| 1 |
Peter Humphrey <prh@××××××××××.uk> posted |
| 2 |
200709141303.46235.prh@××××××××××.uk, excerpted below, on Fri, 14 Sep |
| 3 |
2007 13:03:46 +0100: |
| 4 |
|
| 5 |
>> That said, backing up your personal data to it seems like a not very |
| 6 |
>> good idea. Were you planning on encrypting it or something? |
| 7 |
|
| 8 |
This is what disturbed me about the idea as well. Ideally, you keep |
| 9 |
everything personal off the firewall, and at a slightly less priority, |
| 10 |
don't depend on it for anything you might run that could be rooted (thus |
| 11 |
killing the idea of system backups). |
| 12 |
|
| 13 |
> I see what you mean, but really the main use of the backup would be to |
| 14 |
> recover a working system to a damaged box (I can be just as clumsy in |
| 15 |
> admin as anyone else), rather than spending a week or more rebuilding it |
| 16 |
> from source. User data could perhaps be backed up elsewhere - I have a |
| 17 |
> handy little USB disk that would do nicely. |
| 18 |
|
| 19 |
Well, keeping user data elsewhere is a good first step, but consider what |
| 20 |
happens if you have to use that system backup and it has been rooted. |
| 21 |
Are you willing to risk the integrity of that data any more than your |
| 22 |
personal data? What will have been the value of storing the personal |
| 23 |
value elsewhere if you now restore it to a system rebuilt from possibly |
| 24 |
rooted data? |
| 25 |
|
| 26 |
>> Is there a wireless router thrown in there somewhere? |
| 27 |
> |
| 28 |
> The one wireless link is between the laptop and an access point; the WAP |
| 29 |
> is connected to an Ethernet switch which lives between the workstation |
| 30 |
> and the gateway. Why do you ask? |
| 31 |
|
| 32 |
Strictly speaking, anything transmitted over the air should be considered |
| 33 |
the same as transmitting it over the Internet in general -- IOW, keep the |
| 34 |
AP outside the firewall, or in a DMZ behind an initial firewall/router |
| 35 |
and an inside one protecting the wired network upon which you put |
| 36 |
anything you'd not want exposed to the Internet in general. *OR* encrypt |
| 37 |
anything transmitted over the wireless to the same level you'd feel |
| 38 |
comfortable with were it transmitted over the Internet. If you are sure |
| 39 |
you trust the WEP or whatever of the wireless to the same level you'd |
| 40 |
trust your encrypted banking session, well, you can send your banking |
| 41 |
info over it, otherwise... Because once it's on air the wise thing is to |
| 42 |
simply assume that someone's listening in, just as is the case with the |
| 43 |
Internet. If it's encrypted to your satisfaction, great, if not, assume |
| 44 |
it's now publicly exposed info, because it's possible it is. |
| 45 |
|
| 46 |
... |
| 47 |
|
| 48 |
For system rebuild scenarios, I use FEATURES=buildpkg here, and then |
| 49 |
periodically backup my packages dir (which is also on my main system's |
| 50 |
RAID-6, for a bit of redundancy at that level, tho that won't of course |
| 51 |
protect from fat-fingering or the kernel-rc I decide to try that has a |
| 52 |
bugged md/raid that scribbles gibberish all over my previously working |
| 53 |
RAID). That gives me binary packages of everything should I need to |
| 54 |
rebuild, so it shouldn't take a week, tho it'll take a few hours. Of |
| 55 |
course, a backup of /etc and other INSTALL_PROTECT dirs should be made as |
| 56 |
well, so you don't have to reconfigure everything. Private data backups |
| 57 |
are a bit different. |
| 58 |
|
| 59 |
For the reasons explained above, I'd not be comfortable putting backup |
| 60 |
data on a firewall machine -- at least not unless I had it checksummed or |
| 61 |
signed to detect tampering (which handily detects in-transit and in- |
| 62 |
storage corruption as well =8^), with those checksums stored elsewhere, |
| 63 |
say on a USB key or the like. |
| 64 |
|
| 65 |
What I'd suggest these days would be backing up the config and anything |
| 66 |
private from the laptop onto the desktop, then using an eSATA (external |
| 67 |
SATA, the connection's about the same but the connectors speced to be a |
| 68 |
bit more robust, but you could use standard SATA if you were careful) |
| 69 |
drive attached to it to backup its private data and config, plus the |
| 70 |
shared package data (you don't need to backup the laptop's data from it |
| 71 |
however, as one would hope you don't lose both the laptop and the desktop |
| 72 |
at once). Keep the external drive unplugged except for the once weekly |
| 73 |
or whatever that you do the backup. If you are really paranoid, do the |
| 74 |
two separate sets thing, alternating full backups so you have the |
| 75 |
previous week's backup if you lose both the machine and the external disk |
| 76 |
during a backup session. |
| 77 |
|
| 78 |
The beautiful thing about hard drive media backups is that you can pretty |
| 79 |
much simply copy all your data over just as it is, not worrying about |
| 80 |
fancy backup formats or whatever. To restore, you just copy it back, and |
| 81 |
if you have it setup right and you chose your hardware and kernel etc |
| 82 |
config with this in mind as well, you can even boot the backup itself and |
| 83 |
have a fully working system to work in while doing the restore. |
| 84 |
|
| 85 |
I recommend SATA/eSATA because the bus speeds are higher than USB 2.0 and |
| 86 |
Firewire 400 (Firewire 800 is getting there, of course the drive itself |
| 87 |
may not be any faster than USB 2.0 anyway, but it doesn't hurt), and they |
| 88 |
don't incur the protocol transfer overhead that the USB/FW stuff does -- |
| 89 |
depending on the hardware you choose for implementation, you may be able |
| 90 |
to use the same kernel hardware drivers you use for your standard |
| 91 |
internal storage, yet they have all the convenience of pluggable external |
| 92 |
drives! =8^) |
| 93 |
|
| 94 |
Here, I'm actually looking at the possibility of plugging in external |
| 95 |
eSATA based 5:1 port-multiplier-ed boxes for my next RAID upgrade, tho |
| 96 |
it's wish-list more than anything else at this point. The other |
| 97 |
alternative is to remain internal, but switch to 2.5" drives using |
| 98 |
available 4/5.25" drive bay multiplexers. I've four such bays available |
| 99 |
for hard drive use in my full-tower, which would allow for 16 such drives |
| 100 |
(I'd obviously use port multipliers there as well). If I reserve two as |
| 101 |
hot-swap and use RAID-6 with its two parity-stripes, that'll give me a |
| 102 |
12-way data striped RAID array, which should be reasonably fast even at |
| 103 |
the slower speeds of 2.5" drives. Still wish-list, tho, and I expect |
| 104 |
it'll be another couple years before it moves off wish-list status. |
| 105 |
|
| 106 |
-- |
| 107 |
Duncan - List replies preferred. No HTML msgs. |
| 108 |
"Every nonfree program has a lord, a master -- |
| 109 |
and if you use the program, he is your master." Richard Stallman |
| 110 |
|
| 111 |
-- |
| 112 |
gentoo-amd64@g.o mailing list |
Archives