[Cialug] Lots 'o questions....

Josh More morej at alliancetechnologies.net
Thu Jan 15 16:08:57 CST 2009


I pretty much agree with what's said here.  I only have two things to
add:

1) RAID is intended to protect against hardware failure.  For what
you're describing, you're better off buying a NAS that supports rsync
and setting up jobs to rsync all your important boxes to the NAS.  Then,
when your house catches fire, you just grab the NAS and run.  You'll
have all data and configs and have to worry about rebuilding RAIDs. 
Remember, those that do backups cheaply get what they pay for.

2) Virtualization software is somewhat equivalent to switches at a
logical and security level.  (It's not a perfect analogy, I know, that's
not the point.)  They're about as secure as switches were when they'd
only been on the market for two years.  They do the job, and they do it
well.  However, you need to be aware that there ARE risks and you can
only mitigate them so far.  Best practice for Enterprise-level
virtualization is to only put VMs of like security context on the same
hardware.  That's not affordable for the home user, so you have to
accept some risk.  Odds are that you'll be fine, but be sure to harden
your systems as best you can and update ALL systems regularly.  This
includes the VM software and the host.



-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> "Daniel A. Ramaley" <daniel.ramaley at drake.edu> 01/15/09 3:51 PM >>>
If you intend to be able to move RAIDed drives to another machine and 
still access them, i'd suggest reevaluating the hardware RAID decision. 
With hardware RAID, if the RAID controller isn't identical (same 
hardware and firmware revisions), there is no guarantee of it working. 
Software RAID is a bit more flexible; as long as you have a kernel 
version that is close it should be possible to read another system's 
disks. If you're really thinking of needing to remove RAID disks and 
make them work on another machine, i'd advise doing a lot of testing 
and playing with it prior to loading any data onto the RAID. Also, 
remember that RAID is not a backup. While there are certain hardware 
failures that RAID will protect you from (motherboard or controller 
failure being notable exceptions), it will not protect you from 
software or user errors (rm -rf ...).

As far as the VM issues, more attacks against VMs are being discovered 
all the time. Running things in a virtual machine is adding more layers 
of software, so of course it will be overall less secure than running 
on bare hardware. But for many applications the marginal difference in 
security is a worthwhile tradeoff to get the benefits that 
virtualization can give (fewer machines, lower overall power use, 
etc.). For a home server i'd say go ahead with virtualization, but just 
be sure to keep up to date with security patches. But you should do 
that anyway, especially if running internet-facing services.

On Thursday January 15 2009 15:36, jrnosee at gmail.com wrote:
>Awesome.  I think that gets most of what I wanted to know.
>
>on the
>If it's a RAID mirror then... maybe. Are you planning to use the linux
>software RAID driver? Get familiar with the mdadm commands. If you're
> using a hardware RAID controller, then being able to rebuild your
> RAID sometimes depends on having a compatible controller available.
>
>It's probably going to be a hardware RAID...I think.  I know once upon
> a time just having a controller card didn't always mean it was a full
> hardware RAID.  I bought a cheap SATA controller (probably Silicon
> Image based) some time back that I'll probably use, but I forget it's
> capabilities.  I guess my question was whether or not I could access
> the files without rebuilding the RAID or if it's even possible (i.e.
> just plugging the one drive I grabbed into say an eSATA port on
> another computer...worst case would be if all I had was a basic
> windows computer available to me.  Say, at my parent's house.).
>
>And on:
>Yes and no. Using a VM offers other vectors of attack... for instance
>someone has demonstrated reading information directly from the CPU
> buffers between VM's on the same machine.
>
>Is this something that can be executed from the exposed VM, or on the
> host machine, and by exposing a VM am I inherently exposing the host?
>
>Thanks again,
>
>Justin
>
>On Thu, Jan 15, 2009 at 3:12 PM, David Champion 
<dchampion at visionary.com>wrote:
>> I can offer answers on some of these... see replies inline...
>>
>> -dc
>>
>> jrnosee at gmail.com wrote:
>>> I've decided to take on a new endeavor and I'm looking for any
>>> thoughts, suggestions, tips, etc. I can get.
>>>
>>> I'm going to set up a box running Ubuntu (not sure if it will be
>>> server (or server w/ gui) or desktop yet).
>>>
>>> This box is going to be 2 things.
>>>
>>> 1.) VMware Server
>>> Currently this runs my NSLU2 "slug" embedded linux development
>>> environment.  I may also add a web/email server VM* (see below)
>>> 2.) Media File and Backup Server
>>> I'm going to set up a mirrored 500GB raid to hold multi-media files
>>> and backup files from my home windows pc's.
>>>
>>> The OS will either be on a separate drive, or the same drive as the
>>> VM's. The RAID will be a share as a whole (unless suggested
>>> differently).  I want to make as much room available to this share
>>> as possible.
>>>
>>> My primary questions involve the RAID as I've never set one up
>>> before. There are 2 things I'm hoping the raid can do for me, but I
>>> don't know if it can, or how to set it up.
>>> 1.) Pull 'n go in an emergency.  You know, the house is burning
>>> down and I have time to grab...one drive tray from the server.  If
>>> I pull out one of the two raid drives and my house goes up in
>>> flames, can I just stick the drive in another computer later as a
>>> single drive and get my files back?
>>
>> If it's a RAID mirror then... maybe. Are you planning to use the
>> linux software RAID driver? Get familiar with the mdadm commands. If
>> you're using a hardware RAID controller, then being able to rebuild
>> your RAID sometimes depends on having a compatible controller
>> available.
>>
>>  2.) Windows/Linux accessable.  I'm going to be sharing to a Windows
>> PC.  I
>>
>>> want the linux OS to be able to read the drive too.  I'm going to
>>> have large (4+GB) files on it and I know FAT32 won't go that big. 
>>> Should #1 happen, I may want to get at these files from a Windows
>>> PC.
>>
>> The store's local filesystem format is irrelevant, you only care
>> that the network file share is readable... which will probably
>> either be Samba or NFS... unless you want to make an iSCSI share or
>> something like that. Probably best to use a linux native fs, like
>> ext3.
>>
>>  My other questions involves Security & VM's.
>>
>>> 1.) If I open up a VM to the web for webhosting and email, are my
>>> other VM's and my host OS still safe from attack?  Sadly for years
>>> I've pretty much sat myself behind a router firewall and lived
>>> happily...I doubt that'll be enough sooner than later.
>>
>> Yes and no. Using a VM offers other vectors of attack... for
>> instance someone has demonstrated reading information directly from
>> the CPU buffers between VM's on the same machine.
>>
>>  Odd question out:
>>> Going along with #2 from the RAID questions, is there any format I
>>> can use on a portable drive that would store large (4+GB) files,
>>> and be readable and writable in Linux and Windows?
>>
>> The linux fuseblock driver should be able to read & write NTFS (I've
>> been using it without any issues). You can also get linux filesystem
>> drivers for ext2 & 3, reiserfs and probably others for Windows. If
>> you're worried about being able to plug it into any random Windows
>> box and read it, you'll probably want NTFS.
>>
>>  Thanks,
>>
>>> Justin W. Richeson
>>> -------------------------------------------------------------------
>>>-----
>>>
>>> _______________________________________________
>>> Cialug mailing list
>>> Cialug at cialug.org
>>> http://cialug.org/mailman/listinfo/cialug
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug

-- 
------------------------------------------------------------------------
Dan Ramaley                            Dial Center 118, Drake University
Network Programmer/Analyst             2407 Carpenter Ave
+1 515 271-4540                        Des Moines IA 50311 USA
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug



More information about the Cialug mailing list