Zoilo wrote:
> Florian Thiel wrote:
> >Hi!
> >
> >Can anyone issue any suggestions or report experiences encrypting the
> >network traffic in an LTSP environment? Since keypresses and everything
> >(e.g. every password you enter on a LTSP workstation, be it ssh or not)
> >travel the LAN in plaintext (X events), encryption is crucial for
> >large-scale adoptions.
> >
> >(To demonstrate the effects, I once created two small perl scripts, one
> >that sniffed X magic cookies and one that iterated over the list of
> >known cookies and used them to switch display background colors. After a
> >few minutes I had a whole room of machines happily blinking... Very
> >impressive).
> >
> >IPSec would come into mind but is very expensive (CPU cycles) and would
> >need a powerful centralized IPSec Gateway...
> 
> It is not expensive at all.
> 
> I am running Freeswan on an old Dell Optiplex Pentium 166 MHz PC, that 
> acts as firewall/router (iptables) and VPN-gateway.
>
> Currently, I have only 4 tunnels set up, but from reading the freeswan 
> mailing lists I am convinced that I could configure many more before I 
> would run into performance problems.

Are these tunnels heavily loaded? FreeS/WAN scales OK up to a few
hundred tunnels but scalability isn't the only point there. The
terminals are supposed to do actual work instead of encrypting network
traffic. And 3DES (or blowfish, if you want something lighter) has a
specific cost (in cycles) which can't be beat by FreeS/WAN nor any other
implementation...

> The question is to get IPSEC into the LTSP-kernel; I don't think that 
> would be very difficult, really.

That is a practical problem; I was only thinking theoretically here :-)

> But what about the kernel-loading itself? tftp is anything but secure of 
> course, so maybe you should also implement IPSEC into a boot kernel, and 
> boot from a floppy or a flash to load the running kernel?

Oh, yes, you're pointing to another problem there: How can an X-Terminal
be sure that the server is not an active attacker? (I think that would
go a bit far, because you would need one half of a key on the
X-Terminals and that would be counterproductive in dumb-terminals :-)

Florian
-- 
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
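The point Florian makes about X magic cookies travelling the LAN in plaintext can be seen directly in the X11 connection-setup request, where the MIT-MAGIC-COOKIE-1 authorization data is a bare bearer credential in the first bytes of the TCP stream. The following is an added example, not code from this list or from the LTSP project: it parses a setup request (layout taken from the X11 protocol specification), reports which authorization protocol is in use and how many credential bytes are exposed, and never returns the credential itself. The sample payloads are constructed inline, not captured from a network.

```python
"""Classify the authorization carried by an X11 connection-setup request.

Added example for the LTSP encryption thread; not code from the list or
from LTSP. The byte layout follows the X11 protocol's connection setup
request (byte-order marker, major/minor version, auth name, auth data,
each variable field padded to a multiple of 4). Sample payloads below are
constructed, not captured.
"""
import struct
from typing import NamedTuple


class X11Setup(NamedTuple):
    byte_order: str       # "MSB" or "LSB"
    major: int
    minor: int
    auth_name: str        # e.g. "MIT-MAGIC-COOKIE-1"; "" when no authorization
    auth_data_len: int    # length of the credential bytes, never the bytes themselves
    verdict: str


def _pad4(n: int) -> int:
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (4 - (n % 4)) % 4


def parse_x11_setup(payload: bytes) -> X11Setup:
    """Parse the first bytes a client sends to an X server."""
    if len(payload) < 12:
        raise ValueError("too short for an X11 setup request")
    marker = payload[0:1]
    if marker == b"B":
        fmt, bo = ">", "MSB"
    elif marker == b"l":
        fmt, bo = "<", "LSB"
    else:
        raise ValueError("not an X11 setup request (bad byte-order marker)")
    # byte 1 is unused; bytes 2..9 hold four 16-bit fields; bytes 10..11 unused
    major, minor, n_name, n_data = struct.unpack(fmt + "HHHH", payload[2:10])
    off = 12
    name = payload[off:off + n_name]
    if len(name) != n_name:
        raise ValueError("truncated authorization name")
    off += n_name + _pad4(n_name)
    data = payload[off:off + n_data]
    if len(data) != n_data:
        raise ValueError("truncated authorization data")
    auth_name = name.decode("ascii", errors="replace")
    if n_name == 0:
        verdict = "no authorization: any host that can reach the display can use it"
    elif auth_name == "MIT-MAGIC-COOKIE-1":
        verdict = "cookie sent in clear: bearer credential exposed to anyone on the path"
    else:
        verdict = f"authorization {auth_name}: not a plaintext cookie"
    return X11Setup(bo, major, minor, auth_name, n_data, verdict)


def build_setup(byte_order: str, auth_name: bytes, auth_data: bytes) -> bytes:
    """Construct a setup request; used here only to produce sample input."""
    fmt = ">" if byte_order == "MSB" else "<"
    marker = b"B" if byte_order == "MSB" else b"l"
    hdr = (marker + b"\0"
           + struct.pack(fmt + "HHHH", 11, 0, len(auth_name), len(auth_data))
           + b"\0\0")
    return (hdr + auth_name + b"\0" * _pad4(len(auth_name))
            + auth_data + b"\0" * _pad4(len(auth_data)))


# Constructed samples: a cookie-authenticated handshake (16 dummy cookie
# bytes) and an "xhost +" style handshake with no authorization at all.
SAMPLE_COOKIE = build_setup("LSB", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
SAMPLE_OPEN = build_setup("MSB", b"", b"")

if __name__ == "__main__":
    for p in (SAMPLE_COOKIE, SAMPLE_OPEN):
        r = parse_x11_setup(p)
        print(f"X{r.major}.{r.minor} {r.byte_order} auth={r.auth_name!r} "
              f"credential_bytes={r.auth_data_len}: {r.verdict}")
```

The verdict strings show why transport encryption (IPsec in this thread) is the fix rather than a stronger cookie: the cookie is replayable by design, so anything that can read the handshake can reuse it. The same parser also flags the worse case of a display opened with no authorization.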


_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.freenode.net