Theft precautions

Status
Not open for further replies.

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
Hey there,

just some thoughts about authentication and theft precaution in general.
For me, a NAS should not only be a place to protect my data from loss, but it should also be safe when being stolen. I really like FreeNAS but security seems to be a little underestimated so far. All my private data from all my computers is stored on a single machine, so the least I need to do is to encrypt the file system which is not possible at this time with ZFS (I know it's on the roadmap, so no problem). Next is to think about other ways to access the data in case of an attempted data theft. If I would know the guy I want to steal data from is using FreeNAS, the simplest way to get his data is to plug a screen and a keyboard to the machine and use the shell. There has to be a simple way to secure the console menu with username and password and not just disable it (what if the network card fails?). Even if the data on the machine is encrypted, all I would need to do is to keep the power online (I could use a backup power supply) and take all the time I need to get access to the data at a safe place. So a nice feature would be 802.1x authentication for example (wpa_supplicant is already part of FreeNAS, so I can do it on my own, but it's not trivial). Another possibility would be to detect if the network cable is plugged and auto-shutdown in that case (does anybody know a simple way to do this with 8.0?).

I somehow lost my point here... but it's just that my FreeNAS box is down in the basement, if it gets stolen one day, I probably won't even realize it's gone and I would feel really bad because accessing all my data would be extremely easy for the guy who took it...

Best regards,
John Doe.
 
Joined
May 27, 2011
Messages
566
not many thieves use zfs or bsd...

if you're looking for a free, out of the box hardened system, good luck.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
If you're really afraid of theft, go down to Home Depot and solve your problem. A cable, lock, and a hasp. Or some two-by-four and drywall to make a hidden spot for your NAS. Or both. :smile:

As for shutting down if the network interface is disconnected, you could do that out of cron every minute with a shell script.

FreeNAS 8 is still early in the lifecycle, and features are still being added.
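
The cron-driven check suggested in the reply above, written out as an added example that is not part of the original thread. It assumes FreeBSD's `ifconfig` prints a `status:` line for the interface; the script name, state file path, crontab line and the threshold of 3 are hypothetical choices.

```shell
#!/bin/sh
# linkwatch.sh (hypothetical name): power the box off once the NIC has had
# no carrier for several consecutive cron runs.
# Assumed crontab line:  * * * * * root /root/linkwatch.sh em0 3

# Constructed samples of FreeBSD `ifconfig em0` output, for offline testing.
SAMPLE_UP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'
SAMPLE_DOWN='em0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect
        status: no carrier'

# Read ifconfig output on stdin; print up, down, or unknown.
link_state() {
    awk '$1 == "status:" { s = ($2 == "active") ? "up" : "down" }
         END { if (s == "") s = "unknown"; print s }'
}

# next_count PREV STATE: consecutive "down" observations after this run.
# An unparseable state keeps the old count, so a failed ifconfig call
# never moves the box closer to a shutdown.
next_count() {
    case "$2" in
        up)   echo 0 ;;
        down) echo $(($1 + 1)) ;;
        *)    echo "$1" ;;
    esac
}

# should_shutdown COUNT THRESHOLD: succeeds once the link has been down
# for THRESHOLD runs in a row.
should_shutdown() {
    [ "$1" -ge "$2" ]
}

main() {
    iface=$1
    threshold=${2:-3}
    statefile="/var/run/linkwatch.$iface"      # hypothetical location
    prev=$(cat "$statefile" 2>/dev/null)
    case "$prev" in ''|*[!0-9]*) prev=0 ;; esac  # missing or corrupt file
    state=$(ifconfig "$iface" 2>/dev/null | link_state)
    count=$(next_count "$prev" "$state")
    echo "$count" > "$statefile"
    if should_shutdown "$count" "$threshold"; then
        logger -t linkwatch "$iface without carrier for $count checks, powering off"
        rm -f "$statefile"                      # do not re-trigger after boot
        shutdown -p now
    fi
}

# Only act when called with an interface name, e.g. from cron.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

A threshold above 1 keeps a switch reboot or a brief cable reseat from powering the NAS off. The check only addresses the case from the first post, a box carried away while still powered, and only pays off once the disks are encrypted.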
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
...the simplest way to get his data is to plug a screen and a keyboard to the machine and use the shell. There has to be a simple way to secure the console menu with username and password and not just disable it

lock <key> in CLI

but yeah, you're right, after reboot, it will not ask for the username/pwd/key :/
 
James

Guest
Please add a feature request to password protect the console at support.freenas.org. Keep in mind that a more secure feature would be to protect single-user mode with a password, though one could end up locking oneself out of the box and it's generally assumed that most thieves don't know about single user mode ;-)
 

pellegj

Dabbler
Joined
Sep 12, 2011
Messages
11
Please add a feature request to password protect the console at support.freenas.org. Keep in mind that a more secure feature would be to protect single-user mode with a password, though one could end up locking oneself out of the box and it's generally assumed that most thieves don't know about single user mode ;-)
I assume you mean the console menu, since the console otherwise can be password protected through the settings in GUI (but lose the menu).
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Password-protecting single-user mode may not be that hard... removing the "secure" keyword from /etc/ttys should do it, but I haven't tested that on NanoBSD. The stickler there is that the change needs to be made to the actual filesystem that the system is using for booting, and you don't get a chance to modify it prior to use, so that works a bit differently than the rest of FreeNAS.
 

Durkatlon

Patron
Joined
Aug 19, 2011
Messages
414
This is all a bit silly isn't it? If I have access to your box I will just take out the USB stick that runs your FreeNAS. It's probably even conveniently plugged into the front or the back of the case, so I won't even have to open the case.

Then I'll plug in my own USB stick, reboot the box, "zpool import" your volumes and start an rsync job across your Internet connection to a server of my choice. Or if pressed for time I'll open the case and take your hard drives. With any luck they're accessible from the front and are in hot-swap drive trays.
 

SoftDux-Rudi

Contributor
Joined
Jun 2, 2011
Messages
108
That's why I mentioned the Home Depot fixes.

That's just plain stupid. You can't lock down every single server in the world.

As requested, please add more security to FreeNAS:

Encryption - for when someone steals your drives
Console lock - to keep thieves from using the console for anything



Many people use NAS devices in datacenters and don't have too much control over the server's security since the DC provides their own security. In most cases the security is limited to the front door, and possibly the server room door. Once inside nothing (often) stops someone from taking a HDD out of a server, either in another cabinet or your own shared cabinet.

For this very reason it would be good to have data encryption included in FreeNAS
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
No, it's not stupid. You're forgetting that there are two aspects to the problem: first, that the thief has your data, and second, that you no longer do.

Encrypting the data acts to possibly protect your data from a knowledgeable thief who actually cares to get at your data, but if you're being targeted for server theft to acquire your data, there are usually easier ways to do that, most of which involve electronic intrusion. If the FBI or NSA wants at your data, and for some unfathomable reason they can't break your encryption, they'll simply attach some electrodes to some sensitive parts of the biological keystore mechanism and extract the information that way. So the amount of protection encryption affords you is somewhat marginal. Regardless, encrypting your drives does not protect them from loss, and if it's important data, it's probably most inconvenient if you lose it, right?

So let's look at the more likely scenario. Remembering that this guy's a home user - he specifically said that this was a machine in his basement, storing all his private information, which he didn't have stored on any of the computers. Wouldn't *loss* of the data be an important thing to guard against? In a residential application, the likelihood that a random thief is going to break into his house to steal his FILES is highly unlikely. More likely is some dopehead looking for iPods and other easily pawnable electronic items to sell for some quick cash. The real answer to securing against the LIKELY threat is to solve the problem at Home Depot. It protects against the owner losing the data, and protects against someone acquiring access to the data through physical acquisition.

Now, that's not to say encryption's worthless, but realistically, there are things to worry about first and then there are things to worry about second. Physical security is by far more important. The average thief is looking for the easy score. Defend against it. You can make your server difficult enough to get at that he's going to move on. The guy who really wants access to your DATA is going to get it. He'll come and put a gun to your head if it's that important. You can't really defend against it.

So what you really want to do is guard against the inadvertent loss of your data when someone steals your server. You do that through physical security for the server.

When someone wants to steal your data? Yeah, encryption helps, somewhat, but the situation where someone wants to go for your data is much less common.

As for data centers? I've been in places that have clients who have big padlocked steel beams over the rack doors as part of their layer-upon-layer of security. Data centers aren't secure. I used to walk around DC1 with a long screwdriver that could pop the RTE button on all the cage doors if you did it right. The head of security at DC2, desperate to fix a problem with the access system, at one time had me coded with "all-access" rights after making me promise not to abuse them. If you want security, get doors, then get some hasps and padlocks. It still won't prevent someone from taking your server, but it makes it less likely someone will be able to steal it.

First rule of physical security, it's all a deterrent. If you have a wood door, it can be kicked down. Steel door, crowbar. A safe, explosives. Fort Knox? I think there was a James Bond about that one. ;-) That applies to electronic security too, but basically it helps to bear in mind that one should take care of the easy and obvious before heading off for the obscure and unlikely.
 

SoftDux-Rudi

Contributor
Joined
Jun 2, 2011
Messages
108
No, it's not stupid. You're forgetting that there are two aspects to the problem: first, that the thief has your data, and second, that you no longer do.

Encrypting the data acts to possibly protect your data from a knowledgeable thief who actually cares to get at your data, but if you're being targeted for server theft to acquire your data, there are usually easier ways to do that, most of which involve electronic intrusion. If the FBI or NSA wants at your data, and for some unfathomable reason they can't break your encryption, they'll simply attach some electrodes to some sensitive parts of the biological keystore mechanism and extract the information that way. So the amount of protection encryption affords you is somewhat marginal. Regardless, encrypting your drives does not protect them from loss, and if it's important data, it's probably most inconvenient if you lose it, right?

So let's look at the more likely scenario. Remembering that this guy's a home user - he specifically said that this was a machine in his basement, storing all his private information, which he didn't have stored on any of the computers. Wouldn't *loss* of the data be an important thing to guard against? In a residential application, the likelihood that a random thief is going to break into his house to steal his FILES is highly unlikely. More likely is some dopehead looking for iPods and other easily pawnable electronic items to sell for some quick cash. The real answer to securing against the LIKELY threat is to solve the problem at Home Depot. It protects against the owner losing the data, and protects against someone acquiring access to the data through physical acquisition.

Now, that's not to say encryption's worthless, but realistically, there are things to worry about first and then there are things to worry about second. Physical security is by far more important. The average thief is looking for the easy score. Defend against it. You can make your server difficult enough to get at that he's going to move on. The guy who really wants access to your DATA is going to get it. He'll come and put a gun to your head if it's that important. You can't really defend against it.

So what you really want to do is guard against the inadvertent loss of your data when someone steals your server. You do that through physical security for the server.

When someone wants to steal your data? Yeah, encryption helps, somewhat, but the situation where someone wants to go for your data is much less common.

As for data centers? I've been in places that have clients who have big padlocked steel beams over the rack doors as part of their layer-upon-layer of security. Data centers aren't secure. I used to walk around DC1 with a long screwdriver that could pop the RTE button on all the cage doors if you did it right. The head of security at DC2, desperate to fix a problem with the access system, at one time had me coded with "all-access" rights after making me promise not to abuse them. If you want security, get doors, then get some hasps and padlocks. It still won't prevent someone from taking your server, but it makes it less likely someone will be able to steal it.

First rule of physical security, it's all a deterrent. If you have a wood door, it can be kicked down. Steel door, crowbar. A safe, explosives. Fort Knox? I think there was a James Bond about that one. ;-) That applies to electronic security too, but basically it helps to bear in mind that one should take care of the easy and obvious before heading off for the obscure and unlikely.


Yes, you're absolutely correct, sorry for my ignorance. Security on a server isn't necessary at all since all the FBI themselves will be the thieves who steal your stuff.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
If you're worried about the FBI, the encryption isn't likely to save you. http://xkcd.com/538/

If you're doing something illegal and you don't want the FBI to get access to your data, then you probably aren't going to want to be storing the fileserver in your basement, but instead maybe want to find some server rentals in non-US-friendly nations and then figure out how to securely bootstrap encryption and file transfers onto it. Which might even be an interesting discussion of hypotheticals.

This is a guy with his valuable personal data in his house. He was concerned about a thief taking his server and then having access to his data. My point is that it's probably the *loss* of the data, from the user's perspective, that's the real problem, and that the server's going to end up at some pawn shop somewhere, so the possibility of the thief having access to the data, okay, fine, that's possibly a problem, but reality is 90%+ that the data's going to get wiped by the guy who buys it for a hundred bucks as his new home PC. The "accessing my data" problem can be solved (for non-xkcd-values of "solved") with encryption, no doubt, but you get lots more general security value from the Home Depot solutions.

The full disk encryption is probably coming, they were originally talking about it for 8.1R, but my sense is that it's further out. Regardless, the amount of protection it offers against an attacker is questionable. An attacker who is actively seeking data off a NAS device is more likely to attack the network; for example, from outside the house, trying to break any wireless network is the ideal starting point. Identify client devices attached, maybe see if you can crash them and acquire their IP address and credentials. Encryption useless, because the NAS allows access and serves the files. No wireless? Send the user a virus. Similar result. Break into the house? That's so 1990's. But if an attacker does break in, is your network hardened against someone tapping it to attach a laptop? Or just using your already-logged-in computer? There's lots of vulnerabilities in your average network. All you have to do is get the fileserver to serve files. In fact, a reasonably sophisticated attacker is going to know that rebooting a machine may destroy the easier paths in. A sophisticated attacker who wants access to your files isn't going to reboot your machine before accessing your data, and therefore the value of encryption against a sophisticated attacker is less than many people think.

Now, encryption will protect against inadvertent disclosure of your data. Example: Some unsophisticated crackhead comes and steals your box to score a hundred bucks at the pawn shop. Joe Sixpack buys your box and knows enough "Linux" to boot it and find your files. He gets your personal files. Okay, that's bad. Encryption would fix that. But so would a hasp and padlock.

So the real question is, what is the original poster ACTUALLY trying to guard against?
 

Mysidia

Cadet
Joined
Nov 2, 2011
Messages
1
I would like to see FreeNAS match the level of security of most other appliances and general purpose OSes out there.
I don't expect FreeNAS to be impervious to a technically adept thief, but it should provide security against casual intrusion.

You might not care too much about this, but the lack of password prompting and authentication controls on the console, means PCI compliance cannot be achieved with any primary account data being stored on FreeNAS.

An example of a casual intrusion, is an insider not authorized to administer the NAS but who has KVM access makes an unauthorized change to the NAS configuration to attempt to steal data off it.

The insider cannot steal the hardware or hard drives, because the other staff would notice; BIOS settings and a chassis lock prevent opening the case or booting the unit to an alternate OS.

An OS with reasonable security controls should allow us to require a username and password
before gaining console access or making casual configuration changes.

Operating systems such as BSD provide this.
I think it is unreasonable that FreeNAS is less secure than general purpose operating systems.
 

samfarkus

Dabbler
Joined
Oct 30, 2011
Messages
13
encryption

imho it's the way to go, stolen drive = data is useless.

OK common thief scenario. He doesn't even care about the data.

OK business partner/wife type scenario. Will try to decrypt, and fail.

OK FBI scenario. #1 many of the open source encryption techniques ARE uncrackable. They will use fairly sophisticated techniques, but fail vs any serious encryption. Mostly dictionary attacks and what not.

OK CIA scenario. Yes, they have the tech to decrypt it most likely, but they will only use it if you are a terrorist. Why? If you're some run-of-the-mill crook, their decryption techniques would end up in a legal document somewhere, cuz that's how our legal system works. With military/terrorism, they can keep their secret. This has even protected some low-on-the-totem pole espionage cases from being prosecuted. Cuz they didn't want to let the other side know they could crack the encryption


That being said, encryption option on FreeBSD seems to be GELI. I have had nothing but trouble with GELI and FreeNAS working together, filesystems disappearing, corrupted, etc. It's unfortunate.

The other thing I would like to mention is that in the ever-expanding police state, seizing your drives/laptops is becoming a routine thing. An angry ex dimes you out to the fed - gambling, financial fraud, tax evasion, counterfeiting, copyright infringement, seized, seized, seized. It's routine now. Maybe you are a crook, maybe you woulda done 2 years for your bootleg operation, or your little 'grow garden', well guess what after they find all the crap on your computer, they tack on another few years, hell maybe 10. That's called leverage.

Even if it's not that bad now, every year it gets worse and worse. Be prepared.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
imho it's the way to go, stolen drive = data is useless.

OK common thief scenario. He doesn't even care about the data.

So you'd be better off discouraging him from stealing your disk, because once you lose your data, you're out both the disk and the data.

Winning solution: Home Depot (keep your disk AND your data). Losing solution: encryption (lose your disk AND your data).

OK business partner/wife type scenario. Will try to decrypt, and fail.

Possibly. Or will just wait for access to your computer at some moment when you're not looking, and copy the files at that moment in time. A NAS doesn't really protect that well against that sort of thing. And if it's a legal matter, one word, "discovery."

OK FBI scenario. #1 many of the open source encryption techniques ARE uncrackable. They will use fairly sophisticated techniques, but fail vs any serious encryption. Mostly dictionary attacks and what not.

OK CIA scenario. Yes, they have the tech to decrypt it most likely, but they will only use it if you are a terrorist. Why? If you're some run-of-the-mill crook, their decryption techniques would end up in a legal document somewhere, cuz that's how our legal system works. With military/terrorism, they can keep their secret. This has even protected some low-on-the-totem pole espionage cases from being prosecuted. Cuz they didn't want to let the other side know they could crack the encryption

No winner here. There's very little evidence that you won't be compelled to produce your password; while we would all like to THINK that such production is protected under the Fifth Amendment, this hasn't actually been the case to date. It's safe to assume that your encrypted data will wind up in the hands of the FBI or CIA if either of them is motivated to get ahold of it. Neither encryption nor Home Depot are likely to save you.

This is really the problem. Three of the four scenarios you've listed aren't particularly compelling because there's a large legal question that you don't have the bankroll to resolve in your favor. The other scenario (theft) is a big loss for encryption. Yes, the thief winds up with no usable data, but then again, you wind up with no usable data either. Most professionals would consider that a fail.

Encryption could actually be a winner in some scenarios. These aren't them.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You might not care too much about this, but the lack of password prompting and authentication controls on the console, means PCI compliance cannot be achieved with any primary account data being stored on FreeNAS.

Um, obvious question, but if you want password prompting and authentication on the console, why don't you just TURN IT THE HECK ON?

Just because something isn't enabled by default is a poor reason to whine about it. PCI compliance usually involves a little work. Go in, turn off "secure" on /dev/console, and change the gettytab entry from "freenas" to "Pc" for ttyv0. Make sure to save it in /conf, not just /etc/ttys. Bam. Done. How hard was that.
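
A check for the two `/etc/ttys` settings discussed in this thread (the `secure` keyword on the console line and the `freenas` gettytab entry on ttyv0), as an added example that is not part of the original posts. The sample ttys contents are constructed and the finding labels are this example's own.

```shell
#!/bin/sh
# ttys_audit.sh (hypothetical name): flag console settings that allow
# access without a password. Pass every copy of the ttys file that matters,
# i.e. the live /etc/ttys and the copy kept under /conf.

# Constructed sample: settings as described in the thread before the change.
SAMPLE_DEFAULT='# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty freenas"    xterm   on  secure
ttyv1   "/usr/libexec/getty Pc"         xterm   off secure'

# Constructed sample: console no longer "secure", ttyv0 on the "Pc" entry.
SAMPLE_HARDENED='console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure'

# Read a ttys file on stdin and print one finding per line:
#   console:secure  single-user mode hands out a root shell with no password
#   ttyv0:freenas   ttyv0 starts the console menu instead of a login prompt
audit_ttys() {
    awk '
        { sub(/#.*/, "") }                # drop comments
        NF == 0 { next }
        {
            name = $1; entry = ""; secure = 0
            # The getty command is the quoted field; its last word is the
            # gettytab entry.
            if (match($0, /"[^"]*"/)) {
                n = split(substr($0, RSTART + 1, RLENGTH - 2), g, " ")
                entry = g[n]
            }
            # Look for the flag as a whole word outside the quoted command,
            # so that "insecure" is not mistaken for "secure".
            rest = $0
            sub(/"[^"]*"/, "", rest)
            m = split(rest, f)
            for (i = 2; i <= m; i++)
                if (f[i] == "secure") secure = 1
            if (name == "console" && secure) print "console:secure"
            if (name == "ttyv0" && entry == "freenas") print "ttyv0:freenas"
        }
    '
}

# Audit each file named on the command line, prefixing findings with its path.
if [ $# -ge 1 ]; then
    for file in "$@"; do
        audit_ttys < "$file" | sed "s|^|$file: |"
    done
fi
```

Running it against both the live file and the saved copy shows whether a change made in `/etc/ttys` would be lost at the next boot.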
 

samfarkus

Dabbler
Joined
Oct 30, 2011
Messages
13
So you'd be better off discouraging him from stealing your disk, because once you lose your data, you're out both the disk and the data.

Winning solution: Home Depot (keep your disk AND your data). Losing solution: encryption (lose your disk AND your data).



Possibly. Or will just wait for access to your computer at some moment when you're not looking, and copy the files at that moment in time. A NAS doesn't really protect that well against that sort of thing. And if it's a legal matter, one word, "discovery."



No winner here. There's very little evidence that you won't be compelled to produce your password; while we would all like to THINK that such production is protected under the Fifth Amendment, this hasn't actually been the case to date. It's safe to assume that your encrypted data will wind up in the hands of the FBI or CIA if either of them is motivated to get ahold of it. Neither encryption nor Home Depot are likely to save you.

This is really the problem. Three of the four scenarios you've listed aren't particularly compelling because there's a large legal question that you don't have the bankroll to resolve in your favor. The other scenario (theft) is a big loss for encryption. Yes, the thief winds up with no usable data, but then again, you wind up with no usable data either. Most professionals would consider that a fail.

Encryption could actually be a winner in some scenarios. These aren't them.

Well I agree, and if you're gonna pursue a life of serious crime, yer gonna get got by a heavy hitter agency like the FBI or CIA. And if you aren't it's not because of your mad encryption skills :) But that being said, the hard drive is a common target nowadays in ALL legal matters, even minor or civil matters. Even if you're just a witness, old emails on your hard drives showing an off-color joke could be used against you Mark Fuhrman style. A lot of cases get settled out of court by good lawyers who dig up good dirt, and it has nothing to do with real justice. Not just the crooks you see on TV in some fantasy cop show, but day-to-day people going through divorces, having disputes with landlords, getting into stupid bar fights, etc. etc. etc.

Better safe than sorry.
 