Ideas to provision dual-OS, with one OS not supported by ChemIT.

Need

Run a Linux OS that John is familiar with, directly on the hardware to optimize performance.

  • Hence John's request for a Debian boot partition, which he can set up if we provision him with a Windows computer.

Unknown: Performance hit of running Debian as a guest of a Windows host machine.

General

Systems with OSes not supported by ChemIT run on Cornell's RedRover (wireless).

  • In special circumstances, especially for Cornell-owned hardware, consider putting them on Cornell's "GreenNet" (ethernet).
  • ChemIT's networks are reserved for systems managed by ChemIT
    • Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.

Option table

Lists only likely candidates, not all possible options.

| Recommendations/Preferences | Option | Boot 1 | Boot 2 | Host | Guest | Network: ChemIT or GreenNet | Notes |
|---|---|---|---|---|---|---|---|
| | Option 1 | Windows | Debian | N/A | N/A | GreenNet | Easiest to set up. Can ChemIT manage a Windows system on GreenNet? Safest for Research group's network (Freed's and CCB's). John must run VPN to connect to Eldor. Up to John to figure out a way to SSH to the system (since no static IP). |
| | Option 2 | Windows | Debian, but only run as a boot OS when h/w performance needed. | Windows | Debian, from Boot 2 partition. Run Debian this way, unless need h/w performance. | ChemIT: FreedNet, if Windows is indeed usually running. | Doable? Cost-effective, time-wise? Any easier for maintenance? |
| | Option 3 | Windows | Debian | N/A | N/A | ChemIT: FreedNet | Easiest to set up. Safest for John's computer. Higher risk for Freed's Research group's systems. No SSH to system. |
| | Option 4 | Windows | Debian | N/A | N/A | ChemIT: Public IP | Easiest to set up. Safest for John's computer. Higher risk to CCB's Research group's systems. Can SSH to system. |

Specifics

OSes

John is responsible for dual-boot capabilities. He can pull all networking info from the Windows OS's configuration.

  • If ChemIT needs to reconfigure the system, ChemIT is only responsible for laying down a new Windows OS, w/ permission to reformat the entire hard drive if necessary.

Windows cannot get patched unless it is running.

  • In a dual-boot configuration, long periods of time can elapse without Windows being patched if Debian is used by default.
    • If Windows is to be used, commit to running Windows so it can be patched at least once per week.

Networks

GreenNet network

Mimics a network as provisioned by a home-based ISP (non-static IP, very limited ACLs, etc.).

Instead of an ISP, the researcher's relationship is directly with CIT.

Requires a VPN to access the Eldor server (re-log-in after 8 hours, if necessary).

No VPN required to print or access CIT SFS file shares.

ChemIT network

In general, these networks are reserved for systems managed by ChemIT.

  • Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.
    • A secure configuration for desktops includes not running server-like software (like SSH).
  • ChemIT responsible for the security of these networks.

The Freed research network has strong protections, by both a router and ACLs.

  • Does not permit in-bound SSH to desktop.

Systems in the ChemIT network are more vulnerable to each other than to systems outside the network.

  • Thus, effort must be made to prevent situations in which a single compromised system becomes a launching point to all the other systems on that same network.