BSDI Image/GPS/Security
Surveyor FAQ
At this time all Surveyor nodes are running BSDI BSD/OS 3.1, kernel #2. The group working on the new image side of the infrastructure decided to upgrade these systems to Debian GNU/Linux 3.0.

One of Surveyor's main capabilities is GPS. It allows exact network measurements, on the order of fractions of a second, between any machines running Surveyor when running tests.

A third concern was security. If these machines are available as a measurement infrastructure for the community of those interested in network measurement, they should be used as such, not for other agendas. Therefore, the services and permissions made available should follow certain security measures. The image being developed still needs to incorporate the following suggestions provided by Dave Plonka:

"You should look at the BSDI Surveyor machines and see which services they are running now - or were running when they were in good shape. A good way to do that is with lsof, if it's installed:

    % lsof -i # lists all open Internet sockets

If lsof isn't installed use netstat:

    % netstat -a --inet # BSD might not have the "--inet" option

Anyway, once you know which services you will be running, you can make informed decisions about how to keep them secure. If you're on a current version of Debian, you'll be able to use dselect/dpkg to upgrade the affected packages when security-related flaws are fixed.

One of the other best ways, but sometimes inconvenient, is to maintain a set of host-based firewall rules that have the kernel discard packets destined for the firewalled services unless they are from the right host addresses.

If you're using a Linux 2.2 kernel, then you'd use ipchains to do this. If you're using a 2.4 kernel, then iptables is a better choice - otherwise there is an ipchains compatibility module that lets you use the ipchains command to configure the firewall."
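
The two suggestions above combined, as an added example that is not from the original page or from Dave Plonka: it reads a listing in the format of `netstat -an --inet` and prints iptables rules that accept each listening service only from named hosts and discard everything else. The sample listing, the addresses (documentation ranges) and the function names are constructed for illustration, and `-n` is added to netstat so ports come out numeric.

```shell
#!/bin/sh
# Constructed sample in the format of `netstat -an --inet` (not real node output).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Read netstat output on stdin; print "proto port" for each socket waiting for
# traffic from other hosts. A foreign address ending in ":*" marks a listener,
# and loopback-only listeners are skipped because they are not reachable remotely.
listening_services() {
    awk '($1 == "tcp" || $1 == "udp") && $5 ~ /:\*$/ && $4 !~ /^127\./ {
            n = split($4, a, ":")
            if (a[n] ~ /^[0-9]+$/) print $1, a[n]   # numeric ports only
         }' | sort -u
}

# gen_rules ALLOWED_HOST...: read "proto port" lines on stdin and print (never
# run) iptables commands. Rules are appended in order, so the per-host ACCEPTs
# are matched before the final DROP for the same port.
gen_rules() {
    while read -r proto port; do
        for src in "$@"; do
            echo "iptables -A INPUT -p $proto -s $src --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Hypothetical allowed hosts (documentation addresses).
sample_netstat | listening_services | gen_rules 192.0.2.50 192.0.2.51
```

The commands are printed rather than executed so the rule set can be reviewed against the service inventory before it is loaded.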
