I like turtles

On Tue, Nov 20, 2018, 5:40 PM Josh Grosse <j...@jggimi.net> wrote:
> Thank you!
>
> On November 20, 2018 2:24:55 PM EST, Nick Holland <n...@holland-consulting.net> wrote:
> >On 11/20/18 11:43, Chris Bennett wrote:
> >> I am almost certainly going to be replacing with a new server for an organization I am a member of.
> >> With all of this mess with Meltdown, Spectre, insecure motherboard chips, etc.
> >> I am pretty clueless on exactly what is going to be a secure set of server hardware.
> >> Intel, well no.
> >> AMD? I have read about problems with non-CPU chips being compromised.
> >> Another architecture? I have never used anything other than Intel/AMD.
> >>
> >> The server will run httpd, mailserver, PostgreSQL and somehow a good way for well encrypted messaging at times.
> >
> >all on one server?
> >
> >And as someone who has run a number of mail servers for a number of companies ... don't. Just don't. Running your own mail server is a good way to accomplish nothing except wasting a lot of time and making people hate you.
> >
> >> It is very likely to run out of Austin, Texas.
> >> I think that having a direct connection would be best, but would a proper setup make collocation OK?
> >
> >You are using poorly defined buzzwords. What you mean by a "direct connection", "proper setup", "collocation" and what I mean are likely very different.
> >
> >> This isn't going to be my server, I will just be in charge. That's completely new for me.
> >> Any advice is really welcome, everywhere I read anything, hardware seems broken and insecure.
> >
> >Pretty much all new HW is optimized in ways that we are now learning (and has been known for a long time) introduce security problems. However, most of the problems boil down to having malicious software running in the control of someone else on the same physical machine YOUR code is running on.
> >
> >In short: No news. Really.
> >
> >If someone that wanted to do you evil lived in the same house as you, you would not be comfortable, right? What if you put up walls (virtualization) that have proven to be about as robust as paper? That make you feel any better? Probably not. Virtualization has been proven -- over and over -- not terribly secure. Now we got cross-virtualization-platform ways of stealing data from other processes. Important? Yes. But in the big picture, it's similar to Yet Another buffer overflow.
> >
> >So...split your tasks on different physical systems as much as possible. If your webserver is serving static pages, it's probably pretty robust. If it's running Wordpress or any other "any idiot can manage the web page" apps or dynamic web pages for other reasons, it should be a machine of its own and have no other important data on it. Your primary goal should be to keep the bad guys off your computer in every sense. And again...nothing new here.
> >
> >But if security is your concern, you want real hw you control in every sense.
> >
> >Unfortunately, if you have performance requirements, your choices are AMD and Intel. Older Intel and AMD chips aren't getting any support to deal with these problems, so your choices are incredibly old chips which are probably not in the most reliable hardware, and a whole bunch of other old, unreliable, and slow hardware platforms. But be realistic. Your bosses will probably mandate a VM on someone else's hw, a wordpress website, one box for everything, and that you give him the root password which he'll e-mail to himself to keep it "secure". Your most likely breach points will be an easily guessed password (usually, a manager's), a bug in a web content management system, or someone believing that "secure e-mail" is a thing. In other words, Same Old Shit. It probably won't be breached by a Spectre or Meltdown-like attack. But it MIGHT be. Obsessing about them is generally missing the real day-to-day risks.
> >
> >Nick.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
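An added check, not part of this thread and not code from Nick, Josh or Chris, for Nick's point that whether a box actually carries Meltdown/Spectre-class mitigations depends on the CPU, firmware and kernel you end up with, and that the real exposure is other people's code on the same physical machine. On Linux the kernel publishes a per-flaw status file under /sys/devices/system/cpu/vulnerabilities (that path and the "Not affected" / "Mitigation:" / "Vulnerable" prefixes are the kernel's own); this script reads those files, classifies each flaw, and lists the ones still reported as vulnerable and the ones whose status says SMT is still exposed, which is what matters if a co-tenant or a VM shares the cores. The SAMPLE_STATUS dictionary is constructed for illustration and is only used when the sysfs directory is absent (for example on OpenBSD, which has no such interface).

```python
"""Report which hardware flaws the running Linux kernel still considers unmitigated.

Added example for the thread above; not the mailing list's or anyone's production code.
"""
from pathlib import Path
from typing import Dict, List, Union

# Real sysfs location on Linux (absent on other operating systems).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample statuses, used only when the sysfs directory is missing.
# The wording follows the kernel's conventions but the values are illustrative.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "itlb_multihit": "Not affected",
}


def classify(status: str) -> str:
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # new or unexpected wording; treat as needing a human look


def read_sysfs(directory: Union[str, Path] = SYSFS_DIR) -> Dict[str, str]:
    """Read every status file in the directory; empty dict if it does not exist."""
    d = Path(directory)
    if not d.is_dir():
        return {}
    return {
        p.name: p.read_text(errors="replace").strip()
        for p in sorted(d.iterdir())
        if p.is_file()
    }


def unmitigated(statuses: Dict[str, str]) -> List[str]:
    """Flaws reported as still vulnerable, plus any with unrecognised status."""
    return sorted(n for n, st in statuses.items() if classify(st) in ("vulnerable", "unknown"))


def smt_exposed(statuses: Dict[str, str]) -> List[str]:
    """Flaws whose status says sibling hyperthreads are still exposed to each other."""
    return sorted(n for n, st in statuses.items() if "SMT vulnerable" in st)


def report(statuses: Dict[str, str]) -> Dict[str, List[str]]:
    """Group flaw names by classification so the result can be logged or compared."""
    out: Dict[str, List[str]] = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": []}
    for name, st in sorted(statuses.items()):
        out[classify(st)].append(name)
    return out


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live if live else SAMPLE_STATUS
    source = "live sysfs" if live else "constructed sample (no sysfs on this host)"
    print(f"source: {source}")
    for kind, names in report(statuses).items():
        print(f"{kind:13s} {', '.join(names) or '-'}")
    print("still unmitigated:", ", ".join(unmitigated(statuses)) or "none")
    print("SMT still exposed:", ", ".join(smt_exposed(statuses)) or "none")
```

Run it on a candidate Linux server as an unprivileged user; the files are world-readable. An empty "still unmitigated" line only says the kernel believes its mitigations are in place, not that shared-host neighbours are harmless, which is why the "SMT still exposed" line is printed separately.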