Questions About Securedrop System

[yozel]

I have two small but important questions for you about the Security issue. If you can answer them briefly, i will be very glad.

1- is it a must that the App Server and the Monitor Server to be in the exact same local network? will there be a security leak if these two Servers are in different local networks?

2- If the Monitor Server sends the emails to journalis/reporter; it should carry the both ip addresses on and of Monitor Server and the configuration files. consequently, doesn't it make available to easily find the location and the owners of the App server? can it be a relative and reliable solution for making the owners and location of the servers hidden from the State or other kind of agents if we close the email sending function (but i know that it is not possible to shut it down on these version right now) ?

Thank you

[dolanjs]

1- The app and monitor server should be local with a network firewall also performing egress/ingress filtering to provide another level of defense in depth for network segmentation.

2- currently the environment is designed for journalist organizations where we are not trying to hide the fact that the organization is operating an instance of securedrop. We further recommend that they host the environment in their newsroom in the US or their lawyers office to protect against 3rd party gag orders and to take advantage of the legal protections for journalists in the US. So the physical location and the operators are not really hidden/protected information.

For production instances the smtp alerts don't have to be sent across the 'public' internet. An organization can configure an encrypted outbound tunnel from the monitor server to the organization internal smtp relay without traversing the public internet. It would be better if we gpg encrypted the contents of the email with the admin/journalist's personnel gpg key. So that the contents of the alerts were not stored in clear text on the organization smtp server.

[pemulis]

Can you go into more detail about why the app and monitor servers should be on the same local network? I thought one of the goals for the monitor server would be to send alerts when the app server isn't responding, which would suggest hosting the monitor server at a different physical location, but I might be misunderstanding the purpose of it.

[garrettr]

@pemulis In some ways it would make sense to host the monitor server elsewhere, but I think the security risks there outweigh any benefits. Where would it be hosted, and what are those physical security properties? A compromised monitor could enable subsequent undetected attacks on the application server.

The main goal (@dolanjs feel free to jump in here) of the monitor server, security-wise, is to verify the integrity of important binaries/files to make sure they aren't modified in an unauthorized manner.

[dolanjs]

The monitor server also performs log correlation and alerting.

On Sat, Dec 14, 2013 at 9:15 PM, Garrett Robinson notifications@github.comwrote:

@pemulis https://github.com/pemulis In some ways it would make sense to host the monitor server elsewhere, but I think the security risks there outweigh any benefits. Where would it be hosted, and what are those physical security properties? A compromised monitor could enable subsequent undetected attacks on the application server.

The main goal (@dolanjs https://github.com/dolanjs feel free to jump in here) of the monitor server, security-wise, is to verify the integrity of important binaries/files to make sure they aren't modified in an unauthorized manner.

— Reply to this email directly or view it on GitHubhttps://github.com/freedomofpress/securedrop/issues/218#issuecomment-30598467 .

[pemulis]

Thanks for the quick feedback. We were looking at hosting the monitor server within the newspaper's offices, and the application server at a secure off-site location. (Locks, cameras, and very few people with physical access.) Our reasoning was threefold:

• The monitor server would continue to function in the event that the application server was brought down by an accident or some sort of attack, and would give some indication of what is going on.
• Hosting the application server off-site might make the newspaper's local computer network a less tempting target to attackers.
• We're planning to use the same application server for journalists spread out over several organizations, so it isn't clear exactly which organization should physically host the server.

It seems like it might make sense to house both the application and monitor servers at the off-site location, though that would make them vulnerable to the same attacks (or natural disasters, or fires, etc.). Housing both within the newspaper's offices might provide some additional legal protection, but I think it would seriously degrade the physical security of the servers in this particular case and might paint a target on the rest of the network.

[Taipo]

@pemulis This is my personal opinion on your issue as this is something I have been thinking about a bit lately.

The primary thing you are seem to be wanting to achieve is reducing the chance of attack on your current office connection. You do not gain any extra protection against DoS attacks by splitting the locations up. The network and server either stand up to the DoS or they don't.

Having the servers either in split locations or together will give you the same indication, your server either stays online or it gets overwhelmed by the attack.

Point 1: The monitor server would be trying to connect with either a connection, router or server or all of these, that has been overwhelmed by a DoS attack. So you gain nothing from splitting the location in that arena.

Point 2: A non-state attacker would not know that the webserver is offsite, so expect the attack on the newspaper location network as a second level of attack if the attacker is unable to bring the server down by directly flooding it, regardless of whether your split the locations or not. A state level adversary would learn the location of the remote webserver quite quickly if the newspaper organisation was funding both locations.

Point 3: I am not sure how this point is pertinent to the split location concept.

Much of your three points could be achieved using a 100% dedicated connection for both servers located inhouse. You get the legal protection as well as the separation.

[dolanjs]

I agree with points that @Taipo made. And add:

Point 2: The monitor server has access via the OSSEC agent to the app server and can run remote commands. So it is just as much a target as the app server. So I don't think spliting the servers physical location would make your corporate network less of a target.

And @Taipo's last comment about having a separate circuit at your newsroom is our ideal recommendation to reduce the risk of gag order to third parties, and acheive the network segmentation between your corporate network and the SecureDrop environment. The circuit for the SecureDrop environment does not have to be a high speed link so it shouldn't be that much of an additional cost.

[Taipo]

If anyone is going to Blackhat this year, keep an eye out for this talk: https://www.blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget

If what they are saying in the promo is not hype, then it could be a problem when it comes to protecting the location of the app server and of course, the IP address of the whistleblower.