On Sun, 23 Jun 1996, Peter Beckman wrote:
> So what I've gathered, you are saying that I should have a 3rd dedicated
> AFS database server, that does only a small amount of file serving, or that
> it would be ok to use my Sparc 5 on my desk for it. I use it a lot, and
> it's running in openwin 99% of the time. It would be the 3rd AFS database
> server, beyond the 2 dedicated secured machines doing AFS database and file
> serving.

If you're using the desktop machine interactively with a graphical
window manager and the machine is a moderately-loaded Sparc 5, then your
dbserver performance is probably not going to be very spectacular. Is the
$7,000 for a Sparc5/64Mb out of the question? An Axil 245 would be even
cheaper. (This was the ballpark for the last quote I saw).

If cell security is at all a concern then I would not use a desktop
workstation as an AFS database server, period. Desktop workstations tend
to be configured with minimal to moderate security in mind. This
generally includes telnet, ftp, perhaps even internal r-command access (I
certainly hope you're blocking that stuff at the router).

For server class machines, especially those with sensitive information,
I would definitely not permit telnet, FTP, or god-forbid r-command stuff.
I'd use Kerberos, or ssh, or SecurID, a combination of these, or perhaps
even restrict access to console only. AFS is especially appropriate for
console-only access, since there is very little you cannot do to the
dbservers from any AFS client. You don't even have to serve any volumes
off of the server (although it would probably be beneficial to add this
server as a replication site for your root.afs, root.cell, and similar
infrastructure volumes), as you can run the fs process suite without
requiring it to serve any volumes. Then you wouldn't even have to back
anything up on this machine, except for a one-off for disaster recovery
purposes. You would of course want to lock the media in a cabinet
somewhere, or change your encryption key afterwards.

My $0.02.
-brian
--
Brian W. Spolarich - ANS CO+RE Systems - [EMAIL PROTECTED] - (313)677-7311
If wishes were fishes we'd all cast nets.
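
A check for the advice in the message above, as an added example that is not part of the original e-mail: a shell function that reads a classic inetd.conf and lists which of telnet, ftp and the r-commands are still enabled on a would-be server. The function names, the sample file and the paths in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: find remote-login services that inetd.conf still enables.
# Assumes classic syntax: service socktype proto wait user server-path args...

# Services named in the message: telnet, ftp and the r-commands
# (inetd service names: shell = rsh, login = rlogin, exec = rexec).
RISKY_SERVICES="telnet ftp shell login exec"

# audit_inetd FILE
# Prints "service user server-path" for every enabled risky entry.
# Returns 0 if none are enabled, 1 if any are, 2 if FILE is unreadable.
audit_inetd() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ { next }     # commented-out entry: service is disabled
        NF < 6     { next }     # blank or incomplete line, not a service entry
        ($1 in bad) { print $1, $5, $6; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$conf"
}

# write_sample_inetd FILE
# Writes a constructed inetd.conf (not taken from any real host).
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample for the audit below
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
time    dgram   udp  wait    root  internal
EOF
}

sample=$(mktemp)
write_sample_inetd "$sample"
if audit_inetd "$sample"; then
    echo "no telnet/ftp/r-command services enabled"
else
    echo "the services listed above should be disabled on a server-class machine"
fi
rm -f "$sample"
```

An entry commented out in inetd.conf only takes effect once inetd has re-read the file, so a check of listening ports is the complement to this one.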