[ale] Virtual machine questions for public use machines

Alex Carver agcarver+ale at acarver.net
Sun Jan 25 20:21:22 EST 2015


This would work fine for any of the Win 7 machines.  If we need one of
the Win XP machines (specific software issues) we can't attach them to
the network directly.  A VM with the host being an up-to-date Linux and
the VM firewalled off is OK (per IT).

On 2015-01-25 16:54, Michael Trausch wrote:
> Maybe this is too simple but why not just make a base image? HDDs run a stage two bootloader to rsync the system to pristine state, which it then boots. Happens every 24 hours or every 7 days or whatever. Not every reboot of course because then you have to worry about a necessary reboot taking a long time.
> 
> Sent from my iPhone
> 
>> On Jan 24, 2015, at 6:09 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
>>
>> Thanks but that's going a bit far for surfing. ;)
>>
>> These machines are in a cleanroom.  Lab users could bring their own
>> laptops if they're willing to spend about half an hour physically
>> scrubbing them to remove dirt and skin oils.  Most don't want to do that
>> so that's why there are general purpose (already physically cleaned)
>> machines inside.  This VM idea is just a way of keeping pristine machine
>> software (the nightly dump and rinse) while having something behind them
>> (the host OS/firewall plus an external firewall) keep everything under
>> control.  The machines themselves are just repurposed cast-offs from
>> other uses.  Plenty of functionality but they weren't needed for their
>> original tasks any longer.
>>
>> We did have one of them get hit with a virus recently due to a
>> contaminated USB stick.  Anti-virus missed it at first but traffic
>> monitors noticed it later.  Having the ability to just flush the VM and
>> start over with a fresh copy would just make things easier.
>>
>> There's no need for smart-card or other central login because none of
>> these machines will be permitted to talk to any work host (they wouldn't
>> be able to reach the login server ;) ).  External Internet destinations
>> (e.g. Google) and that's it.
>>
>>> On 2015-01-24 14:47, Justin W Elam wrote:
>>> Yes this is possible.
>>>
>>> I would advise to use an extender for the smartcard, monitor, sound, mouse
>>> and keyboard so that the terminal CPUs can be put in a secure, locked and
>>> CCTV monitored location. Some were able to integrate this into the monitor
>>> case.
>>>
>>> Sun used to have the Sun Ray system which was a possible solution but
>>> Oracle's price is now too high in my opinion.
>>>
>>> Have each terminal CPU be encrypted.
>>>
>>> Manage security via smart card or federated SSO LDAP username and password,
>>> one signon to logon to terminal, domain, and network servers.
>>>
>>> Script terminal to access a new VM session for each logon and at 0600 local
>>> reboot the terminal.
>>>
>>> Then save the logins for user public123
>>>
>>> Configure VM only for OpenOffice and browser.
>>>
>>> Another option is to use a custom live disc that is placed in the terminal
>>> CPU and configure network or BIOS to reboot at 0600.
>>>
>>> Another option is to place a switch at the terminal to reboot the machine,
>>> or allow cmd CTRL-ALT-DELETE to reboot terminal. And place a sign stating
>>> "before use, reboot machine."
>>>
>>> The disc I have used is called
>>> LPS-Public-Deluxe.
>>>
>>> http://spi.dod.mil/lipose.htm
>>>
>>> http://www.wpafb.af.mil/news/story.asp?id=123189629
>>>
>>> Every so often the SPI office releases an upgrade that must be downloaded
>>> to a CDROM if you would like updates.
>>>
>>> Hope this helps your use case.
>>>
>>> Your mileage may vary.
>>>
>>> Good luck in your mission.
>>>
>>> Warm regards,
>>>
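
The "flush the VM and start over with a fresh copy" step discussed in this thread, sketched as an added example (not code from any poster). It assumes a file-based guest disk image on the Linux host, a lock file that exists while the guest runs, and `sha256sum` on the host; every path and function name is hypothetical.

```shell
#!/bin/sh
# Added example: reset a public-use VM disk from a golden image.
# Paths, the lock-file convention and function names are assumptions.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# reset_vm_disk GOLDEN EXPECTED_SHA256 LIVE [LOCKFILE]
# Returns 0 after a reset, 2 if the golden image fails verification,
# 3 if the guest appears to be running, 4 if the copy fails.
reset_vm_disk() {
    golden=$1 expected=$2 live=$3 lock=${4:-}
    # Never swap the disk out from under a running guest.
    if [ -n "$lock" ] && [ -e "$lock" ]; then
        return 3
    fi
    # A modified golden image would be re-deployed on every reset,
    # so check it against a digest recorded when it was built.
    if [ ! -r "$golden" ] || [ "$(sha256_of "$golden")" != "$expected" ]; then
        return 2
    fi
    tmp="$live.new.$$"
    # Copy beside the live disk, verify, then rename, so an interrupted
    # run cannot leave a half-written disk in place.
    if ! cp -- "$golden" "$tmp" || [ "$(sha256_of "$tmp")" != "$expected" ]; then
        rm -f -- "$tmp"
        return 4
    fi
    mv -f -- "$tmp" "$live"
}

# Constructed demo: tiny stand-in files instead of real disk images.
demo_dir=$(mktemp -d)
printf 'pristine guest disk\n' > "$demo_dir/golden.img"
printf 'contaminated guest disk\n' > "$demo_dir/live.img"
reset_vm_disk "$demo_dir/golden.img" \
    "$(sha256_of "$demo_dir/golden.img")" "$demo_dir/live.img"
echo "reset exit status: $?"
rm -rf "$demo_dir"
```

Run from cron on the host, the expected digest should come from a location the guest cannot write to.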


