On 5/17/06, Mike Owen <kyphros@gmail.com> wrote:
> ... I doubt the NSA cares about this list anymore (assuming they ever did).

hmm, i recall amusing conversations about honey tokens and baiting TLAs. *grin*

> Back to the topic at hand, I'm sure they do policy updates via whatever channel they are receiving data. It's very common to just have a single out of band reporting/management link.

true, this is probably how it is done. would IPsec or some NSA built auth & privacy at layer 2 be more likely?

> And I'd be surprised if these servers had any type of internal/external storage, such as the suggested Storedge. They most likely boot off the network, so if the servers are grabbed, there is only the contents of ram to worry about, and I'm sure there are rather explosive safeguards against that.

consider this a vicious rumor, but a little birdie informed me that physical security at these locations is well covered. strategically placed cages, reinforced and locked, armed guards. all this on top of the usually very tight security at these facilities. (though it sounded like the guards were a recent introduction. someone getting nervous about legitimate employees poking around?) so in this case i think there is probably useful data on the disks (the filters and controlling software for the narus / other equipment), caching might be implemented (the T3s on fibre channel have some nice throughput, although this configuration is years old at this point), and i very much doubt any destructive countermeasures.

> A side benefit of having the filesystem living on an nfs server somewhere is that the above mentioned policy updates could be as simple as changing a single file on the storage server, and having all the sniffing servers immediately updated.

network file systems introduce reliability concerns. intermittent link outages would mean a bit of caching in the local case, but might cause monitoring / capture failure in a network file system scenario. maybe we'll find out in the near future. :)