On Sat, Nov 01, 2014 at 10:52:31AM +0000, Kagamin via Digitalmars-d wrote:
> On Friday, 31 October 2014 at 21:06:49 UTC, H. S. Teoh via Digitalmars-d
> wrote:
> >This does not mean that process isolation is a "silver bullet" -- I
> >never said any such thing.
>
> But made it sound that way:
>
> >The only failsafe solution is to have multiple redundant processes,
> >so when one process becomes inconsistent, you fall back to another
> >process, *decoupled* process that is known to be good.
>
> If you think a hacker rooted the server, how do you know other
> perfectly isolated processes are good? Not to mention you suggested to
> build a system from *communicating* processes, which doesn't sound
> like perfect isolation at all.
You're confusing the issue. Process-level isolation is for detecting
per-process faults. If you want to handle server-level faults, you need
external monitoring per server, so that when it detects a possible
exploit on one server, it shuts down the server and fails over to another
server known to be OK.

And I said decoupled, not isolated. Decoupled means they can still
communicate with each other, but with a known protocol that insulates
them from each other's faults. E.g. you don't send binary executable code
over the communication lines and the receiving process blindly runs it,
but you send data in a predefined format that is verified by the
receiving party before acting on it. I'm pretty sure this is obvious.

> >You don't shut down the *entire* network unless all redundant
> >components have failed.
>
> If you have a hacker in your network, the network is compromised and
> is in an unknown state, why do you want the network to continue
> operation? You contradict yourself.

The only contradiction here is introduced by you. If one or two servers
on your network have been compromised, does that mean the *entire*
network is compromised? No it doesn't. It just means those one or two
servers have been compromised. So you have monitoring tools set up to
detect problems within the network and isolate the compromised servers.
If you are no longer sure the entire network is in a good state, e.g. if
your monitoring tools can't detect certain large-scale problems, then
sure, go ahead and shut down the entire network. It depends on what
granularity you're operating at.

A properly-designed reliable system needs to have multiple levels of
monitoring and failover. You have process-level decoupling,
server-level, network-level, etc. You can't just rely on a single level
of granularity and expect it to solve everything.


T

-- 
Leather is waterproof. Ever see a cow with an umbrella?
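The decoupling principle argued in the reply above (a known protocol, data in a predefined format, verified by the receiver before it acts, never executable content run blindly) as an added example that is not part of the original post or thread. The length-prefixed JSON framing, the three-command table with its field names, and the value bounds are assumptions chosen for illustration; a receiving process applies them to every frame and refuses anything that does not match, so a faulty or hostile peer can at worst be ignored, not steer the receiver.

```python
import json
import struct

# Assumption: an upper bound on the body size keeps the receiver from
# allocating on behalf of a peer that declares an absurd length.
MAX_FRAME = 4096

# Predefined wire format, assumed for this example: every message is
# {"cmd": <name>, "args": {...}} and this table fixes which commands
# exist, which fields each carries, and the type of each field.
SCHEMA = {
    "ping": {},
    "set_rate": {"rate": int},
    "rotate_log": {"name": str},
}


class ProtocolError(ValueError):
    """Raised for any frame that does not match the predefined format."""


def encode_frame(msg):
    """Frame a message as a 4-byte big-endian length followed by compact JSON."""
    body = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    return struct.pack("!I", len(body)) + body


def validate(msg):
    """Check structure, command name, field set, field types and value bounds."""
    if not isinstance(msg, dict) or set(msg) != {"cmd", "args"}:
        raise ProtocolError("message must be an object with exactly cmd and args")
    cmd, args = msg["cmd"], msg["args"]
    if cmd not in SCHEMA:
        raise ProtocolError(f"unknown command {cmd!r}")
    expected = SCHEMA[cmd]
    if not isinstance(args, dict) or set(args) != set(expected):
        raise ProtocolError(f"{cmd}: argument set does not match the schema")
    for name, typ in expected.items():
        # type(), not isinstance(): bool is a subclass of int and must not pass as a rate
        if type(args[name]) is not typ:
            raise ProtocolError(f"{cmd}: {name} must be {typ.__name__}")
    if cmd == "set_rate" and not 1 <= args["rate"] <= 1000:
        raise ProtocolError("set_rate: rate out of range")
    if cmd == "rotate_log" and not args["name"].isalnum():
        raise ProtocolError("rotate_log: name must be alphanumeric")


def decode_frame(data):
    """Parse one frame; every check happens before any field is trusted."""
    if len(data) < 4:
        raise ProtocolError("frame shorter than its length prefix")
    (length,) = struct.unpack("!I", data[:4])
    if length > MAX_FRAME:
        raise ProtocolError(f"declared length {length} exceeds limit")
    if len(data) != 4 + length:
        raise ProtocolError("declared length does not match frame size")
    try:
        msg = json.loads(data[4:].decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ProtocolError(f"body is not valid JSON: {exc}") from None
    validate(msg)
    return msg


class Receiver:
    """The receiving process: acts only on frames that passed validation."""

    def __init__(self):
        self.rate = 10
        self.rotations = []
        self.rejected = []

    def handle(self, frame):
        try:
            msg = decode_frame(frame)
        except ProtocolError as exc:
            self.rejected.append(str(exc))  # log and carry on; the peer's fault stays its own
            return "rejected"
        # Dispatch through a fixed table keyed by the validated command name;
        # nothing received from the peer is ever interpreted as code.
        handlers = {"ping": self._ping, "set_rate": self._set_rate, "rotate_log": self._rotate_log}
        return handlers[msg["cmd"]](msg["args"])

    def _ping(self, args):
        return "pong"

    def _set_rate(self, args):
        self.rate = args["rate"]
        return f"rate={self.rate}"

    def _rotate_log(self, args):
        self.rotations.append(args["name"])
        return f"rotated {args['name']}"


# Constructed sample traffic from a peer process: three well-formed frames
# followed by six that the receiver must refuse rather than act on.
SAMPLE_FRAMES = [
    encode_frame({"cmd": "ping", "args": {}}),
    encode_frame({"cmd": "set_rate", "args": {"rate": 250}}),
    encode_frame({"cmd": "rotate_log", "args": {"name": "app2014"}}),
    encode_frame({"cmd": "run_binary", "args": {"blob": "..."}}),     # command outside the protocol
    encode_frame({"cmd": "set_rate", "args": {"rate": "250"}}),       # wrong field type
    encode_frame({"cmd": "set_rate", "args": {"rate": 5, "x": 1}}),   # extra field
    encode_frame({"cmd": "rotate_log", "args": {"name": "../old"}}),  # value outside policy
    struct.pack("!I", 10**6) + b"{}",                                 # declared length far beyond the frame
    b"\x00\x00\x00\x03{",                                             # truncated frame
]


def run_sample():
    """Feed the constructed frames to one receiver; returns (receiver, replies)."""
    rx = Receiver()
    replies = [rx.handle(frame) for frame in SAMPLE_FRAMES]
    return rx, replies


if __name__ == "__main__":
    rx, replies = run_sample()
    for reply in replies:
        print(reply)
    for reason in rx.rejected:
        print("refused:", reason)
```

The point the reply makes is that decoupling is a property of the protocol, not of the transport: the receiver's state (`rate`, `rotations`) changes only through commands the schema already knows, and a peer that has gone bad can produce nothing more than entries in `rejected`, which is exactly what the next monitoring layer up would watch for.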