ISAAC NEWTON GROUP OF TELESCOPES

LINUX USER REQUIREMENTS


The meeting to discuss Solaris, LINUX and network security was held on Wednesday 8 March at 11:00 in the SLO Conference Room. Present were Gordon Talbot, Danny Lennon, Nic Walton, Ian Skillen, Frank Gribbin, Dennis Armstrong and Craige Bevil.

1. Network Security design options: firewalls, tcp_wrappers, secure shells, etc.

CFG's decision to install tcp_wrappers was explained in some detail. The three options that had been considered were compared and the following points covered:

Option 1. Firewall network topologies: DMZ and dual bastion hosts, with the external web servers and the SMTP host in the DMZ.
Multiple network connections via the ORM IAC router preclude effective DMZ management. The PowerWHT switch and the IAC router are configured with single-mode fibre interfaces, so inserting a new computer in the chain costs about £1500 per fibre interface.

Option 2. IP filtering on routers. This requires a separate IP subnet on each router interface. Feasible for SLO, but PowerWHT (configured as a switch, not a router) would require five or six new subnets and complicated router management.

Option 3. tcp_wrappers. Quick to install and easy to configure, with little impact on data transfer rates. Since DCA's installation the user impact has been well managed and the access control has held. Note that tcp_wrappers covers only services started through tcpd (inetd) or linked with libwrap; daemons outside that set must be controlled separately.

The use of secure shell was discussed. Although it provides strong authentication and encrypts the whole session, the immediate driver was that users were finding it is now required for access to universities and research institutions. NAW recommended OpenSSH (the free implementation built on the OpenSSL library). Robert had already installed a client, but there was now a need for an "ssh" server on the ING compute servers. An important point to emerge from the discussion was that "ssh" was not, at this stage, to replace rlogin, rcp and telnet, but to provide interoperability with external sites. NRJ pointed out that some instruments use FTP hardcoded inside applications to perform basic data transfer. These instances would have to be removed completely before plain FTP, telnet and rlogin could be withdrawn and secure shell (with scp for file transfer) made the only access method.

ACTION: CFG. Raise the priority of the secure shell server installation.

2. LINUX upgrade for Solaris workstations: Requirements Definition

2.1 Identification of systems under consideration

DBA split the installed base of UNIX computers into three categories and defined the LINUX requirements for each:
 
Computer function                                            Requirement
Some personal workstations in Astronomy and CSG              Operating system installed and administered by the workstation user, who has root permission
Experimental services in Astronomy and CSG                   As above, but configured for server operation (e.g. databases)
Operational observing-system computers and network servers   No change to Solaris in the next two years

The scope of the LINUX installations would cover only the existing LINUX platforms and any new purchases; no existing Solaris computers would be converted. The current systems, all running Red Hat 6.1, are:

Computer name            Owner            Location     Hardware
cbpc.ing-slo.iac.es      Craige Bevil     CB office    Dell PC
rcpc.ing-slo.iac.es      Robin Clark      RC office    Dell PC
rbpc.ing-slo.iac.es      Richard Bassom   RB office    Dell PC
kampen.ing-slo.iac.es    Nic Walton       NW office    Dell PC
tenku.ing-slo.iac.es     Ian Skillen      IS office    Dell PC

2.2 Goals

  1. To establish development platforms for LINUX applications. In particular, to support new project proposals such as the Laser Guide Star, and to prototype new database servers such as MySQL. Database development using a free database program for projects such as PATT schedules, filters, DIMM measurements, meteorological data would not require use of the fairly heavily loaded Sybase server on orion.
  2. To reap the benefits of the improved cost/performance ratio of LINUX over Solaris, which NAW quoted as a factor of four.

2.3 Assumptions

  1. LINUX workstations will run standalone, with no NFS mounted partitions, no NIS+ network lookup services, no backups by Solaris programs.
  2. LINUX workstations will expect to contact Solaris servers for printing (pserver2.ing.iac.es) and mail (smtphost.ing.iac.es and mailhost.ing.iac.es).
  3. There are no requirements for central network shared resources, so no additional investment is needed in servers and disk space.

2.4 Objections

  1. CFG support currently covers Solaris, OpenVMS, Windows 95 and Windows NT. Adding a further operating system to their remit would stretch the skill base too far. To relieve CFG of managing the workstations, LINUX owners will be their own system administrators.
  2. Currently the LINUX workstations are unmanaged hosts and so a potential weakness in the ING IT security model. To complete the security matrix, LINUX workstation owners will install tcp_wrappers and be given copies of the /etc/syslog.conf, /etc/hosts.allow and /etc/hosts.deny files by the Security Manager.
  3. LINUX workstations will be liable to random spot checks by the Security Manager to verify that known LINUX vulnerabilities have been patched and that the tcp_wrappers control files are correctly configured.
  4. There will be no backup of LINUX workstations by CFG. Data backup is the responsibility of the workstation owners. To assist in this, a Sun Ultra 10 DAT drive will be moved to a LINUX workstation.

ACTION: Don Carlos Abrams: Issue the tcp_wrappers support files to the above list of workstation owners.
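
As an added, worked example of the files referred to under option 3 in section 1 and in item 2 above (these are not CFG's actual files, which are issued by the Security Manager): a default-deny /etc/hosts.deny, an /etc/hosts.allow that admits ssh from the local domain and the legacy clear-text services only from one local subnet, and a small checker that reproduces the hosts_access(5) decision order so that a pair of files can be sanity-checked on a workstation before installation. The domain suffix .iac.es, the network 192.0.2.0/24 and the daemon names are assumptions; the real ING subnets are not given in these notes.

```shell
#!/bin/sh
# Added example, not from the minutes: constructed hosts.allow/hosts.deny
# pair plus a checker reproducing the hosts_access(5) evaluation order.
# Assumptions: domain .iac.es, network 192.0.2.0/24, daemon names.
set -eu

WRAPDIR=$(mktemp -d)
trap 'rm -rf "$WRAPDIR"' EXIT

# Default-deny. Without this line every service not named in hosts.allow
# would be reachable from anywhere, because "no match" means allow.
cat > "$WRAPDIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Consulted first; the first matching rule grants access.
cat > "$WRAPDIR/hosts.allow" <<'EOF'
# ssh from any host in the local domain (reverse DNS) or the local subnet
sshd: .iac.es 192.0.2.
# legacy clear-text services only from the local subnet, pending removal
in.telnetd in.rlogind in.rshd in.ftpd: 192.0.2.
# loopback may reach everything
ALL: localhost 127.0.0.1
EOF

# match_pattern PATTERN VALUE: ALL, ".domain" suffix, "net." prefix, exact
match_pattern() {
  pat=$1 val=$2
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$val" in *"$pat") return 0 ;; esac ;;
    *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
    *)   if [ "$pat" = "$val" ]; then return 0; fi ;;
  esac
  return 1
}

# list_matches "p1 p2 ..." VALUE: true if any pattern in the list matches
list_matches() {
  for p in $1; do
    if match_pattern "$p" "$2"; then return 0; fi
  done
  return 1
}

# file_matches FILE DAEMON CLIENT: true if some "daemons : clients" rule matches
file_matches() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=${line%%:*}
    clients=${line#*:}
    if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
      return 0
    fi
  done < "$1"
  return 1
}

# wrap_decision DAEMON CLIENT -> "allow" or "deny", in hosts_access order:
# a hosts.allow match grants; else a hosts.deny match refuses; else grant.
wrap_decision() {
  if file_matches "$WRAPDIR/hosts.allow" "$1" "$2"; then
    echo allow
  elif file_matches "$WRAPDIR/hosts.deny" "$1" "$2"; then
    echo deny
  else
    echo allow
  fi
}

for d in sshd in.telnetd; do
  for c in kampen.ing-slo.iac.es 192.0.2.17 198.51.100.9; do
    printf '%-11s from %-24s %s\n' "$d" "$c" "$(wrap_decision "$d" "$c")"
  done
done
```

The point the checker makes is the evaluation order: hosts.allow first, hosts.deny second, and "no match in either" means allow, so a hosts.deny without the ALL: ALL line leaves every unlisted service open. The checker understands only ALL, exact names, leading-dot domain suffixes and trailing-dot network prefixes; net/mask forms, EXCEPT and spawn options are not modelled, so on the real host confirm the installed files with tcpdmatch(8), for example tcpdmatch in.telnetd 198.51.100.9. Domain-suffix rules depend on the reverse DNS lookup of the client, which tcpd cross-checks against the forward lookup.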

2.5 Restrictions

  1. If the workstation population grows above five in a group, the Head of Engineering and the Head of CFG will convene a meeting to ensure that LINUX applications are served from a central server, to minimise redundant parallel system and application administration by every workstation owner. A project proposal will be written and submitted to the EMM to request funding for CFG training in LINUX administration and Solaris/LINUX integration.
  2. At the same time, the implementation of NIS+ under LINUX (under development at the time of writing) will be inspected to see if efficiencies can be gained by making the workstations NIS+ trusted hosts.
  3. To ease eventual integration with the Solaris NIS+ name service, LINUX users should adopt now the same usernames, user IDs and group IDs that they are already assigned on Solaris; this will save much time later.
  4. CFG will assist LINUX users with basic hardware maintenance of their Dell PCs, covering diagnosis of failed PSUs, memory, etc. Beyond that, fault diagnosis must be carried out by the workstation owner, who is presumed skilled in these areas.

ACTION: All LINUX users: Change user IDs, group IDs and usernames to conform to the existing Solaris entries.
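
An added example in support of this action (not a CFG tool; the usernames and numbers below are constructed): a shell check that lists the local accounts whose UID or GID disagrees with the Solaris passwd map, and the commands a workstation owner would run as root to renumber one account. It assumes the Solaris map has first been saved to a file on the workstation, for instance from the output of niscat passwd.org_dir, and that Red Hat's default of numbering local users from 500 applies.

```shell
#!/bin/sh
# Added example, not from the minutes: report Linux accounts whose numeric
# IDs differ from the Solaris/NIS+ passwd map, and print the commands an
# owner runs as root to renumber one account. Usernames and IDs below are
# constructed; the ING maps are not reproduced here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed Solaris passwd map (assumed saved from niscat passwd.org_dir).
cat > "$WORK/passwd.solaris" <<'EOF'
nwalton:x:1021:100:Nic Walton:/home/nwalton:/bin/sh
iskillen:x:1033:100:Ian Skillen:/home/iskillen:/bin/sh
cbevil:x:1040:200:Craige Bevil:/home/cbevil:/bin/sh
EOF

# Constructed Linux /etc/passwd: Red Hat numbers locally created users
# from 500 upwards, so a fresh install rarely agrees with the Solaris IDs.
cat > "$WORK/passwd.linux" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nwalton:x:500:500:Nic Walton:/home/nwalton:/bin/bash
skillen:x:501:501:Ian Skillen:/home/skillen:/bin/bash
cbevil:x:1040:200:Craige Bevil:/home/cbevil:/bin/bash
EOF

# uid_mismatches SOLARIS_PASSWD LINUX_PASSWD
# One line per ordinary Linux account (UID >= 500) that does not agree with
# the Solaris map: "user linux_uid:gid solaris_uid:gid", or MISSING when
# the Linux username has no Solaris counterpart (rename it by hand).
uid_mismatches() {
  awk -F: '
    NR == FNR { sol[$1] = $3 ":" $4; next }
    $3 < 500 { next }
    $1 in sol { if (sol[$1] != $3 ":" $4) print $1, $3 ":" $4, sol[$1]; next }
    { print $1, $3 ":" $4, "MISSING" }
  ' "$1" "$2"
}

# migration_commands USER NEWUID NEWGID OLDUID OLDGID
# The group with NEWGID must already exist (groupadd -g NEWGID name if not).
# usermod re-owns only the home directory; files elsewhere still carry the
# old numbers and must be found by number, because the names now map to the
# new IDs. Anything left behind is owned by whoever is later assigned the
# old UID, e.g. through NIS+, which is why numeric IDs are used throughout.
migration_commands() {
  user=$1 nuid=$2 ngid=$3 ouid=$4 ogid=$5
  printf 'usermod -u %s -g %s %s\n' "$nuid" "$ngid" "$user"
  printf 'find / -xdev -uid %s -exec chown -h %s {} +\n' "$ouid" "$nuid"
  printf 'find / -xdev -gid %s -exec chgrp -h %s {} +\n' "$ogid" "$ngid"
}

echo "user linux_uid:gid solaris_uid:gid"
uid_mismatches "$WORK/passwd.solaris" "$WORK/passwd.linux"
echo
echo "# commands for nwalton (run as root on the workstation):"
migration_commands nwalton 1021 100 500 500
```

usermod -u refuses a UID that another local account already holds, so clear the whole mismatch report before renumbering, and run the find commands on every local filesystem (the -xdev stops at mount points). The find step is the part that matters for security: a file left with the old numeric owner belongs to whoever is later given that number, which after NIS+ integration could be a different person.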

ACTION: Danny Lennon: Select the DAT drive to be moved, so that the Sun Ultra 10 can be reconfigured correctly.

2.6 Topics requiring further investigation

  1. NIS+ integration with RedHat LINUX. Currently only SuSE LINUX seems to have implemented NIS+ support, but the product is still buggy.

2.7 Prioritised objectives

  1. tcp_wrappers installation
  2. user ID, group ID conformance
  3. Setting up DAT drives for backup
  4. secure shell server installation 

2.8 Physical requirements

  1. Access to the old sllx01 DAT drive for Craige Bevil.
  2. Move DAT from an Ultra 10 to tenku.

2.9 Agreement on current system shortcomings, future system requirements, anticipated benefits and recommendations

  As noted above, the status quo will be maintained apart from the addition of tcp_wrappers to all LINUX workstations. CFG will provide print and mail services and assign IP addresses to new machine names.
 

Nick Johnson
File: slnt:\home\cfg\nrj\docs\projects\linux\meeting1_notes.htm
Version 1.0
March 8 2000