There is the convenience issue of the speed that the image transfers across the network. There is also the issue that infected workstations may be collecting passwords.

My suggestion would be to use the hard drives in the workstation to store the boot images, and have the minimal operating system on some sort of USB device or something that the employees can take home with them, carry around, etc. The employee can then:

1. plug in the USB device
2. boot the machine
3. enter the device password (to decrypt the rest of the device)
4. the USB device should then be removed
5. enter the network username and password (remote authentication)
6. select which operating system to boot to
   - now the system checks the hash of the selected image, and submits it to a central server for approval
   - if the image is approved, the system is booted
   - network mounts are mounted based on user policy, etc.

Workstations would then need to be locked down, allowed only to ever boot to the USB device or whatever, and might employ some BIOS tricks to only boot devices that have been signed, etc. A decent chassis alarm system would also need to be in place to avoid tampering. Network topology should also be static, and trigger alarms if anything is changed.

It would then be up to the sysadmins to keep the images up to date (not just security-wise, but also with the latest software). If the employee is working with sensitive information (that the sysadmins should not have access to), the data should all be stored in an encrypted state on the remote filesystems, and decrypted on the fly on the workstation when needed.

Problems that may still exist:

1. weak sysadmin security policies
2. weak add/remove/refresh user policies
3. weakness in the encryption protocols
4. USB devices can be cloned

1 and 2 can be mitigated with strict rules and a positive work environment, and proactive education (preventing bribes/social engineering, etc.). 3 is the fault of the cryptanalysts, and 4 can be dealt with by using devices with non-readable sections and on-board crypto (like a smartcard, etc.).

Different things can be enforced more or less based on paranoia levels, but I would say this system is reasonably simple, and prevents most nastiness, and could even remain pretty stable if the images were not updated frequently. With old images, there is the chance of worms infecting the workstation in the morning, but a decent IPS should prevent that, and it would be much easier to clean up later. Also, employees might use recent attacks against each other to gain information on other employees that they do not have access to. IPS should see this though, and if you are really worried, you can make it so all writable directories that a user has are mounted without execute permissions or something.

The user experience is not much more complicated than most current setups, and I believe this does go pretty far to protect the workstations from pretty much any sort of malicious tampering, which was the goal I think.

- DEAN

マグロ原子 wrote:
> In-Reply-To: <4509C2FE.8020104@xxxxxxxxxxx>
>
> I don't really see the point... Possible vulnerabilities (if I didn't
> horribly misunderstand something):
>
> *The AFS server would still need to be updated to keep it secure.
> *If the imaged OS is rootable:
> **The AFS clients that load the images could be replaced by phishnets.
> **The attacker could pose as the user having access to Kerberos
> credentials. (So rm -r / would delete the user's "securely kept files")
>
> Or do users only have read-only access to their files?? That doesn't
> seem useful.
>
> Nyoro~n
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
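The hash-check-and-approve part of step 6 in the boot procedure above, written out as an added example; it is not code from the original post or from any project discussed on the list. The `ApprovalServer` class, the shared key and the image file are all assumptions constructed for the example: the workstation hashes the selected image, asks the central server whether that hash is on the approval list, and only boots on a reply that carries a valid MAC, answers this exact request, and says "approved". The `UnkeyedServer` case shows why the reply needs a MAC at all: a host on the same segment that does not hold the key cannot talk the workstation into booting an unapproved image.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash an image file in chunks (images are large; never read them whole into memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ApprovalServer:
    """Hypothetical central approval service (an assumption, not a real product).
    Holds the allowlist of approved image hashes and answers the workstation's
    'may I boot this?' query. Each reply is HMAC-tagged with a key shared with the
    workstation, so an 'approved' answer from somewhere else on the network is rejected."""

    def __init__(self, approved, key):
        self.approved = dict(approved)  # image name -> expected sha256 hex digest
        self.key = key

    def check(self, image_name, digest):
        expected = self.approved.get(image_name, "")
        ok = hmac.compare_digest(expected, digest)
        payload = json.dumps({"image": image_name, "sha256": digest, "approved": ok}, sort_keys=True)
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload, tag


class UnkeyedServer(ApprovalServer):
    """Constructed stand-in for a host answering approval queries without the shared key.
    It says 'approved' to everything, but its tag cannot verify on the workstation."""

    def check(self, image_name, digest):
        payload = json.dumps({"image": image_name, "sha256": digest, "approved": True}, sort_keys=True)
        tag = hmac.new(b"some-other-key", payload.encode(), hashlib.sha256).hexdigest()
        return payload, tag


def request_boot(server, image_name, image_path, key):
    """Workstation side of step 6: hash the selected image, ask for approval, and boot
    only on a reply that (a) carries a valid tag, (b) answers this exact request, and
    (c) says approved. Returns the decision and the reason for it."""
    digest = sha256_file(image_path)
    payload, tag = server.check(image_name, digest)
    expected_tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"boot": False, "reason": "approval reply failed MAC check"}
    reply = json.loads(payload)
    if reply.get("image") != image_name or reply.get("sha256") != digest:
        return {"boot": False, "reason": "approval reply does not match this request"}
    if not reply.get("approved"):
        return {"boot": False, "reason": "image hash is not on the approval list"}
    return {"boot": True, "reason": "approved", "sha256": digest}


def demo():
    """Run three cases against a constructed image file: pristine, altered on disk,
    and answered by a host without the key. Returns the three boot decisions in that order."""
    key = b"constructed-shared-key-for-the-example-only"
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "linux-desktop.img")
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED IMAGE CONTENT v1\n" * 4096)
        server = ApprovalServer({"linux-desktop": sha256_file(image)}, key)
        pristine = request_boot(server, "linux-desktop", image, key)
        with open(image, "ab") as f:
            f.write(b"\x00")  # simulate an image that was altered on the workstation's disk
        tampered = request_boot(server, "linux-desktop", image, key)
        spoofed = request_boot(UnkeyedServer({}, key), "linux-desktop", image, key)
    return pristine, tampered, spoofed


if __name__ == "__main__":
    for r in demo():
        print(r["boot"], "-", r["reason"])
```

Two caveats follow directly from the thread: the check is only as trustworthy as the minimal OS that performs it, which is why the post wants that OS on a device the workstation is locked to boot from; and a deployed version would add a nonce or timestamp to the request so an old "approved" reply cannot be replayed after the allowlist changes.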