There would also have to be an ACL (Access Control List) such
that I could regulate who gets access to these boards.
I could use some suggestions on iptables rules for this
(embedded) DMZ. I have spoken to several folks in the past that
have tried this, and maintaining security is always a challenge.
So a limited ACL in the beginning until the security mechanisms
mature, is a prudent step.

Hi,

here comes my experience with a similar configuration (not developers but students with root-privileges, even worse :))

a stepping-stone host with ssh-logins for outside devs. this is the only system, that accepts connections from outside, the firewall blocks any attempt to connect to any embedded system directly. we even have our devices in a network with private ip-addresses, with no routing at all to or from the internet, the steppingstone has 2 nics, one with a public IP for ssh-login, and one with the private ip. it does NOT do any routing or NAT. the private IP-config will probably not work for you, because:

the dev systems probably need outgoing http/ftp/rsync if not more. block smtp at all costs. if you need mail for debugging the embedded systems, configure your stepping-stone so that it accepts mails for your dns-zone, and delivers it locally, but do not forward any mail from the dev-dmz. if you only want to support one system (say gentoo) you might get along with a local gentoo-mirror, but development is really cumbersome if people don't have http/ftp access do download some patches or whatever. people will start to build ssh-portforwards if you are too restrictive and that kills any firewall.

you need ip-switchable powersupply for all dev-systems, these things will crash and the users need a way to reboot them remotly.
(afair ~300 Euro per 8 devices)
see that you get some with snmp support, then you can write a small tool that checks against the acl before it reboots the device.

you need a serial connection to each dev-system. we use terminal-servers for that purpose. make sure you can break a serial login, users will forget to log out and block the serial port forever. again, see for snmp support for that purpose. (terminal-servers are really expensive, about 150 Euro per port, but you can use a pc with lots of ports, and use a serial-to-network daemon)

if multiple devs should be able to share a device, you need some kind of a reservation system. We started with a wiki, where everyone entered the devices that he wants to book in a table. that worked amazingly well. now we have switched to a sql-db, with allows us to restrict the logins on the devices to that devices, that the user has actually reserved. the most important thing is that never 2 independant users access the device at the same time if they want to do things like system configuration things...

we provide our users with a tftp-server, that has a writeable directory for each stepping-stone-user. it is planned to allow the users to specify a config-snippet for the dhcpd (again, only for such system that the user has reserved in the db), when this is done there will be everything a user needs to boot any arbitary system on the device (if the device is netboot-enabled)

hope that gives you some ideas,
        harald
--
[email protected] mailing list

Reply via email to