The High Cost of On Premises Infrastructure
-
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@Dashrender I've never tried this, but just thinking about it, no matter what is on a USB stick, I don't know that any ESXi, Xen, KVM or Hyper-V environment would react to the USB stick at all, or maybe just acknowledge that it exists. I'm not aware of any situation where they would "see" the files on the device. Obviously you can protect against this by blocking USB access on the hardware, you can stop the disk drives from being used, too.
But assuming that those things have been missed, I'm interested in where you've seen this threat and what has caused you to be concerned about it.
As you said, it's not real concern, you're much more likely to be breached like this in a SMB shop. As I said "move along, Move along"
-
@Dashrender said in The High Cost of On Premises Infrastructure:
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@JaredBusch said in The High Cost of On Premises Infrastructure:
@NetworkNerd said in The High Cost of On Premises Infrastructure:
@JaredBusch said in The High Cost of On Premises Infrastructure:
The two biggest arguments that always have to be addressed are
- speed of access to file shares
- access to the client/server LoB app used now.
You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.
Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.htmlNot IMO. Because colo means the data is never in anyone else's hands.
And you can encrypt the entire colocation platform, so that physical extraction is not a direct concern as well. Someone stealing hard drives or even full arrays would be useless to them.
I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.
How is that any less safe then your office building? You have patients coming in and out all day, contractors, maintenance, etc etc etc. You don't know who is in your building and who could, just as easily, plug a USB stick in to a host.
A colo knows exactly who is in their building, many have biometric security and pressure sensitive pads to prevent piggy backing.
-
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@Dashrender said in The High Cost of On Premises Infrastructure:
I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.
Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?
Dont you watch House of Cards?
-
@Dashrender said in The High Cost of On Premises Infrastructure:
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@Dashrender said in The High Cost of On Premises Infrastructure:
I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.
Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?
Yeah I forgot about disabling the USB ports - so this should be a non issue. Never mind nothing to see here.
But even if you didn't, is there an attack vector? How could you get something to execute if the USB was accidentally exposed?
-
@bigbear said in The High Cost of On Premises Infrastructure:
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@Dashrender said in The High Cost of On Premises Infrastructure:
I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.
Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?
Dont you watch House of Cards?
No and I'm guessing that this would make me want to avoid it?
-
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@bigbear said in The High Cost of On Premises Infrastructure:
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@Dashrender said in The High Cost of On Premises Infrastructure:
I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.
Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?
Dont you watch House of Cards?
No and I'm guessing that this would make me want to avoid it?
They do get a lot of silly technical things wrong, but the story is generally pretty good.
-
@coliver said in The High Cost of On Premises Infrastructure:
They do get a lot of silly technical things wrong, but the story is generally pretty good.
To me this always says "the writers didn't take this seriously and don't think that I should."
-
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@coliver said in The High Cost of On Premises Infrastructure:
They do get a lot of silly technical things wrong, but the story is generally pretty good.
To me this always says "the writers didn't take this seriously and don't think that I should."
What is the point in paying for a quality technical consultant to assist the writers when the target audience has no idea what anything is anyway?
Too many people get caught up in the weeds and deride things because of minor details and forget to pay attention to the story.
Now, that said, I have no idea how this show is as I have never watched it.
Also, if the tech is too blatantly wrong, then I will lose my suspension of disbelief and thus not like the show. But generally it has to be really bad for that.
-
@JaredBusch said in The High Cost of On Premises Infrastructure:
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@coliver said in The High Cost of On Premises Infrastructure:
They do get a lot of silly technical things wrong, but the story is generally pretty good.
To me this always says "the writers didn't take this seriously and don't think that I should."
What is the point in paying for a quality technical consultant to assist the writers when the target audience has no idea what anything is anyway?
Too many people get caught up in the weeds and deride things because of minor details and forget to pay attention to the story.
Now, that said, I have no idea how this show is as I have never watched it.
Also, if the tech is too blatantly wrong, then I will lose my suspension of disbelief and thus not like the show. But generally it has to be really bad for that.
It's never that bad. They get some of the minutia of US politics much worse then they do the technical aspects in general. The story is actually pretty good, and Kevin Spacey does an excellent job as a sociopath. It's on Netflix highly recommend the first and second season (all I've had time for).
-
My servers are in cage with 5 racks. The space my servers is in is part of a half rack rental.
So it is certainly possible that I could attempt something malicious once in. But that is very easily trackable.
-
@JaredBusch said in The High Cost of On Premises Infrastructure:
Also, if the tech is too blatantly wrong, then I will lose my suspension of disbelief and thus not like the show. But generally it has to be really bad for that.
Swordfish anyone?
-
@JaredBusch said in The High Cost of On Premises Infrastructure:
What is the point in paying for a quality technical consultant to assist the writers when the target audience has no idea what anything is anyway?
I also take "don't take it seriously" as another way to say "I'm not the target audience." I'm not saying it's a bad business decision, just saying that I'm not their target audience.
-
Its actually one of the best shows on.
The data center thing was a setup anyway, some FBI guy wanted him to get caught. As soon as he connect the USB drive he is arrested.
