1 |
Peter Humphrey <prh@××××××××××.uk> posted |
2 |
200709141303.46235.prh@××××××××××.uk, excerpted below, on Fri, 14 Sep |
3 |
2007 13:03:46 +0100: |
4 |
|
5 |
>> That said, backing up your personal data to it seems like a not very |
6 |
>> good idea. Were you planning on encrypting it or something? |
7 |
|
8 |
This is what disturbed me about the idea as well. Ideally, you keep |
9 |
everything personal off the firewall, and at a slightly less priority, |
10 |
don't depend on it for anything you might run that could be rooted (thus |
11 |
killing the idea of system backups). |
12 |
|
13 |
> I see what you mean, but really the main use of the backup would be to |
14 |
> recover a working system to a damaged box (I can be just as clumsy in |
15 |
> admin as anyone else), rather than spending a week or more rebuilding it |
16 |
> from source. User data could perhaps be backed up elsewhere - I have a |
17 |
> handy little USB disk that would do nicely. |
18 |
|
19 |
Well, keeping user data elsewhere is a good first step, but consider what |
20 |
happens if you have to use that system backup and it has been rooted. |
21 |
Are you willing to risk the integrity of that data any more than your |
22 |
personal data? What will have been the value of storing the personal |
23 |
value elsewhere if you now restore it to a system rebuilt from possibly |
24 |
rooted data? |
25 |
|
26 |
>> Is there a wireless router thrown in there somewhere? |
27 |
> |
28 |
> The one wireless link is between the laptop and an access point; the WAP |
29 |
> is connected to an Ethernet switch which lives between the workstation |
30 |
> and the gateway. Why do you ask? |
31 |
|
32 |
Strictly speaking, anything transmitted over the air should be considered |
33 |
the same as transmitting it over the Internet in general -- IOW, keep the |
34 |
AP outside the firewall, or in a DMZ behind an initial firewall/router |
35 |
and an inside one protecting the wired network upon which you put |
36 |
anything you'd not want exposed to the Internet in general. *OR* encrypt |
37 |
anything transmitted over the wireless to the same level you'd feel |
38 |
comfortable with were it transmitted over the Internet. If you are sure |
39 |
you trust the WEP or whatever of the wireless to the same level you'd |
40 |
trust your encrypted banking session, well, you can send your banking |
41 |
info over it, otherwise... Because once it's on air the wise thing is to |
42 |
simply assume that someone's listening in, just as is the case with the |
43 |
Internet. If it's encrypted to your satisfaction, great, if not, assume |
44 |
it's now publicly exposed info, because it's possible it is. |
45 |
|
46 |
... |
47 |
|
48 |
For system rebuild scenarios, I use FEATURES=buildpkg here, and then |
49 |
periodically backup my packages dir (which is also on my main system's |
50 |
RAID-6, for a bit of redundancy at that level, tho that won't of course |
51 |
protect from fat-fingering or the kernel-rc I decide to try that has a |
52 |
bugged md/raid that scribbles gibberish all over my previously working |
53 |
RAID). That gives me binary packages of everything should I need to |
54 |
rebuild, so it shouldn't take a week, tho it'll take a few hours. Of |
55 |
course, a backup of /etc and other INSTALL_PROTECT dirs should be made as |
56 |
well, so you don't have to reconfigure everything. Private data backups |
57 |
are a bit different. |
58 |
|
59 |
For the reasons explained above, I'd not be comfortable putting backup |
60 |
data on a firewall machine -- at least not unless I had it checksummed or |
61 |
signed to detect tampering (which handily detects in-transit and in- |
62 |
storage corruption as well =8^), with those checksums stored elsewhere, |
63 |
say on a USB key or the like. |
64 |
|
65 |
What I'd suggest these days would be backing up the config and anything |
66 |
private from the laptop onto the desktop, then using an eSATA (external |
67 |
SATA, the connection's about the same but the connectors speced to be a |
68 |
bit more robust, but you could use standard SATA if you were careful) |
69 |
drive attached to it to backup its private data and config, plus the |
70 |
shared package data (you don't need to backup the laptop's data from it |
71 |
however, as one would hope you don't lose both the laptop and the desktop |
72 |
at once). Keep the external drive unplugged except for the once weekly |
73 |
or whatever that you do the backup. If you are really paranoid, do the |
74 |
two separate sets thing, alternating full backups so you have the |
75 |
previous week's backup if you lose both the machine and the external disk |
76 |
during a backup session. |
77 |
|
78 |
The beautiful thing about hard drive media backups is that you can pretty |
79 |
much simply copy all your data over just as it is, not worrying about |
80 |
fancy backup formats or whatever. To restore, you just copy it back, and |
81 |
if you have it setup right and you chose your hardware and kernel etc |
82 |
config with this in mind as well, you can even boot the backup itself and |
83 |
have a fully working system to work in while doing the restore. |
84 |
|
85 |
I recommend SATA/eSATA because the bus speeds are higher than USB 2.0 and |
86 |
Firewire 400 (Firewire 800 is getting there, of course the drive itself |
87 |
may not be any faster than USB 2.0 anyway, but it doesn't hurt), and they |
88 |
don't incur the protocol transfer overhead that the USB/FW stuff does -- |
89 |
depending on the hardware you choose for implementation, you may be able |
90 |
to use the same kernel hardware drivers you use for your standard |
91 |
internal storage, yet they have all the convenience of pluggable external |
92 |
drives! =8^) |
93 |
|
94 |
Here, I'm actually looking at the possibility of plugging in external |
95 |
eSATA based 5:1 port-multiplier-ed boxes for my next RAID upgrade, tho |
96 |
it's wish-list more than anything else at this point. The other |
97 |
alternative is to remain internal, but switch to 2.5" drives using |
98 |
available 4/5.25" drive bay multiplexers. I've four such bays available |
99 |
for hard drive use in my full-tower, which would allow for 16 such drives |
100 |
(I'd obviously use port multipliers there as well). If I reserve two as |
101 |
hot-swap and use RAID-6 with its two parity-stripes, that'll give me a |
102 |
12-way data striped RAID array, which should be reasonably fast even at |
103 |
the slower speeds of 2.5" drives. Still wish-list, tho, and I expect |
104 |
it'll be another couple years before it moves off wish-list status. |
105 |
|
106 |
-- |
107 |
Duncan - List replies preferred. No HTML msgs. |
108 |
"Every nonfree program has a lord, a master -- |
109 |
and if you use the program, he is your master." Richard Stallman |
110 |
|
111 |
-- |
112 |
gentoo-amd64@g.o mailing list |