Difference between revisions of "Cube-Spoon secure link"

From Netsoc Wiki
 
Line 1: Line 1:
 
There is a crossover cable between the secondary NICs of [[Spoon]] and [[Cube]], which admins can use to  
 
There is a crossover cable between the secondary NICs of [[Spoon]] and [[Cube]], which admins can use to  
access one machine from the other both directly and securely, without touching the untrusted College network. It's only blue
+
access one machine from the other both directly and securely, without touching the untrusted College network. It's the only blue
 
ethernet cable connected to either machine (cube's primary is red, spoon's is gray).
 
ethernet cable connected to either machine (cube's primary is red, spoon's is gray).
  

Latest revision as of 09:11, 5 February 2014

There is a crossover cable between the secondary NICs of Spoon and Cube, which admins can use to access one machine from the other both directly and securely, without touching the untrusted College network. It's the only blue ethernet cable connected to either machine (cube's primary is red, spoon's is gray).

Shorewall is configured appropriately on both machines (zone slan) to permit traffic to and from the other.

This is useful for things like backups: since the data doesn't touch the College network, you don't need to encrypt the transfer:

[spoon] ~ > # dd if=/dev/sda of=/dev/stdout | pv | nc cuberoot-slan 4544

[cuberoot] ~ > # nc -lp 4544 | pv > important_backup

Another advantage of this is that the secure link is far less likely to be contended than the primary interface. However, you should bear in mind that Spoon's secondary NIC is only 100 Mbit/s.

The interfaces are currently assigned the following addresses:

[cuberoot] ~ > # cat /etc/hosts
127.0.0.1 localhost

# Secure crossover cable between cuberoot and spoon

192.168.42.1 spoon-slan
192.168.42.2 cuberoot-slan
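
The plaintext backup above is only safe if `cuberoot-slan` really points at a crossover address; if the hosts entry is missing or wrong, the same command would send the disk image over the College network. The following is an added example, not part of the original wiki page, that refuses to send unless the name is pinned in the hosts file to one of the two addresses listed above. The function names and the `HOSTS_FILE` override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki). Function names and the HOSTS_FILE
# override are assumptions made for illustration.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Print the address the hosts file pins to a name; fail if there is none.
# Only the hosts file is read, so a missing entry cannot fall back to DNS.
slan_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }   # strip comments
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit !found }
    ' "$HOSTS_FILE"
}

# Succeed only for the two crossover addresses listed on the page.
is_slan_addr() {
    case "$1" in
        192.168.42.1|192.168.42.2) return 0 ;;
    esac
    return 1
}

# Print the peer's address, or refuse if the name is unpinned or off-link.
slan_target() {
    slan_ip=$(slan_lookup "$1") || {
        echo "refusing: $1 is not in $HOSTS_FILE" >&2; return 1; }
    is_slan_addr "$slan_ip" || {
        echo "refusing: $1 resolves to $slan_ip, not the crossover link" >&2; return 1; }
    printf '%s\n' "$slan_ip"
}

# Send stdin to PORT on the peer, connecting by address rather than by name.
# Usage: dd if=/dev/sda | pv | slan_send cuberoot-slan 4544
slan_send() {
    slan_dst=$(slan_target "$1") || return 1
    nc "$slan_dst" "$2"
}
```
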

To give us another way of getting root on Netsoc in case of LDAP going down, root login is enabled on each server over the secure link from the other server. Still, if cuberoot goes down, you're going to need to visit the server room to get root on Spoon.