-
I mean, short of a Mission Impossible-style rappelling from the ceiling kinda thing, it'd be awfully tough for Average Joe Hacker to waltz into a data center and plug a malicious USB in. Key cards, cameras, security guards, etc. are all something they'd have to pass through to get to the hardware.
My favorite, absolute favorite, thing is MANTRAPS.
-
@ChrisL said in The High Cost of On Premises Infrastructure:
I mean, short of a Mission Impossible-style rappelling from the ceiling kinda thing, it'd be awfully tough for Average Joe Hacker to waltz into a data center and plug a malicious USB in. Key cards, cameras, security guards, etc. are all something they'd have to pass through to get to the hardware.
My favorite, absolute favorite, thing is MANTRAPS.
Not to mention that they would have to get in, then identify how to get to the right customer's equipment, then figure out which of that equipment was the one that they were there to target. It is layer after layer of complexity to do this kind of attack - any kind of physical attack in this sort of environment. Just getting in the door, which you could potentially do with a tank, isn't enough. You still have to find the target. I've been in many a datacenter and figuring out which server is which is pretty hard in the sea of machines. They all look about the same.
Sure if you've been in there loads of times, know exactly where it is, know exactly what you are looking for it is one thing. But this requires more and more nearly impossible situations.
Whether it is colocation or even corporate datacenters, I have almost never had access to get to the equipment personally - and I'm normally the senior-most technical person overseeing those systems. It's not like you could grab any casual IT person and have them identify equipment for you.
-
@scottalanmiller said in The High Cost of On Premises Infrastructure:
@ChrisL said in The High Cost of On Premises Infrastructure:
I mean, short of a Mission Impossible-style rappelling from the ceiling kinda thing, it'd be awfully tough for Average Joe Hacker to waltz into a data center and plug a malicious USB in. Key cards, cameras, security guards, etc. are all something they'd have to pass through to get to the hardware.
My favorite, absolute favorite, thing is MANTRAPS.
Not to mention that they would have to get in, then identify how to get to the right customer's equipment, then figure out which of that equipment was the one that they were there to target. It is layer after layer of complexity to do this kind of attack - any kind of physical attack in this sort of environment. Just getting in the door, which you could potentially do with a tank, isn't enough. You still have to find the target. I've been in many a datacenter and figuring out which server is which is pretty hard in the sea of machines. They all look about the same.
Sure if you've been in there loads of times, know exactly where it is, know exactly what you are looking for it is one thing. But this requires more and more nearly impossible situations.
Whether it is colocation or even corporate datacenters, I have almost never had access to get to the equipment personally - and I'm normally the senior-most technical person overseeing those systems. It's not like you could grab any casual IT person and have them identify equipment for you.
Exactly. It'd be an Ocean's Eleven style heist just to get to the server and it'd have to be AN INSIDE JOB DUN DUN DUNNNNNN
-
@JaredBusch I think over the next 5 to 10 years as the cost of a 1Gbps connection comes down and the availability of 1Gbps increases, speed of access will be less of a concern.
-
@PenguinWrangler said in The High Cost of On Premises Infrastructure:
@JaredBusch I think over the next 5 to 10 years as the cost of a 1Gbps connection comes down and the availability of 1Gbps increases, speed of access will be less of a concern.
I'm not so sure. As speed and access go up so do file size and quantity. I think we're going to get to the point where we have to ask if it makes sense to have fat clients sitting on a desk, instead of zero/thin clients calling back to a desktop pool somewhere.
-
@coliver said in The High Cost of On Premises Infrastructure:
@PenguinWrangler said in The High Cost of On Premises Infrastructure:
@JaredBusch I think over the next 5 to 10 years as the cost of a 1Gbps connection comes down and the availability of 1Gbps increases, speed of access will be less of a concern.
I'm not so sure. As speed and access go up so do file size and quantity. I think we're going to get to the point where we have to ask if it makes sense to have fat clients sitting on a desk, instead of zero/thin clients calling back to a desktop pool somewhere.
I saw today that Google has a new algorithm that reduces JPEG file size by 35 percent. Would there be a practical implementation for something like that in the IT/data world that would effectively reduce file size? We're moving at a blistering pace in terms of shrinking the size of nearly everything.
-
@coliver said in The High Cost of On Premises Infrastructure:
@PenguinWrangler said in The High Cost of On Premises Infrastructure:
@JaredBusch I think over the next 5 to 10 years as the cost of a 1Gbps connection comes down and the availability of 1Gbps increases, speed of access will be less of a concern.
I'm not so sure. As speed and access go up so do file size and quantity. I think we're going to get to the point where we have to ask if it makes sense to have fat clients sitting on a desk, instead of zero/thin clients calling back to a desktop pool somewhere.
They do, but not at the same pace. For example, the size of a desktop document has gone up since 1997 by a bit, but maybe 2x at most. But the speed of a LAN connection in that time has gone up 1,000x from 1Mb/s to 1Gb/s. And we are on the verge of 10Gb/s to the desktop. And the WAN has gone from 128Kb/s to 100Mb/s in that time, a similar increase.
Sure file sizes have grown, but not proportionally to network speeds. Even things like movie sizes have not grown that much. In 1997 a DVD was 5GB. A BluRay today is 50GB. That's only 10x in two decades.
Not only does the network get faster faster, but compression helps to keep file sizes at bay.