Cube-Spoon secure link

From Netsoc Wiki

There is a crossover cable between the secondary NICs of Spoon and Cube, which admins can use to access one machine from the other both directly and securely, without touching the untrusted College network. It's the only blue ethernet cable connected to either machine (Cube's primary is red, Spoon's is gray).

Shorewall is configured appropriately on both machines (zone slan) to permit traffic to and from the other.

This is useful for things like backups: because the data doesn't touch the College network, you don't need to encrypt the transfer:

[spoon] ~ > # dd if=/dev/sda of=/dev/stdout | pv | nc cuberoot-slan 4544

[cuberoot] ~ > # nc -lp 4544 | pv > important_backup

Another advantage of this is that the secure link is far less likely to be contended than the primary interface. However, you should bear in mind that Spoon's secondary NIC is only 100 Mbit/s.
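
The nc transfer above does not tell you whether the whole image arrived unmodified, so one way to check it is to hash the stream on Spoon as it is sent and compare against the file on cuberoot afterwards. This is an added example, not part of the original wiki page; the function names and the digest path /root/sda.sha256 are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): integrity check for the unencrypted
# nc backup. Function names and /root/sda.sha256 are assumptions.

# hash_stream DIGEST_FILE
# Copies stdin to stdout unchanged and writes the SHA-256 of the bytes that
# passed through to DIGEST_FILE. Hashing in-stream matters on the sender:
# re-reading a live /dev/sda later could yield different data.
hash_stream() {
    hs_dir=$(mktemp -d) || return 1
    mkfifo "$hs_dir/fifo" || { rm -rf "$hs_dir"; return 1; }
    # Background reader: hashes whatever tee writes into the FIFO.
    sha256sum < "$hs_dir/fifo" | cut -d' ' -f1 > "$1" &
    tee "$hs_dir/fifo"
    hs_rc=$?
    wait                      # let sha256sum finish writing the digest
    rm -rf "$hs_dir"
    return "$hs_rc"
}

# verify_backup FILE EXPECTED_DIGEST
# Succeeds only if FILE hashes to EXPECTED_DIGEST (catches truncation too).
verify_backup() {
    vb_actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ -n "$2" ] && [ "$vb_actual" = "$2" ]
}

# Usage, listener first:
#   [cuberoot] nc -lp 4544 | pv > important_backup
#   [spoon]    dd if=/dev/sda | hash_stream /root/sda.sha256 | pv | nc cuberoot-slan 4544
#   [cuberoot] verify_backup important_backup "$(ssh spoon-slan cat /root/sda.sha256)" \
#                  && echo "backup verified"
```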

The interfaces are currently assigned the following addresses:

[cuberoot] ~ > # cat /etc/hosts
127.0.0.1 localhost

# Secure crossover cable between cuberoot and spoon

192.168.42.1 spoon-slan
192.168.42.2 cuberoot-slan

To give us another way of getting root on Netsoc in case of LDAP going down, root login is enabled on each server over the secure link from the other server. Still, if cuberoot goes down, you're going to need to visit the server room to get root on Spoon.