Ideas to provision dual-OS, with one OS not supported by ChemIT.
Need
Run Linux OS which John is familiar with. And do so directly on the hardware to optimize performance.
- Hence John's request for a Debian boot partition, which he can set up if we provision him with a Windows computer.
Unknown: Performance hit of running Debian as a guest of a Windows host machine.
General
Systems with OSes not supported by ChemIT run on Cornell's RedRover (wireless).
- In special circumstances, especially for Cornell-owned hardware, consider putting them on Cornell's "GreenNet" (ethernet)
- ChemIT's networks are reserved for systems managed by ChemIT
- Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.
Option table
Only list likely candidates, not all possible options.
Recommendations/ |
|
Boot 1 |
Boot 2 |
Host |
Guest |
Network: |
Notes |
---|---|---|---|---|---|---|---|
|
Option 1 |
Windows |
Debian |
N/A |
N/A |
GreenNet |
Easiest to set up. |
|
Option 2 |
Windows |
Debian, but only run as a boot OS when h/w performance needed. |
Windows |
Debian, from Boot 2 partition. Run Debian this way, unless need h/w performance. |
ChemIT: FreedNet, if Windows is indeed usually running. |
Doable? Cost-effective, time-wise? |
|
Option 3 |
Windows |
Debian |
N/A |
N/A |
ChemIT: FreedNet |
Easiest to set up. |
|
Option |
Windows |
Debian |
N/A |
N/A |
ChemIT: Public IP |
Easiest to set up. |
Specifics
OSes
John responsible for dual-boot capabilities. Can pull all networking info from Windows OS's configuration.
- If ChemIT needed to reconfigure system, ChemIT only responsible for laying down a new Windows OS, w/ permission to reformat entire hard drive if necessary.
Windows cannot get patched unless it is running.
- In a dual-boot configuration, long periods of time can elapse without patching of Windows if Debian being used by default.
- If Windows is to be used, commit to running Windows so it can be patched at least once per week.
Networks
GreenNet network
Mimics network as provisioned by a home-based ISP (non-static IP, very limited ACLs, etc.).
Instead of an ISP, the researcher's relationship is directly with CIT.
Requires a VPN (to re-log-in after 8 hours, if necessary) to access Eldor server.
No VPN required to print or access CIT SFS file shares.
ChemIT network
In general, these networks are reserved for systems managed by ChemIT.
- Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.
- A secure configuration for desktops includes not running server-like software (like SSH).
- ChemIT responsible for the security of these networks.
The Freed research network has strong protections, by both a router and ACLs.
- Does not permit in-bound SSH to desktop.
Systems in the ChemIT network are more vulnerable to each other than from outside-the-network systems.
- Thus, must exert efforts to prevent situations in which a single compromised system becomes a launching-point to all the other systems on that same network.