Thank you!

On November 20, 2018 2:24:55 PM EST, Nick Holland <n...@holland-consulting.net> wrote:
>On 11/20/18 11:43, Chris Bennett wrote:
>> I am almost certainly going to be replacing with a new server for an
>> organization I am a member of.
>> With all of this mess with Meltdown, Spectre, insecure motherboard
>> chips, etc.
>> I am pretty clueless on exactly what is going to be a secure set of
>> server hardware.
>> Intel, well no.
>> AMD? I have read about problems with non-CPU chips being compromised.
>> Another architecture? I have never used anything other than Intel/AMD.
>>
>> The server will run httpd, mailserver, PostgreSQL and somehow a good way
>> for well encrypted messaging at times.
>
>all on one server?
>
>And as someone who has run a number of mail servers for a number of
>companies ... don't. Just don't. Running your own mail server is a
>good way to accomplish nothing except wasting a lot of time and making
>people hate you.
>
>> It is very likely to run out of Austin, Texas.
>> I think that having a direct connection would be best, but would a
>> proper setup make collocation OK?
>
>You are using poorly defined buzzwords. What you mean by a "direct
>connection", "proper setup", "collocation" and what I mean are likely
>very different.
>
>> This isn't going to be my server, I will just be in charge. That's
>> completely new for me.
>> Any advice is really welcome, everywhere I read anything, hardware seems
>> broken and insecure.
>
>Pretty much all new HW is optimized in ways that we are now learning
>(and has been known for a long time) introduce security problems.
>However, most of the problems boil down to having malicious software
>running in the control of someone else on the same physical machine YOUR
>code is running on.
>
>In short: No news. Really.
>
>If someone that wanted to do you evil lived in the same house as you,
>you would not be comfortable, right? What if you put up walls
>(virtualization) that have proven to be about as robust as paper?
>That make you feel any better? Probably not. Virtualization has been
>proven -- over and over -- not terribly secure. Now we got
>cross-virtualization platforms ways of stealing data from other
>processes. Important? yes. But in the big picture, it's similar to Yet
>Another buffer overflow.
>
>So...split your tasks on different physical systems as much as possible.
>If your webserver is serving static pages, it's probably pretty robust.
>If it's running WordPress or any other "any idiot can manage the web
>page" apps or dynamic web pages for other reasons, it should be a
>machine of its own and have no other important data on it.
>Your primary goal should be to keep the bad guys off your computer in
>every sense. And again...nothing new here.
>
>But if security is your concern, you want real hw you control in every
>sense.
>
>Unfortunately, if you have performance requirements, your choices are
>AMD and Intel. Older Intel and AMD chips aren't getting any support to
>deal with these problems, so your choices are incredibly old chips which
>are probably not in the most reliable hardware, and a whole bunch of
>other old, unreliable, and slow hardware platforms. But be realistic.
>Your bosses will probably mandate a VM on someone else's hw, a WordPress
>website, one box for everything, and that you give him the root password
>which he'll e-mail to himself to keep it "secure". Your most likely
>breach points will be an easily guessed password (usually, a manager's),
>a bug in a web content management system, or someone believing that
>"secure e-mail" is a thing. In other words, Same Old Shit. It probably
>won't be breached by a Spectre or Meltdown-like attack. But it MIGHT
>be. Obsessing about them is generally missing the real day-to-day
>risks.
>
>Nick.