[Linux-ha-dev] Heartbeat authentication [was Re: Heartbeat 0.45 experiences]

Crispin Cowan crispin@cse.ogi.edu
Tue, 19 Oct 1999 22:13:20 +0000


Alan Robertson wrote:

> Steve Beattie wrote:
> >    Which begs me to ask: what is the security model
> >    behind the authentication scheme? What sort of threats are you
> >    attempting to prevent by using it?
>
> Members of the cluster are given significant privileges with respect to each
> other.  In the current implementation, one cluster member can say to another
> "give up this resource" and they will.  This is immediate denial of service, and
> opens the door wide for the hacker to masquerade as a cluster member.
>
> The authentication is used for two reasons:
>
>         1)      To prevent joe-hacker from telling our cluster to do
>                 something we don't want it to do through the wire.
>
>         2)      To detect packets corrupted by "normal" network problems,
>                 so that we don't try and act on them.
>
> We run on IP media, and on raw serial ports.  The raw serial ports have no
> protection against dropped/mangled characters except for the authentication.
>
> Basically, we've raised the bar for an intruder to gain control of the cluster
> through the software we've written.  And, we believe we've raised it a good bit
> above the highly-vulnerable "I trust everything" level it started with.  Not
> only that, but the serial ports needed it for checksums :-)

I'm still a little vague on the threat model that you're considering.  Is the
authentication to prevent an outsider from attacking one of the nodes in the
cluster?  To prevent someone from masquerading as one of the nodes in the cluster?
Or to prevent the attacker from leveraging a crack into one of the cluster nodes
into total control of the cluster?  They're all important, but crypto applies to
each case in different ways ...

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
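The two purposes Alan lists for the authenticator, rejecting forged commands and catching packets mangled in transit, can both be served by one keyed MAC, while a plain checksum only covers the second. The following is an added example and not Heartbeat's own code; the key=value line layout, the shared key and the HMAC-SHA256 construction are assumptions made for illustration.

```python
import hmac
import hashlib

# Constructed example, not Heartbeat's wire format: a packet is a block of
# key=value lines followed by an auth= line holding an HMAC over those lines.
SHARED_KEY = b"cluster-secret-example"  # assumption: pre-shared by every node


def authenticate(fields: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 authenticator to the message fields."""
    mac = hmac.new(key, fields, hashlib.sha256).hexdigest().encode()
    return fields + b"\nauth=" + mac + b"\n"


def verify(packet: bytes, key: bytes = SHARED_KEY):
    """Return the fields if the authenticator matches, else None.

    A mismatch covers both cases from the discussion: a packet built by
    someone without the shared key, and a packet corrupted on the wire.
    """
    try:
        body, tag = packet.rstrip(b"\n").rsplit(b"\nauth=", 1)
    except ValueError:
        return None  # no authenticator at all
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return body


def demo():
    """Exercise the three cases: genuine, corrupted in transit, forged."""
    msg = b"t=status\nsrc=node1\nst=active"
    good = authenticate(msg)
    # Single flipped character, as a noisy raw serial line might produce.
    corrupted = good.replace(b"st=active", b"st=actIve")
    # A sender without the shared key builds a resource-release message.
    forged = authenticate(b"t=release\nsrc=node1\nrsc=ip1", key=b"guess")
    return (verify(good) == msg,
            verify(corrupted) is None,
            verify(forged) is None)
```

A CRC would also catch the flipped character, but it would accept the forged packet; the keyed MAC is what raises the bar for an intruder on the wire.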