Secure by Design

Because of its distributed nature, PlanetLab was designed from the ground up to be secure. If you are concerned about the security of your nodes or the network, or wonder how your nodes are securely managed from a remote location, read on.

Secure boot

Every PlanetLab node boots from the BootCD rather than the hard disk. Because the CD is immutable, the boot environment is secure and immune to rootkits. The first step in the boot process is to contact PlanetLab Central through a secure, authenticated channel and request the appropriate task to run, based on the boot state of the node. If the node has been placed into its secure Safemode (or Diagnose) mode, it will not initialize further, and a secure console will be opened that can only be accessed from PlanetLab Central by PlanetLab Operations staff.

Minimal software

To minimize potential security vulnerabilities, PlanetLab nodes are installed with only the minimum amount of server software necessary to manage and run virtual servers. Only an SSH server runs in the base system; FTP, TELNET, and SMTP servers do not (and, in fact, are prohibited from running). All other services run inside isolated virtual servers, described below.
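As an added check (not from the PlanetLab documentation or code base): a small Python audit that classifies a node's listening TCP sockets against the policy stated above, allowing only SSH in the base system and flagging FTP, TELNET and SMTP as prohibited. The input lines are constructed in the shape of `ss -H -ltnp` output, not captured from a real node.

```python
import re
from typing import Dict, List, Tuple

# Ports this page allows in the base system (SSH only) and the ones it
# explicitly prohibits. Everything else is reported as "unexpected".
ALLOWED_PORTS = {22: "ssh"}
PROHIBITED_PORTS = {21: "ftp", 23: "telnet", 25: "smtp"}

# Matches the local address column of `ss -H -ltnp` output, e.g.
# "0.0.0.0:22", "[::]:22" or "*:25"; the last ":" separates the port.
_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')

def parse_ss_line(line: str) -> Tuple[int, str]:
    """Return (port, process name) for one `ss -H -ltnp` line."""
    fields = line.split()
    # -H output: State Recv-Q Send-Q Local:Port Peer:Port [Process]
    m = _ADDR_RE.match(fields[3])
    if not m:
        raise ValueError(f"cannot parse local address: {fields[3]!r}")
    proc = _PROC_RE.search(line)
    return int(m.group("port")), proc.group("name") if proc else "?"

def audit_listeners(ss_output: str) -> Dict[str, List[str]]:
    """Classify every listening socket as allowed, prohibited or unexpected."""
    report: Dict[str, List[str]] = {"allowed": [], "prohibited": [], "unexpected": []}
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        port, proc = parse_ss_line(line)
        entry = f"{port}/tcp ({proc})"
        if port in ALLOWED_PORTS:
            report["allowed"].append(entry)
        elif port in PROHIBITED_PORTS:
            report["prohibited"].append(f"{PROHIBITED_PORTS[port]} on {entry}")
        else:
            report["unexpected"].append(entry)
    return report

# Constructed sample in the shape of `ss -H -ltnp`; not captured from a real node.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=902,fd=13))
LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=1337,fd=5))
"""
```

On a real node, feed it the output of `ss -H -ltnp` run as root; a non-empty "prohibited" or "unexpected" list means the base system is running more than this page permits.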

Isolated virtual servers

All management services and PlanetLab experiments run inside isolated virtual servers (also called slivers of a slice, or VServers), which are restricted from performing most administrative operations. The resource consumption of every virtual server is actively managed. Even if a virtual server is compromised or goes out of control, the rest of the virtual servers and the base management software can still run.

Active management

PlanetLab Operations staff works full-time to ensure the security and integrity of the network by applying security patches as necessary, and by constantly auditing usage of the network. All staff members have worked in industry and are well-qualified to provide support and analyze security incidents.