[Lincoln LUG] Advice needed on backing up laptops

J Fernyhough j.fernyhough at gmail.com
Fri Jun 30 14:58:43 UTC 2017


Ah, a meaty reply. :)

On 30 June 2017 at 14:18, Terry Froy via Lincoln LUG via Lincoln
<lincoln at mailman.lug.org.uk> wrote:
> Nextcloud is PHP running on a webserver (in this case, nginx) which
> stores data in MariaDB (replicated via Galera cluster) and a
> CephFS-based filesystem... it definitely scales!

The application scales - I'm more concerned about the file storage.

> Nextcloud provides for another copy of the data, on a
> different machine

How do you deal with conflicts and canonical versions in this case?

> Nextcloud is about data access and permits mobile clients to
> transparently upload/download/sync their data back to base - wherever
> they are - and using protocols which are unlikely to be blocked in a
> third-world coffee shop.

Why are you using a company laptop on an insecure wifi network? :P

> You might as well make the argument that online banking and web-based
> e-mail are a bad idea too!

Not really. A bank providing online banking knows it has to be secure.
Web-based email isn't all that much different to POP/IMAP (and can
easily be made more secure via e.g. 2FA).

> Any security-conscious company should be operating their own X.509 CA
> with root CA keys held in a hardware security module and insisting that
> all forms of remote access use it; the only inbound connections
> permitted into our corporate network are HTTPS, IMAPS, SMTPS and SSH -
> and SSH forces use of key-based authentication - with the other
> protocols using our own X.509 CA for trust/encryption and clients
> optionally using X.509 certs for authentication.

Yes!

> Your 'you have only one thing to monitor and keep secure' is a dangerous
> approach to take; this line of thinking has been responsible for the
> meltdown of NHSnet during the recent WannaCry ransomware outbreak as a
> hard outer shell does little to protect the egg once it has been
> compromised.

I didn't mean you ignore everything else - I meant more that you're
not spreading your watch/efforts over multiple disparate
externally-facing services (similar to having an SSH bastion host vs
all devices externally accessible). Network segmentation, e.g., is
still important.

> A 'single ingress' is also a bad idea if you are running a multi-homed
> Internet Service Provider network like we are ;-)
>
> We run multiple X.509 IPsec/L2TP endpoints at each of our PoPs and for
> some access (access to customer PII data), we insist on connectivity via
> one of those endpoints, but for other less-critical access, we are happy
> for that to come in via the Internet from a trusted X.509 client
> certificate or trusted SSH key.

I don't run an ISP but I'm glad you know what you're doing. :D

J


