[ale] Virtual machine questions for public use machines

Alex Carver agcarver+ale at acarver.net
Sat Jan 24 18:09:56 EST 2015


Thanks but that's going a bit far for surfing. ;)

These machines are in a cleanroom.  Lab users could bring their own
laptops if they're willing to spend about half an hour physically
scrubbing them to remove dirt and skin oils.  Most don't want to do that
so that's why there are general purpose (already physically cleaned)
machines inside.  This VM idea is just a way of keeping pristine machine
software (the nightly dump and rinse) while having something behind them
(the host OS/firewall plus an external firewall) keep everything under
control.  The machines themselves are just repurposed cast-offs from
other uses.  Plenty of functionality but they weren't needed for their
original tasks any longer.

We did have one of them get hit with a virus recently due to a
contaminated USB stick.  Anti-virus missed it at first but traffic
monitors noticed it later.  Having the ability to just flush the VM and
start over with a fresh copy would just make things easier.

There's no need for smart-card or other central login because none of
these machines will be permitted to talk to any work host (they wouldn't
be able to reach the login server ;) ).  External Internet destinations
(e.g. Google) and that's it.

On 2015-01-24 14:47, Justin W Elam wrote:
> Yes this is possible.
> 
> I would advise to use an extender for the smartcard, monitor, sound, mouse
> and keyboard so that the terminal CPUs can be put in a secure, locked and
> CCTV monitored location. Some were able to integrate this into the monitor
> case.
> 
> Sun used to have the Sun Ray system which was a possible solution but
> Oracle's price is now too high in my opinion.
> 
> Have each terminal CPU be encrypted.
> 
> Manage security via smart card or federated SSO LDAP username and password,
> one signon to logon to terminal, domain, and network servers.
> 
> Script terminal to access a new VM session for each logon and at 0600 local
> reboot the terminal.
> 
> Then save the logins for user public123
> 
> Configure VM only for OpenOffice and browser.
> 
> Another option is to use a custom live disc that is placed in the terminal
> CPU and configure network or BIOS to reboot at 0600.
> 
> Another option is to place a switch at the terminal to reboot the machine,
> or allow cmd CTRL-ALT-DELETE to reboot terminal. And place a sign stating:
> before use, reboot machine.
> 
> The disc I have used is called
> LPS-Public-Deluxe.
> 
> http://spi.dod.mil/lipose.htm
> 
> http://www.wpafb.af.mil/news/story.asp?id=123189629
> 
> Every so often the SPI office releases an upgrade that must be downloaded
> to a CDROM if you would like updates.
> 
> Hope this helps your use case.
> 
> Your mileage may vary.
> 
> Good luck in your mission.
> 
> Warm regards,
> 
> --
> -------------------------------------
> Justin W Elam
> E-mail :> justin.w.elam at gmail.com
> ###