[Gllug] Securing a standalone server on a casino floor.
James Courtier-Dutton
james.dutton at gmail.com
Fri Apr 1 18:07:02 UTC 2011
On 1 April 2011 17:16, Walter Stanish <walter.stanish at saffrondigital.com> wrote:
> You could consider something like the following approach.
>
> 1. Minimise the number of people who have information about the
> deployment and its purpose
> 2. Deploy the actual machine in a secret location
> 3. Tell all non-senior staff falsely that the server at the on-floor
> location performs all previously intended functions
> 4. Deploy an on-floor dummy machine, highly firewalled and with USB
> open only, lots of RAM and no disk drive
> 5. Incorporate a network-based challenge/response components in to the
> USB-based authentication (secret location approves)
> 6. Upon successful authentication, a complete OS image is pushed to
> the dummy system from the secret location across the network
> 7. All logging occurs across the network (to the secret location)
> 8. Have failures in network-based keepalives between the secret
> location and on-floor dummy trigger a serious physical security alarm
> event
>
> This way, if the dummy is compromised, you are still largely protected
> against software analysis, tampering, etc.
>
> Secondly, you have some additional protection against insider attacks,
> since physical theft of the machine and/or side-channel attacks like
> power analysis will be rendered useless for software components that
> execute in the secret location instead of on the dummy itself.
>
I would recommend a similar approach.
Have a PC in the public area that just runs a remote desktop app. VNC,
RDP whatever.
Attach it to a network cable. Over 1Gig LAN, the display interactive
response for the gaming app should be fine.
Then have all the java app, usb stick etc. remotely, in a locked up
room that the public cannot access.
Having a PC in a public place that needs securing is very difficult
and probably very expensive due to the cost of the physical security
of the case etc.
James
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list