Protecting encryption server

Robert J. Hansen rjh at sixdemonbag.org
Tue Jul 28 22:38:25 CEST 2020


>> Oh, quite the contrary.  It just forces the attacker to get clever.
> 
> If your server only sends data through an "outgoing data diode", then it
> does not expose any entry point (you just disable all services: no SSH,
> no ping, no HTTP... nothing). There is no way you can establish a
> connection to the server. How can you hack a server if you have
> absolutely no way to access it from the outside? It seems just impossible.

The data diode is a one-way link, yes.  But there are so many ways to
gain access to machines that putting too much faith in a data diode to
protect your systems is deeply foolish.  A data diode can make *one
particular link* a one-way data link.  That's genuinely useful in the
context of a complete security solution that looks holistically at the
threat.

But no, they don't make a system unhackable.

Lateral movement through networks is a thing.  Look into it.  :)