On Wed, 2005-09-07 at 11:24 +0200, Axel Thimm wrote:
> There is no way to "prove" what you want. Just go for second best to
> the ideal theorem. You probably don't want GFS, but a hardened NFS
> connection to the storage allocated within the secure network only.

I'd do shared raw. If we know the computer on the secure network *never* writes to the disk and it has no possible way to establish a network connection to the outside world (via any means) then we only have to worry about the attacker somehow corrupting data to crash the application on the secure server.

Make sure your reader application has a reliable way to verify the integrity of the data (possibly using some form of encryption like gpg) and you're golden.

So, the would-be attacker would have to do the following to get data off the secure network:

(a) Break in to world-facing server
(b) Create data which will cause a malfunction in the secret application on the secure server (without having access to said application; this is based on an outside job, not an inside job),
(c) encrypt or sign the data so that the secure server trusts it, and
(d) write the data out to the right offset on the raw device...

In the "overflow code", the attacker would have to know where the data is stored, retrieve it, and write it out to the shared SCSI disk.

Note that the above becomes much more difficult if you change the SCSI block device driver on the secure server to completely disable writes. ;) It also becomes more difficult if the secret application is audited for security flaws before being put into production.

Just random ideas... *shrug*

-- Lon
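The reader-side integrity check suggested in the message above, as an added example that is not part of the original post: a record read from a fixed offset is bounds-checked and authenticated before any of its payload reaches the application. HMAC-SHA256 stands in for the gpg signature the post mentions, and the record layout, names, key and in-memory "disk" are all constructed assumptions.

```python
import hashlib
import hmac
import io
import struct

MAGIC = b"SRAW"                    # constructed record marker
HEADER = struct.Struct(">4sQI")    # magic, sequence number, payload length
MAC_LEN = hashlib.sha256().digest_size
MAX_PAYLOAD = 64 * 1024            # hard cap, enforced before reading the payload

class RejectedRecord(Exception):
    """Record failed a structural or integrity check; nothing was parsed."""

def pack_record(key, seq, payload):
    """Writer side: header + payload + HMAC over both."""
    header = HEADER.pack(MAGIC, seq, len(payload))
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac

def read_record(dev, offset, key, last_seq):
    """Reader side: return (seq, payload) only after every check passes."""
    dev.seek(offset)
    header = dev.read(HEADER.size)
    if len(header) != HEADER.size:
        raise RejectedRecord("short header")
    magic, seq, length = HEADER.unpack(header)
    if magic != MAGIC or length > MAX_PAYLOAD:
        raise RejectedRecord("bad magic or oversized length")
    body = dev.read(length + MAC_LEN)
    if len(body) != length + MAC_LEN:
        raise RejectedRecord("truncated record")
    payload, mac = body[:length], body[length:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        raise RejectedRecord("MAC mismatch")
    if seq <= last_seq:                          # old but validly signed data
        raise RejectedRecord("stale or replayed record")
    return seq, payload

def demo():
    key = b"constructed-demo-key"                # constructed sample key
    disk = bytearray(4096)                       # constructed stand-in for the raw device
    rec = pack_record(key, 7, b"price=42")
    disk[512:512 + len(rec)] = rec
    ok = read_record(io.BytesIO(bytes(disk)), 512, key, last_seq=6)
    disk[512 + HEADER.size] ^= 0x01              # one flipped payload bit
    try:
        read_record(io.BytesIO(bytes(disk)), 512, key, last_seq=6)
    except RejectedRecord as exc:
        return ok, str(exc)
```

With a shared-secret MAC the writing host holds the same key as the reader, so the check only raises the bar if records are authenticated before they reach the world-facing server; a public-key signature made upstream, as gpg would provide, keeps the signing key off both machines.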