it difficult for anyone to get TO the machine, more difficult to remove it, and nearly impossible for them to remove it without being noticed, recorded, and caught in the act.
 
1 members found this post helpful.
Old 10-13-2010, 08:29 AM   #7
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Original Poster
Rep: Reputation: 0
Why hasn't anyone mentioned anything like this? Would this not at least be a good start?
http://www.amazon.com/Kendall-Howard...pd_sim_sbs_e_3
 
Old 10-13-2010, 08:45 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,651

Rep: Reputation: 7970
Perhaps we haven't mentioned it, because we didn't KNOW about it??
 
Old 10-13-2010, 08:52 AM   #9
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Original Poster
Rep: Reputation: 0
I thought you knew everything!

Puzzlingly, a lot of these server cabinets don't say whether they were designed with physical security in mind, and sometimes the product will look lockable and then a reviewer will say that it's not really all that lockable. I didn't think this was such an unusual need.
 
Old 10-13-2010, 09:08 AM   #10
jasonswett
LQ Newbie
 
Registered: Jan 2010
Posts: 29

Original Poster
Rep: Reputation: 0
Also, I realize now that this question may have been more appropriate for the Hardware forum.
 
Old 10-13-2010, 09:46 AM   #11
hurryi
Member
 
Registered: Apr 2010
Distribution: RHEL
Posts: 77

Rep: Reputation: 8
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. — Gene Spafford
 
Old 10-14-2010, 09:20 AM   #12
cadillackid
LQ Newbie
 
Registered: Oct 2010
Posts: 4

Rep: Reputation: 0
You should be more concerned about someone getting console access than taking the box itself....

Bolting it down, etc. is easily rectified by a hardware store.. grind off bolts, drill out screws, etc...

But really, if it is running encryption, that is great as long as it takes an outside force to unlock the encryption...

i.e. a physical person must enter the encryption password on reboot..

If the system boots up and encryption is unlocked automatically, good luck protecting that.. sure, it might protect against someone stealing the hard drives and booting into service on another machine, etc..

But it's pretty easy to boot on a live media, rip apart the initrd, get a root shell prompt, strace or gdb the init program, grab the crypt keys, mount the drive and there goes your data....

I have to deal with this very thing in the worst way, because I sell a product that uses Linux on a flash card, and on that runs proprietary software that needs protected from illegal copy... but in my case every user has physical access to the server....

-Christopher
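
An added example, not part of the post above or of any product mentioned in the thread: a defender's check of which `/etc/crypttab` volumes open at boot without anyone typing a passphrase, which is the case the post warns about. The sample crypttab, its device names and its key paths are constructed for illustration.

```python
"""Classify /etc/crypttab entries by how each volume gets unlocked at boot."""

# Constructed sample; on a real host pass the contents of /etc/crypttab instead.
SAMPLE_CRYPTTAB = """\
# <name>   <device>                 <key file>            <options>
data       UUID=0000-constructed-1  none                  luks
backup     /dev/sdb1                /etc/keys/backup.key  luks
swap       /dev/sda2                /dev/urandom          swap,cipher=aes-xts-plain64
archive    /dev/sdc1                none                  luks,keyscript=/usr/local/sbin/getkey
vault      /dev/sdd1                -                     luks,tpm2-device=auto
"""

RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}
# Options that can supply the key with nobody at the console.
KEY_OPTIONS = ("keyscript", "tpm2-device")


def classify(line):
    """Return (name, mechanism) for one crypttab line, None for blanks/comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    name = fields[0]
    key = fields[2] if len(fields) > 2 else "none"
    options = fields[3].split(",") if len(fields) > 3 else []
    option_names = {opt.split("=", 1)[0] for opt in options}

    if key in RANDOM_SOURCES:
        return name, "ephemeral"   # new random key each boot, contents do not persist
    for opt in KEY_OPTIONS:
        if opt in option_names:
            return name, opt       # keyscript: behaviour depends on the script itself
    if key not in ("none", "-"):
        return name, "keyfile"     # key material is stored where the boot process can read it
    return name, "passphrase"      # a person has to type it at boot


def audit(text):
    """Map volume name -> unlock mechanism for every entry in a crypttab body."""
    results = (classify(line) for line in text.splitlines())
    return dict(r for r in results if r is not None)


def needs_review(text):
    """Names of volumes that may unlock with no human present."""
    return sorted(n for n, m in audit(text).items() if m not in ("passphrase", "ephemeral"))


if __name__ == "__main__":
    for name, mechanism in audit(SAMPLE_CRYPTTAB).items():
        print(f"{name:10} {mechanism}")
```

On systemd hosts a key file named after the volume in `/etc/cryptsetup-keys.d/` is loaded automatically even when the key field is `none`, so check that directory alongside the result.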
 
Old 10-15-2010, 12:48 AM   #13
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
Why not keep your server off-site, maybe inside the vault of a Bank?

Last edited by the_gripmaster; 10-15-2010 at 12:52 AM.
 
Old 10-15-2010, 10:37 PM   #14
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
http://www.klsecurity.com/GSA_Advant...-container.htm


If you want to feel pretty safe about the physical security, that should help. It is made for computers and they range from 700-1600 lbs depending on how big you need.

Last edited by slimm609; 10-17-2010 at 12:27 AM.
 
1 members found this post helpful.
Old 10-20-2010, 10:08 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by slimm609
http://www.klsecurity.com/GSA_Advant...-container.htm


If you want to feel pretty safe about the physical security, that should help. It is made for computers and they range from 700-1600 lbs depending on how big you need.
Wow, that's some pretty neat stuff right there. Thanks for the link.
 
  

