Storage

Tech Tip: Buy and use a second hard drive for security reasons


Jonathan Yarden

In my experience, there's almost an even split between computer system problems caused by worms and viruses, and problems caused by applying software updates and security patches. If you keep regular system backups and always make a complete backup of your system before applying a software update, you're probably in the minority. Even some enterprise systems aren't fully archived to tape systems, simply because tape drives have less capacity than modern hard drives.

After my last hard drive exceeded the capacity of my tape system by about 20 GB, I neglected to back up my workstation for a while. Of course, as Murphy's Law predicts, I had problems at the worst possible time. I don't know exactly what happened, but Microsoft Image Composer refused to run after I installed a new application.

After this event, I realized that having an image backup of my hard drive would have allowed me to recover from either a system compromise or botched software install or update in minutes, rather than in days. For example, I could have recovered from that recent Windows XP security update in minutes if I'd had a backup IDE hard drive.

Back up one hard drive to another

Most Wintel systems can have up to four IDE devices installed, and most computers probably only use two or three IDE devices. To make image backups using a hard drive, all you need is another hard drive that's at least as large as the one you have and an image copy program. I use large IDE hard drives for image backups since they're quite affordable.

Norton Utility's Ghost, frequently included with boxed replacement IDE hard drives, is a popular program that effectively makes image copies of one hard drive to another. I've seen 20-GB IDE drives for as low as $50, which is probably less than the cost of replacing one when your computer crashes after you've been infested with the latest worm. If a hacker trashes your system, you can easily ghost your primary hard drive from the backup hard drive and reboot.

Remember: Image backups aren't for data redundancy; they're for emergency archival backup. A hacked system using RAID is still trashed and must be restored from an archival copy.

How to make image backups on UNIX

On UNIX, the two most common archival tools are tar and cpio, but I prefer to use the dd utility, which copies the raw sectors from one device to another. (You can also use dd to make image copies of hard drives used in Windows systems.) On my Linux system, I switch to single-user mode and use this command to completely copy my primary IDE hard drive to the secondary mirror copy:

dd if=/dev/hda of=/dev/hdb bs=1k count=`cat /proc/ide/hda/capacity`

Specifying the count argument as a shell command, as I've done in this example, is a simple way to specify the correct number of 1-KB blocks to copy. This is one of the features of the Linux proc filesystem and may not be available on your system. If it isn't, in order to make this command work properly, you'll need to know how many 1-KB blocks your hard drive holds.

To restore from the backup drive, you can use a rescue floppy, or you can change jumpers and reboot, which is the method I prefer.

When you're using Norton Ghost or the UNIX dd command to create image backups, keep a couple of things in mind. One, create an image backup before you install software updates, just in case the software update fails. Second, make sure your machine isn't already compromised. However, an archive copy of a compromised system can be useful to provide forensics, without keeping the compromised system from being returned to service.

The bottom line

Although tape drives haven't decreased in cost or increased in capacity as rapidly as IDE hard drives have, they're not dead yet. However, I don't prefer to use them when I need to quickly restore a damaged or compromised system. Online archival hard drives are also handy if the primary hard drive fails for other reasons--something that hard drives have a nasty habit of doing at the worst possible time.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

0 comments

Editor's Picks