In message <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b-000000@email. amazonses.com>, Antonio Leding <t...@leding.net>wrote:
>Security: > >With some VMs, you will have complete root-level rights on >the server and can do what you wish in terms of server security. Yes. Quite. And believe me, I would -never- waste time on or trust in even the smallest way any VM that I DID NOT have root on. I already do have one VM "slice", and yes, I do have root on that. Traditionally, through the past 30+ years, and until quite recently, I've never placed -any- trust in any machine that I did not have immediate phsysical proximity to. And even now, I still view remote cloud servers with great skepticism, security-wise. The revelations, over that past year or so, of the multiple entire *waves* of x86 CPU security flaws... many of which still remain to be patched... have only underscored and reinforced my original skepticism. Having root on a VM is hardly insurance against anything, and wasn't, even before anyone even knew about all of these CPU bugs. How the hell do I know who has access to my storage volumes if they are in a data center a thousand miles away from me, being tended by people who I have never even met? So I approach remote VMs very very cautiously, and unlike various corporations that have jumped headlong onto the cloud bandwagon with both feet, I personally put as little of my data as possible on such things. And even then, you won't catch me putting anything on there that would cause me real problems if the data were exposed to the entire planet. Call me paranoid. Call me a luddite. But I sleep soundly at night. >I understand - and share - your concerns re: cloud-based mail security >but those issues are manageable if proper infosec is implemented. I disagree, and I believe that I even have evidence to the contrary. Anybody working in that same data center, or who has either direct or remote admin access to the whole thing can image your entire drive anytime they want.... and perhaps without you even knowing that it happened. We all hope that hosting company personnel won't go around doing this, willy nilly, or in lieu of a court order, but there are no guarrantees. Even though I may disagree with you about the security of cloud VMs, I'm still very glad that you spoke up anyway, because you've made me think a bit more about the problem I'm trying to solve, and I've just realized that there may perhaps be a whole different way to skin this cat. The bottom line is that really, I just want a (another) remote VM *only* (or primarily) for its static IP address... a static IP that's needed, generally although not necessarily absolutely, in order to run a mail server. Sooooooo... maybe what I really should be trying to figure out is how I can run a -single- instance of Postfix, down here on my (soon to be dynamic) end-luser broadband line, and just set up a VM at some fixed IP address that will be running some sort of a VPN or something that will just be, in effect, transparently proxying all of the inbound port 25 traffic to my (soon to be dynamic) DSL line. Will this work? Is anybody doing this already? If so, how do I set it all up? Regards, rfg
