SCIENTIFIC-LINUX-USERS Archives

March 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Luke Scharf <[log in to unmask]>
Date: Sat, 11 Mar 2006 10:00:33 -0500
Content-Type: multipart/signed
Parts/Attachments: text/plain (3897 bytes), smime.p7s (3376 bytes)

I'm glad you found my comments useful!

Harish Narayanan wrote:

>The IT staff are offering to do something of this sort. Their policy
>seems to be, if it is one of {a list of OSs} and it's
>patched/firewalled, it can directly access the internet. Otherwise, it
>has to be behind a NAT.
>
>I was opposed to this because people (including me) have their favourite
>machines in the lab and like to access them directly. I didn't
>think of what you said, allow one box they trust on the network, and set
>up my internal network inside it, allowing people to hop-hop into their
>machine directly (enough).
>
One other NAT option that I've been looking at lately is a box that
looks like a home-router that has a built-in VPN service.  This may be
easier and more elegant than port-forwarding, if it matches your needs.
I've been looking at the Buffalo WZR-RS-G54, and one of the networking
guys I know recommended the Cisco 800.  It should be easy to maintain,
and your networking guys may approve of a device like this?

Also, I vaguely remember that Netgear makes a NAT/VPN box with an
8-port internal gigabit switch, and no wireless.  That might be ideal
for a lab, since wireless is often a security liability (in addition to
being very convenient and useful).

Anyway, I'm thinking about setting up one of these boxes at home,
because I'd like to be able to VPN to my home-network - that way, the
only ports I'd have to expose to the world are SMTP (I run a mailserver
at home), and the VPN port.  Plus, if an encrypted VPN-over-wifi
connection is required to get to my private network (and to use my
Internet connection), it's a lot more secure than mac-address-filtering
and WEP (or whatever the new-and-supposedly-better WEP standard is).  If
it works as-advertised, it'll be a great setup.

>I use shfs instead of nfs (so there are no issues there).
>
Excellent!  I'd like to hear which version you're using, and how reliable
it is.

I'd love to change a number of my Linux machines over to shfs - it has
far fewer security issues than NFS.  But, the last time I tried it, it
zeroed out a couple of my files and it also couldn't do the file-locking
that Gnome requires for a graphical login.  If it works, though SHFS
fixes many of the things that annoy me about Unix - especially if it
could be combined with a PAM module that does some automounting
functions.  But, I'll have to put my money where my mouth is and start
contributing some code.  On the other hand, if someone's done this since
the last time I ran SHFS, I'll be a happy geek.

>>   3. Virus Scanner: You can install clamav from DAG's repository.  It
>>      doesn't scan in realtime, but when they ask if you have a virus
>>      scanner on every machine, you can say "yes!".  If you put a clamav
>>      command in the crontab ("@daily /usr/bin/freshclam ; nice -n 19
>>      clamscan --recursive --no-mail --infected  /"), the machine is
>>      being automatically scanned.
>
>This I hadn't even thought of, I must admit. Almost everything else
>you'd mentioned came up. I was in a naive frame of mind which went
>roughly like so---if someone does something stupid and gets infected, at
>worst they lose all their data, the box won't necessarily be rooted. And
>after some thought, I realised that people don't care about the box
>being up. I mean, they probably do, but they're probably more concerned
>about their data.
They're probably most concerned about machines spewing stuff on their
network.  The box being rooted would be a classic way for this to
happen, but certainly not the only way.

Our central network folks don't care about our data, in a professional
sense.  Of course, they'll commiserate over your lost data at the pub --
but, at my university, their role is to make sure that the network stays
working as well as possible for as many people as possible.

-Luke


-- 
Luke Scharf, Systems Administrator
Virginia Tech Aerospace and Ocean Engineering
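The daily clamav cron job quoted earlier in this thread, as an added example that is not from the original message or from the clamav project: a wrapper script that runs freshclam and clamscan, interprets clamscan's exit status, and parses the "Infected files" summary line so a monitoring job can alert on it. The binary paths and the log directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: replaces the quoted
# "@daily freshclam ; nice -n 19 clamscan ..." crontab line with a script that
# logs each run and interprets clamscan's exit status. Paths are assumed.

LOGDIR=${LOGDIR:-/var/log/clamav}   # assumed log location

# classify_scan EXITCODE: clamscan's documented exit codes are
#   0 = nothing found, 1 = infected files found, 2 = an error occurred
classify_scan() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# infected_count LOGFILE: extract N from the "Infected files: N" summary
# line so a monitoring job can alert on N > 0 instead of someone reading mail.
infected_count() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample of a clamscan summary (not real output from any host),
# used to check the parser without running a scan.
write_sample_log() {
    cat >"$1" <<'EOF'
/home/user/eicar.txt: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1234
Infected files: 1
EOF
}

# run_daily_scan: what the crontab entry calls. Update signatures first
# (a scanner with stale signatures makes the "yes, we have a virus scanner"
# answer hollow), then scan at low priority and record the outcome in syslog.
run_daily_scan() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/clamscan-$(date +%Y%m%d).log"
    /usr/bin/freshclam --quiet || echo "freshclam failed; scanning with old signatures" >&2
    nice -n 19 /usr/bin/clamscan --recursive --infected --no-mail / >"$log" 2>&1
    rc=$?
    logger -t clamscan "daily scan: $(classify_scan "$rc"), $(infected_count "$log") infected"
    return "$rc"
}
# Crontab line (root) replacing the quoted one: @daily /usr/local/sbin/daily-clamscan.sh run
case "${1:-}" in run) run_daily_scan ;; esac
```

clamscan exits 1 whenever it finds something, so the cron job's own exit status (and the syslog line) is enough for a central log watcher to pick up infected hosts.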
