Steve Beattie wrote:
>
>
> Also note that I am using md5 authentication, and good did not complain
> about bad's packets failing authentication (these would have shown up
> in the debug log). Which begs me to ask: what is the security model
> behind the authentication scheme? What sort of threats are you
> attempting to prevent by using it?
Members of the cluster are given significant privileges with respect to each
other. In the current implementation, one cluster member can say to another
"give up this resource" and they will. This is immediate denial of service, and
opens the door wide for the hacker to masquerade as a cluster member.
The authentication is used for two reasons:
1) To prevent joe-hacker from telling our cluster to do
something we don't want it to do through the wire.
2) To detect packets corrupted by "normal" network problems,
so that we don't try and act on them.
We run on IP media, and on raw serial ports. The raw serial ports have no
protection against dropped/mangled characters except for the authentication.
Basically, we've raised the bar for an intruder to gain control of the cluster
through the software we've written. And, we believe we've raised it a good bit
above the highly-vulnerable "I trust everything" level it started with. Not
only that, but the serial ports needed it for checksums :-)
We also think that we're in pretty good shape against replay attacks.
My experience says that when corrupted packets get through, they are logged and
ignored.
A thorough security audit would be welcomed.
-- Alan Robertson
alanr@bell-labs.com
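Added example, not heartbeat's own code: a keyed digest over a cluster message that does the two jobs the reply describes, rejecting a packet mangled on the serial line and a packet built without the shared key. The message fields, the key and the HMAC-MD5 construction are assumptions for this illustration; heartbeat's real wire format is not reproduced.

```python
"""Added example: keyed digest as authenticator and checksum for cluster messages.
Message layout, key and digest construction are constructed for illustration only."""
import hmac
import hashlib

# Constructed shared secret standing in for the key cluster members share.
CLUSTER_KEY = b"constructed-shared-key"


def sign(message: bytes, key: bytes = CLUSTER_KEY, digestmod=hashlib.md5) -> bytes:
    """Return message + " " + hex tag, tag = HMAC(key, message).
    HMAC-MD5 stands in for the post's "md5 authentication"; pass
    digestmod=hashlib.sha256 for a stronger tag with no other change."""
    tag = hmac.new(key, message, digestmod).hexdigest().encode()
    return message + b" " + tag


def verify(packet: bytes, key: bytes = CLUSTER_KEY, digestmod=hashlib.md5) -> tuple:
    """Split off the trailing tag, recompute it, return (accepted, reason)."""
    try:
        message, tag = packet.rsplit(b" ", 1)
    except ValueError:
        return False, "malformed: no authentication field"
    expected = hmac.new(key, message, digestmod).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return False, "authentication failed: corrupted or not from a key holder"
    return True, "ok"


def serial_drop(packet: bytes, index: int) -> bytes:
    """Simulate the raw serial port dropping one character."""
    return packet[:index] + packet[index + 1:]


def demo() -> dict:
    """Exercise the three cases from the reply: genuine, corrupted, unkeyed."""
    genuine = sign(b"t=status st=active from=node1")  # constructed message
    results = {"genuine": verify(genuine)[0]}
    # One dropped byte in the payload, as a flaky serial link would cause.
    results["dropped_char"] = verify(serial_drop(genuine, 5))[0]
    # A sender without the shared key cannot produce an acceptable tag.
    unkeyed = sign(b"t=giveup res=IPaddr from=node1", key=b"wrong-key")
    results["wrong_key"] = verify(unkeyed)[0]
    return results
```

Note that the tag proves only that the sender held the key and that the bytes arrived intact; it says nothing about freshness, so replay protection has to come from elsewhere in the protocol.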