Hi,
I'm deploying a prototype of a distributed system to benchmark some algorithms before committing to final hardware.
I have a large supply of 1GHz, 1GB diskless workstations that I'll use (headless) as they are freely available, small, reasonably (ha!) low power, etc. Almost everything is written in portable languages so the fact that this is x86 doesn't impact my codebase.
For the prototype system, I'll deploy 30 of these. Most will be 100BaseTX ethernet. Some will be 802.11g or n. A single server hosts images.
Since these are COTS boxes (and *diskless*), they are indistinguishable from each other besides MAC. And, MAC can be spoofed :-/
I was originally thinking of PXE booting each box. Then, letting that bootstrap bring up the *secure* network for the rest of IPL (key exchange, etc.).
But, I don't see any way that I can do this *without* controlling the loading of the initial (PXE) image! I.e., an attacker could intercept the PXE boot request and force arbitrary code to be executed. So, even if I added some local key storage, that code could freely examine the key, reset the processor and let the *next* PXE boot request go through "as normal".
It seems like I *must* make the PXE sequence secure if I want to have any hope of the rest of the process being secure (?). I.e., boot locally (add some sort of medium) and implement my own form of PXE boot. :<
However, the number of "tricks" that these folks come up with for working in spite of an adversary leaves me never quite sure whether someone hasn't already come up with a workaround for this sort of situation -- ?
Any ideas?
Thx,
--don
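As an added illustration (not part of the original post, and not anyone's production loader), here is the "boot locally, then verify before you execute" step the post arrives at, simulated with the openssl CLI: the image server signs each stage-2 image with a private key that never leaves the server, the node's local medium holds only the matching public key, and the stage-1 loader refuses anything fetched over the network whose signature does not check out. All file names, the use of RSA-2048, and the sample images are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: verify-before-execute for a locally booted stage-1 loader.
# Assumes the openssl CLI is installed; every key and image is generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- image server side: generate the signing key once, sign every image ------
server_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    # The public half is the only secret-free thing burned onto each node's
    # local boot medium; a compromised node has nothing here worth stealing.
    openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

sign_image() {   # $1 = image file, $2 = output signature file
    openssl dgst -sha256 -sign "$WORK/server.key" -out "$2" "$1"
}

# --- node side: stage-1 loader got image + signature over the untrusted LAN --
# Returns 0 only when the signature verifies against the pinned public key.
verify_image() { # $1 = image file, $2 = signature file, $3 = pinned public key
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Prints BOOT if the loader would jump into the image, REJECT otherwise.
stage1_decide() { # $1 = image file, $2 = signature file
    if verify_image "$1" "$2" "$WORK/server.pub"; then echo BOOT; else echo REJECT; fi
}

# Constructed sample images: the genuine stage-2 and a tampered copy of it.
server_setup
printf 'genuine stage-2 image bytes\n' > "$WORK/stage2.img"
sign_image "$WORK/stage2.img" "$WORK/stage2.sig"
cp "$WORK/stage2.img" "$WORK/evil.img"
printf 'attacker-appended payload\n' >> "$WORK/evil.img"

stage1_decide "$WORK/stage2.img" "$WORK/stage2.sig"   # BOOT
stage1_decide "$WORK/evil.img"   "$WORK/stage2.sig"   # REJECT
```

This only moves the trust anchor, it does not remove it: the pinned public key is exactly as trustworthy as the local medium and the firmware that loads stage 1 from it, which is the point the post makes about plain PXE.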