Home > Uncategorized > Random: White Papers or How I learned to stop worrying and loved becoming a security engineer

Random: White Papers or How I learned to stop worrying and loved becoming a security engineer

I’ve been wanting to start writing white papers for a while. Well, not white papers; maybe run sheets or something.

Being a field engineer, or a consultant, I began to realize how important it is to have implementation papers (ah hah!) written to refer to. That’s what I wanted to do with this blog. But this medium is too unprofessional to actually refer clients or prospective employers to. In fact, my use of foul language, my slight touch of immaturity (solely to add a jocular flavor, never really the way I think) may put me at a disadvantage to prospective employers.

Anyway… this same client I’ve referred to in the past month multiple times, needs a encryption solution implemented. And, at this point (the project has been outstanding with my company for about a year 0: ), it needs to get implemented. The planned implementation of PGP Desktop failed. So, back to the drawing board. Wait… who’s doing the drawing? Holy shit ballzzz…. I’m doing the drawing. All of a sudden I found my client looking to me to be able to R&D a solution out of my ass in less than two weeks. Note that when I stepped through their door less 7 1/2 weeks ago, I had no experience with encryption. None. Nil.

The two solutions: content encryption, whole disk encryption are assigned the following phrases in the sales world… respectively: “power on protection,” “power off protection.” Catchy. Power on protection, meaning live data leakage; power off meaning theft/loss.

Here’s the quick break down:

1) Content encryption: Many many many vendors. File encryption. Client software needed to seemlessly intercept encrypted files, decrypt them (at the driver level), and present them to the applications. Client software detects encrypted files by looking at the file header at something called the Data Decryption Field. Software based solution.

2) Whole disk encryption: Many many many vendors. Encryption of the whole disk. Driver needed. Pre-boot authentication an added bonus; but pre-boot auth can usually be disabled (making it transparent, but present).

3) Full Disk Encryption via on-board encryption chip: 2.5″ SATA drives are available from two vendors Fujitsu, Seagate. Note that Seagate’s Cheetah SAS drives are not yet available. And when they become available, they will “only be available to major OEMs.”

4) Full Disk Encryption via a RAID Controller with : The only solution I found for this is PMC-Sierra’s PM8002.

Caveats:
Software: Due to encryptions randomization, big overhead when used on systems with high I/O (like a server). This is because the cache, a predictive technology, gets foiled and repeatedly flush. Only solution for

Hardware: I don’t know how this works yet. If the encryption/key/whatever-the-hell gets screwed up, what do you do? Replace it? I’m guessing you can integrate a cert from a smartcard or something.

Notes: Encrypted file portability with a complete hardware solution can be implement as such:
1) Use Disk2Go’s XKey Security edition (or another hardware based portability solution, like the FDE harddrives)
2) Implement either the full disk encryption via RAID, or on-board HDDs…
3) Create system-wide policies that: ONLY allows copying from the encrypted hard drives on the server to the encrypted medium (whether that be a USB key or “a laptop’s hard drive.”

From what I can tell, implementing hardware level encryption a server is bleeding edge. I hate bleeding edge. You don’t implement bleeding edge, because bleeding edge bleeds.

Well… the client decided they want to bleed their edge. So be it.

Actual option 1) Replace all their current server HDDs with Fujitsu’s 7200RPM drives (or seagate’s if their throughput is higher). (get image, image back)
Actual option 2) Install PMC-Sierra’s PM8002 RAID Controller. (get image, break RAID, build RAID, image back)

Actual option 3) Encrypted NAS/SAN. WHAT?! AHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!! ;)


Note that Microsoft’s EFS is kinda doody; but there is free whole disk encryption (software) available for frees on Linux (TrueCrypt).

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: