Protecting encryption server
Robert J. Hansen
rjh at sixdemonbag.org
Tue Jul 28 22:38:25 CEST 2020
>> Oh, quite the contrary. It just forces the attacker to get clever.
>
> If your server only sends data through an "outgoing data diode", then it
> does not expose any entry point (you just disable all services: no SSH,
> no ping, no HTTP... nothing). There is no way you can establish a
> connection to the server. How can you hack a server if you have
> absolutely no way to access it from the outside? It seems just impossible.

The data diode is a one-way link, yes. But there are so many ways to
gain access to machines that putting too much faith in a data diode to
protect your systems is deeply foolish. A data diode can make *one
particular link* a one-way data link. That's genuinely useful in the
context of a complete security solution that looks holistically at the
threat.
But no, they don't make a system unhackable.
Lateral movement through networks is a thing. Look into it. :)