[Gllug] Secure Internet Access Linux Box

John HEARNS John.Hearns at cern.ch
Fri Jun 21 15:22:38 UTC 2002


On Fri, 21 Jun 2002, Jim Bailey wrote:

> On Fri, Jun 21, 2002 at 01:37:54PM +0200, John HEARNS wrote:
> > On Fri, 21 Jun 2002, Jim Bailey wrote:
> > 
> > > Hi,
> I am not really sure about this; you should really be asking the grinder,
> not his monkey, but here is my idea of how it should work.
Why do you say that?
From your replies below you are pretty on the ball!
> 
> A single box would have the RAM disk and a CD-ROM with the necessary
> system files on it, up to 650MB or more if you compress the files.  Even
> if the user gained access to root he would only be able to operate for
> as long as the session lasted.  ACLs would also make sure that anything
> coming from that box to the internal servers would be considered suspect,
> logged and the sys admin alerted.  For added security keep the CD-ROM
> behind a locked frontpiece.
Yes - and you could use Vince's recommendation of Snare -
this can log outgoing network requests.


> > 
> I am not really sure what you mean about using a VMware session, but at
> the moment I am using dozens of diskless Linux boxen; each is a dual
> Athlon 1900, 3.5GB of RAM, a PXE-enabled ethernet card and not much
> else.  Linux is loaded by TFTP from a boot server.
Nice. Good way to do things.
Our normal machine is a dual PIII, with 512Mbytes.
That is a good 'fit' for our normal job mix.
Probably be going for more RAM in machines being purchased in future.
All machines have disks - I'm told that it is cheaper to buy machines
with them than without! 


> I remember last year during the LDAP round robin in the Foundry one of
> the guys talking about using this setup with LDAP, PXE and other bits
> and bobs to set up machines that would boot up any OS on demand between
> different users.
Cool. Can you remember a reference to that?


> There is also the Linux BIOS project which may be able
> to offer certain advantages in all this, not least the fact that it is
> open source and therefore customisable.
I'm on the linuxbios list, but I don't think it has anything to offer
us right at the moment. Though I would like to try it.
I gather Los Alamos run their big clusters diskless too -
so you're doing the same things as the big boys!



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug