> > The LTSP network is a highly centralized system. All works done by its > > users must be saved to its Server provided if no local floppy drive > > installed. Therefore all confidential data can be retained out of the > > reach by public.
heh ... I guess this keeps the thread within list type topics -- but a careful restatement and reinvention of hardening and strong security is not and can never be more than _part_ of LTSP -- for network based security is risk management, not hardware and computational provision of absolute certainty. > > But if users are allowed to browse Internet and send email that may create > > a hole. Confidential data can be dumped to streets as attachment to email > > or webmail or even copied to their body. Is there any technical remedy > > without scarifying users from browsing or emailing? To monitor users' > > emails keeping a track record which can only be erased by the administrator? Security policy drives provisioning -- if strong audit and security are needed, the distributed plaintext services nature of a costomary LTSP network and NFS may well not be appropiate. Leaking email and web trails are the least of your security worries. Proxy inbound; proxy outbound; use TIS FWTK; filter and audit to your heart's content. Squid-guard and milter can allow post-audit and blame-festing of FTP, web, and email items slipping out through intended routing channels. While these might make the network seem 'harden' at the perimeters, the interior LAN is 'soft and chewey' But, without strong (anal !) pre-positioning of EVERY MAC address, pass-phrased token-nonce authentication (line SecureID), and physical access controls preventing an end user from bringing common items as simple as a Zaurus, a Nokia 9100 cell phone, and a couple of USB adapters (or even a specially configured PlayStation 2), there is no 'absolute' security. Probably not even with those measures ... A talented insider end user (or the night janitorial service contractee's 'temp worker', or a person dressed in a set of coveralls, carrying a ladder, and up 'working on the AC' in the plenum) can 'hub' into the lan, and leave behind enough computing capacity, to use freely available packet level analysis tools. That hardware and these tools can be used to hijack your switch; simulate your DHCP, DNS, NFS, radius, tftp, mail, and web proxy servers; sniff and log every packet, and transparently relay interesting items offsite, without a middle skill admin even being aware of anything being amiss. The tools to do this are just tools -- no good or bad, right or wrong. In the hand of an authorized analyst, they illuminate and permit resolution of networking issues quickly and accurately; the potentially hostile folks outlined a couple paragraphs ago can perform the items in the prior paragraph simply by reading a 'cookbook' -- Phrack, 2600, and several other less public treatises -- Russ Herrold ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _____________________________________________________________________ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.openprojects.net
