[Gllug] Secure Internet Access Linux Box
Jim Bailey
jim at freesolutions.net
Fri Jun 21 14:50:36 UTC 2002
On Fri, Jun 21, 2002 at 01:37:54PM +0200, John HEARNS wrote:
> On Fri, 21 Jun 2002, Jim Bailey wrote:
>
> > Hi,
> >
> > may I suggest a diskless node booting off either the network or a CD rom
> > and 1-2GB ram disk. At the end of the session the user logs out and
> > automatically causes the system to reboot if this is not overkill,
> > giving the new user a clean machine.
> >
> Jim,
> that sounds a great idea.
> Do you have any idea if this could be achieved using just one
> box, by using automatic login to maybe Vmware?
> I know the automatic login part works, as I remember asking GLLUG
> about this a long time ago.
>
I am not really sure about this you should really be asking the grinder
not his monkey but here is my idea of how it should work.
A single box would have the Ram disk and a CD rom with the necessary
system files on it upto 650mb or more if you compress the files. Even
if the user gained access to root he would only be able to operate for
as long as the session lasted ACLs would also make sure that anything
coming from that box to the internal servers would be considered suspect
logged and the sys admin alerted. For added security keep the CD rom
behind a locked frontpiece.
>
>
> The box itself runs Linux, but the user session is Vmware.
> highly restrict the terminals that root can log in on -
> maybe use a serial terminal for root login.
>
I am not really sure what you mean about using a Vmware session but at
the moment I am using a dozens of diskless linux boxen each is a dual
Athlon 1900, 3.5GB of RAM, a PXE enabled ethernet card and not much
else. Linux is loaded by TFTP from a boot server. A slice server loads
music slices which we run music recognition tests against. If a node in
the cluster fails (note this isn't proper clustering technology it is
just called the recognition cluster). We simply reboot the node and
reinstall the relevant software and data. I would imagine that a
similar setup would work equally well in the above case.
>
I remember last year during the LDAP round robin in the Foundry one of
the guys talking about using this setup with LDAP, PXE and other bits
and bobs to setup machines that would boot up any OS on demand between
different users. There is also the Linux BIOS project which may be able
to offer certain advantages in all this not least the fact that it is
open source and therefore customisable.
I hope this answers some of your questions, If I have got it completely
wrong I apologise and would someone who really knows what he is doing
help John and put me right.
Peace Jim
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list