[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [school-discuss] security issues in K12LTSP
Daniel Howard wrote:
When the Ethernet cables are inadvertently swapped in a K12LTSP server,
and it proceeds to hand out IP addresses to windows PCs on the school
LAN, is it possible for it to also hand out IP addresses to other PCs on
the district WAN? Under these conditions, are there any increased
security risks from hackers, viruses, etc.?
Depends on the router configurations for your district WAN. Typically
the router has to have dhcp helper addresses in place to route DHCP
requests to servers on other networks. You probably don't have
seriously increased risk from the mistake, if the inside interface of
your server is on a private IP, and thus not routed to the Internet.
Again that depends on the configuration of the routers etc..
You can probably guess why I'm asking, and since then we have hardcoded
the MAC addresses of clients in each room to the server's dhcpd.conf
file and turned off dynamic DHCP, in case once again someone comes along
after us and rewires the rooms.
I also found a site that referred to the fact that very little security
was built into a default LTSP install, is this true for K12LTSP as
well? Is there a document for K12LTSP on enhancing security for it?
Here's the one I found for LTSP:
http://www.ltsp.org/contrib/ltsp-basic_security.html
That document looks pretty good, there is a bit more that can be done
with NFS, setting the ports it's daemons run on to help with
firewalling. You can easily check to see if your K12LTSP server has the
above measures in place. Fedora has lots of built in security you can
take advantage of. I would suggest applying regular updates, running a
tripwire of some sort and keeping a good backup as well.
- cameron