Ideas to provision dual-OS, with one OS not supported by ChemIT.

Need

Run a Linux OS that John is familiar with, and do so directly on the hardware to optimize performance.

  • Hence John's request for a Debian boot partition, which he can set up if we provision him with a Windows computer.

Unknown: Performance hit of running Debian as a guest of a Windows host machine.

General

Systems with OSes not supported by ChemIT run on Cornell's RedRover (wireless).

  • In special circumstances, especially for Cornell-owned hardware, they can be put on Cornell's "GreenNet" (ethernet)
  • ChemIT's networks are reserved for systems managed by ChemIT
    • Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.

Option table

Only list likely candidates, not all possible options.

| Recommendations/Preferences |  | Boot 1 | Boot 2 | Host | Guest | Network: ChemIT or GreenNet | Notes |
|---|---|---|---|---|---|---|---|
|  | Option 1 | Windows | Debian | N/A | N/A | GreenNet | Easiest. |
|  | Option 2 | Windows | When h/w performance needed: Debian | Windows | Debian, from Boot 2 installation | ChemIT, if Windows is usually running. | Doable? Cost-effective, time-wise? |
|  | Option 3? |  |  |  |  |  |  |

Specifics

OSes

John is responsible for dual-boot capabilities. He can pull all networking info from the Windows OS's configuration.

  • If ChemIT needs to reconfigure the system, ChemIT is only responsible for laying down a new Windows OS, with permission to reformat the entire hard drive if necessary.

Windows cannot get patched unless it is running.

  • In a dual-boot configuration, long periods of time can elapse without patching of Windows if Debian is being used by default.
    • If Windows is to be used, commit to running Windows so it can be patched at least once per week.

Networks

GreenNet network

Mimics a network as provisioned by a home-based ISP (non-static IP, very limited ACLs, etc.).

Instead of an ISP, the researcher's relationship is directly with CIT.

Requires a VPN (with re-login after 8 hours, if necessary) to access the Eldor server.

No VPN required to print or access CIT SFS file shares.

ChemIT network

In general, these networks are reserved for systems managed by ChemIT.

  • Configuration, Active Directory log-in (enforcing p/w strength and consequences), patching oversight, anti-virus oversight.
    • A secure configuration for desktops includes not running server-like software (like SSH).
  • ChemIT responsible for the security of these networks.

The Freed research network has strong protections, by both a router and ACLs.

  • Does not permit in-bound SSH to desktop.

Systems in the ChemIT network are more vulnerable to each other than to systems outside the network.

  • Thus, effort must be made to prevent situations in which a single compromised system becomes a launching point to all the other systems on that same network.