| 1 |
Harald Schioeberg wrote: |
| 2 |
> |
| 3 |
>> |
| 4 |
>> There would also have to be an ACL (Access Control List) such |
| 5 |
>> that I could regulate who gets access to these boards. |
| 6 |
>> I could use some suggestions on iptables rules for this |
| 7 |
>> (embedded) DMZ. I have spoken to several folks in the past that |
| 8 |
>> have tried this, and maintaining security is always a challenge. |
| 9 |
>> So a limited ACL in the beginning until the security mechanisms |
| 10 |
>> mature, is a prudent step. |
| 11 |
> |
| 12 |
> |
| 13 |
> Hi, |
| 14 |
> |
| 15 |
> here comes my experience with a similar configuration (not developers |
| 16 |
> but students with root-privileges, even worse :)) |
| 17 |
> |
| 18 |
> a stepping-stone host with ssh-logins for outside devs. this is the only |
| 19 |
> system, that accepts connections from outside, the firewall blocks any |
| 20 |
> attempt to connect to any embedded system directly. we even have our |
| 21 |
> devices in a network with private ip-addresses, with no routing at all |
| 22 |
> to or from the internet, the steppingstone has 2 nics, one with a public |
| 23 |
> IP for ssh-login, and one with the private ip. it does NOT do any |
| 24 |
> routing or NAT. the private IP-config will probably not work for you, |
| 25 |
> because: |
| 26 |
> |
| 27 |
> the dev systems probably need outgoing http/ftp/rsync if not more. block |
| 28 |
> smtp at all costs. if you need mail for debugging the embedded systems, |
| 29 |
> configure your stepping-stone so that it accepts mails for your |
| 30 |
> dns-zone, and delivers it locally, but do not forward any mail from the |
| 31 |
> dev-dmz. if you only want to support one system (say gentoo) you might |
| 32 |
> get along with a local gentoo-mirror, but development is really |
| 33 |
> cumbersome if people don't have http/ftp access do download some patches |
| 34 |
> or whatever. people will start to build ssh-portforwards if you are too |
| 35 |
> restrictive and that kills any firewall. |
| 36 |
> |
| 37 |
> you need ip-switchable powersupply for all dev-systems, these things |
| 38 |
> will crash and the users need a way to reboot them remotly. |
| 39 |
> (afair ~300 Euro per 8 devices) |
| 40 |
> see that you get some with snmp support, then you can write a small tool |
| 41 |
> that checks against the acl before it reboots the device. |
| 42 |
> |
| 43 |
> you need a serial connection to each dev-system. we use terminal-servers |
| 44 |
> for that purpose. make sure you can break a serial login, users will |
| 45 |
> forget to log out and block the serial port forever. again, see for snmp |
| 46 |
> support for that purpose. |
| 47 |
> (terminal-servers are really expensive, about 150 Euro per port, but you |
| 48 |
> can use a pc with lots of ports, and use a serial-to-network daemon) |
| 49 |
> |
| 50 |
> if multiple devs should be able to share a device, you need some kind of |
| 51 |
> a reservation system. We started with a wiki, where everyone entered the |
| 52 |
> devices that he wants to book in a table. that worked amazingly well. |
| 53 |
> now we have switched to a sql-db, with allows us to restrict the logins |
| 54 |
> on the devices to that devices, that the user has actually reserved. the |
| 55 |
> most important thing is that never 2 independant users access the device |
| 56 |
> at the same time if they want to do things like system configuration |
| 57 |
> things... |
| 58 |
> |
| 59 |
> we provide our users with a tftp-server, that has a writeable directory |
| 60 |
> for each stepping-stone-user. it is planned to allow the users to |
| 61 |
> specify a config-snippet for the dhcpd (again, only for such system that |
| 62 |
> the user has reserved in the db), when this is done there will be |
| 63 |
> everything a user needs to boot any arbitary system on the device (if |
| 64 |
> the device is netboot-enabled) |
| 65 |
> |
| 66 |
> hope that gives you some ideas, |
| 67 |
> harald |
| 68 |
|
| 69 |
Hello Harald, |
| 70 |
|
| 71 |
This is a wonderful architecture, although I suspect it will take |
| 72 |
me some time to get things together. I should like to start off |
| 73 |
with a custom firewall. |
| 74 |
|
| 75 |
Currently we only have a single static IP, so I'll have to stick |
| 76 |
to the four nic (2 DMZs) for now until we add some more |
| 77 |
static/routable IPs. Give me a little time to get |
| 78 |
organized. |
| 79 |
|
| 80 |
sincerely, |
| 81 |
|
| 82 |
James |
| 83 |
|
| 84 |
-- |
| 85 |
gentoo-embedded@g.o mailing list |
Archives