O/S Deployment Thread: FOG security and other questions
  1. #1


    FOG security and other questions

    Hello,

    We are currently using Zenworks Imaging for our Novell clients and Ghost for our AD clients, but soon we will be going completely to Active Directory. Therefore I have been looking for an enterprise cloning solution. I have been looking at FOG, Clonezilla, WDS and Ghost Enterprise Solutions. I deployed a FOG server on VMware to test. While I was off for the weekend the server became compromised and had to be disabled. I am not an expert in Linux (but trying to learn). Is there a best practice document on how to secure the Linux server and FOG against attacks?

    I also have a question about imaging a local workstation with FOG. So far all I can find is that a workstation must be imaged with PXE to the FOG server. Is there a way to use FOG to image a workstation to and from a USB or mapped drive?

    Thanks for any help,
    Steve

  2. #2
    tommej
    Do you need internet access on the FOG server? (Assuming by compromised you mean by someone externally :P)

    Easiest way is to disable internet access, I guess.

  3. #3

    Thanks for the reply.

    I had the server behind a NAT router to start the testing and it was safe but eventually we have to move it to the production network which is connected to the whole University network and internet. I could hide it somewhat from the Internet but then configuring the DHCP and DNS (which are on the main networks) would be even harder. Considering that the university network has thousands of student personal computers on it that would only be some help.

  4. #4


    FOG Security

    Hi all,

    FOG and security is a concern to me too.

    As I understand it, securing FOG means securing TFTP, and that sounds somewhat like a dead end. For sure some customization of the server's passwords, firewall, SSH conf, Web server conf and other confs I don't know would help, but FOG will remain insecure in an unsecured environment. As long as you can't control the devices on the subnet it will go down sooner or later.

    I'm intending to run some tests in the next months on a scalable FOG architecture and I'll tell you if I get some clues; I'm not a Linux specialist either. One move could be to shorten the life cycle of the server, reduce its output capacities to the minimum and secure the image delivery, I mean ensure that distributed images and PXE images are not corrupted, maybe by using FOG as a one-way-only cloning device and placing file rights as to. An AppArmor profile could be some help too, maybe.

    I'll focus on the basic security in my attempts, as my main concern for now is using it on a fixed unalterable DHCP's LAN by testing some alleged "proxy DHCP" capabilities of dnsmasq 2.49. I would like to hear about that if someone over here knows.

    Until now I have tested a FOG server only in a lab LAN: good and efficient work, out of the box and ready to mass-clone, but DRBL sounds more convenient in this situation. FOG server, to me, is more a head for a 10/100 controlled devices LAN, small closed cells like classrooms or labs. For Windows device management on a big open LAN and AD I'd think RIS/WDS or some win embedded technology.

  5. #5

    Oh, I forgot: for the record, my organization runs three physical nets (public, administrative and educational controlled devices), and on the secured administrative one they implanted ZenWorks imaging over the AD. Don't ask me how, some black magic forbidden breeding synchronization trick I guess. Maybe this solution can help and save licences you won't use if you simply abandon Novell, and as your net admins will need to synchronize Novell to AD anyway for migration, why not?

  6. #6


    There's a section on securing NFS here:
    Security and NFS

    I'd start there and then close down/secure any services you're not using (nmap), then learn about SELinux and firewall rules (to restrict the IP addresses that you allow to connect). I'd agree with aslan that TFTP is inherently insecure, but I don't think that should be a major problem if you put it into a chroot jail.
    I'm sure it can be done securely if you're willing to put the time in, but at the end of the day just weigh it up against the cost/learning curve against another provider.
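
As an added illustration of the advice above to close down services that are not in use and restrict who can connect (this is not part of the original thread): a shell function that reads `ss -H -tuln` output and flags listeners that are off an allow-list or bound to every interface. The allow-list (standard ports for the SSH, TFTP, web server and NFS services named in this thread) and the sample listing are constructed assumptions; adjust them to what your FOG server actually runs.

```bash
#!/usr/bin/env bash
# Added example: audit listening sockets against an allow-list.
# Assumption: these are the only services this imaging server should expose
# (standard ports for SSH, TFTP, HTTP, rpcbind and NFS). Adjust for your host.
ALLOWED="tcp/22 udp/69 tcp/80 tcp/111 udp/111 tcp/2049"

# audit_listeners: reads `ss -H -tuln` output on stdin.
# Prints "UNEXPECTED proto/port addr" for listeners not on the allow-list and
# "WILDCARD proto/port addr" for allowed ones bound to all interfaces
# (candidates for a firewall rule that restricts source addresses).
audit_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      proto = $1
      port = $5; sub(/.*:/, "", port)        # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
      # Loopback-only listeners are not reachable from the network.
      if (addr ~ /^127\./ || addr == "[::1]") next
      key = proto "/" port
      if (!(key in ok))
        print "UNEXPECTED", key, addr
      else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
        print "WILDCARD", key, addr
    }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE='udp   UNCONN 0 0    0.0.0.0:69      0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511  *:80            *:*
tcp   LISTEN 0 64   0.0.0.0:2049    0.0.0.0:*
tcp   LISTEN 0 80   0.0.0.0:3306    0.0.0.0:*
tcp   LISTEN 0 5    127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 100  10.0.5.10:111   0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners
# On a live host: ss -H -tuln | audit_listeners
```

Each WILDCARD line is a service to pin to the imaging subnet with a firewall rule; each UNEXPECTED line is a service to stop or rebind.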

  7. #7


    FOG Security

    Agree with CyberNerd: for non-native Linux speakers like us, the cost of setting up a secured FOG is high. My advice is to grab a Linux specialist on this, evaluate against other solutions and, if FOG sorts first, which I doubt in your context, go for it as a central architecture project and team.

    If not, you can keep it in a subnet you control and secure with firewalls. But I would love to see a big secured FOG infrastructure; keep the FOG project posted if your university goes for it.

    P.S.: The FOG Windows client, which is central to management, is also a concern admins won't miss.
