[Gllug] Secure Internet Access Linux Box

Jim Bailey jim at freesolutions.net
Fri Jun 21 17:02:20 UTC 2002


On Fri, Jun 21, 2002 at 05:22:38PM +0200, John HEARNS wrote:
> On Fri, 21 Jun 2002, Jim Bailey wrote:
> 
> > On Fri, Jun 21, 2002 at 01:37:54PM +0200, John HEARNS wrote:
> > > On Fri, 21 Jun 2002, Jim Bailey wrote:
> > > 
> > > > Hi,
> > I am not really sure about this; you should really be asking the grinder,
> > not his monkey, but here is my idea of how it should work.
> Why do you say that?
> From your replies below you are pretty on the ball!
> > 
You are very kind, but knowing the theory and having the time-served
experience of a real sysadmin are very different things.  I am well
aware of how much I need my hand held by the grown-ups and, when
necessary, clouted around the ear. :)

> > A single box would have the RAM disk and a CD-ROM with the necessary
> > system files on it, up to 650MB or more if you compress the files.  Even
> > if the user gained access to root he would only be able to operate for
> > as long as the session lasted.  ACLs would also make sure that anything
> > coming from that box to the internal servers would be considered suspect,
> > logged, and the sysadmin alerted.  For added security keep the CD-ROM
> > behind a locked frontpiece.
> Yes - and you could use Vince's recommendation of Snare -
> this can log outgoing network requests.
> 
> 
> > > 
> > I am not really sure what you mean about using a VMware session, but at
> > the moment I am using dozens of diskless Linux boxen; each is a dual
> > Athlon 1900, 3.5GB of RAM, a PXE-enabled ethernet card and not much
> > else.  Linux is loaded by TFTP from a boot server. 
> Nice. Good way to do things.
> Our normal machine is a dual PIII, with 512Mbytes.
> That is a good 'fit' for our normal job mix.
> Probably be going for more RAM in machines being purchased in future.
> All machines have disks - I'm told that it is cheaper to buy machines
> with them than without! 
>
You may be right, but I think economies of scale come into play;
alternatively, were you told this by a hardware supplier? ;)
There is a big list of suppliers in the Diskless Node HOWTO that may be
able to prove that one way or the other.
> 
> > I remember last year during the LDAP round robin in the Foundry one of
> > the guys talking about using this setup with LDAP, PXE and other bits
> > and bobs to set up machines that would boot up any OS on demand between
> > different users.
> Cool. Can you remember a reference to that?
> 
http://fluff.panic.org was the guy's web site; Stewart Sutcliffe, I think,
was his name.

His links, if I remember correctly, were to the IBM Redbook on LDAP.  There
is a lot of stuff on PXE on the Intel site since it is their technology.
Linux Journal did an article on doing network booting in both a
workstation and data centre environment a few months ago.  From what I
can remember it was a good article and may be available on the web.  Someone
also mentioned the Linux Kiosk HOWTO; there is also a Diskless Node
HOWTO which may be a bit dated by now.

> 
> >  There is also the Linux BIOS project which may be able
> > to offer certain advantages in all this not least the fact that it is
> > open source and therefore customisable.
> I'm on the linuxbios list, but I don't think it has anything to offer
> us right at the moment. Though I would like to try it.
> I gather Los Alamos run their big clusters diskless too -
> so you're doing the same things as the big boys!
>
It makes sense; from what I have read of computational clusters, the disks
are just not necessary.  Though we are not a proper computational
cluster.  It is a term used by the management to describe the song nodes; a
better analogy would possibly be Google or another search engine, where a
snippet of information is run against a farm of servers for the correct
match.

Still the most seriously cool kit I have worked on in my short career.

Peace Jim

BTW Happy Solstice everyone, I am off to break bread with a bunch of tree-
huggers I know.
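As an added example (not code from the original post or from anyone on the thread), here is the server-side skeleton that a PXE/TFTP diskless boot like the one described above needs: the DHCP options that point a client at the boot server, a pxelinux configuration that pulls the kernel and a RAM-disk initrd over TFTP, and a pre-flight check that the files the configuration references are actually staged under the TFTP root. The addresses, subnet, file names and kernel arguments are assumptions; pxelinux.0 comes from the syslinux package and the kernel and initrd are whatever the site builds.

```shell
#!/bin/sh
# Added example: lay out a minimal PXE/TFTP boot tree of the kind a
# diskless box fetches at power-on.  Not from the original post; the
# server address 192.168.10.1, the subnet, the file names and the
# kernel arguments are assumptions.

# Build the TFTP root at $1.  Assumed layout: pxelinux.0 (from syslinux),
# a kernel image, and an initrd holding the RAM-disk root filesystem.
build_pxe_tree() {
    root=$1
    mkdir -p "$root/pxelinux.cfg"

    # DHCP side (ISC dhcpd syntax): tell PXE clients which server to
    # contact and which file to fetch over TFTP.  Written next to the
    # tree for reference; on a real server it belongs in dhcpd.conf.
    cat > "$root/dhcpd.conf.snippet" <<'EOF'
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;
    next-server 192.168.10.1;   # the TFTP boot server (assumed address)
    filename "pxelinux.0";
}
EOF

    # pxelinux config: one label, kernel and initrd over TFTP, root
    # filesystem in RAM, so nothing a session writes survives a reboot.
    cat > "$root/pxelinux.cfg/default" <<'EOF'
DEFAULT diskless
PROMPT 0
TIMEOUT 0
LABEL diskless
    KERNEL vmlinuz
    APPEND initrd=initrd.img root=/dev/ram0 ro
EOF
}

# Sanity check before exporting the tree: every file that
# pxelinux.cfg/default references must exist under the TFTP root, or
# clients stall at the PXE prompt.  Returns 0 when complete, 1 otherwise.
check_pxe_tree() {
    root=$1
    cfg="$root/pxelinux.cfg/default"
    [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
    [ -f "$root/pxelinux.0" ] || { echo "missing pxelinux.0"; return 1; }
    # kernel name from the KERNEL line, initrd name from APPEND initrd=...
    kernel=$(awk '/^[[:space:]]*KERNEL/ {print $2}' "$cfg")
    initrd=$(sed -n 's/.*initrd=\([^ ]*\).*/\1/p' "$cfg")
    for f in "$kernel" "$initrd"; do
        [ -n "$f" ] && [ -f "$root/$f" ] || { echo "missing $f"; return 1; }
    done
    return 0
}
```

Run build_pxe_tree against the directory the TFTP daemon serves, copy pxelinux.0, the kernel and the initrd into it, and only then run check_pxe_tree; the check is deliberately strict because a missing initrd fails silently on the client side.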


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug