[X2Go-Commits] page changed: doc:deployment-stories:electronic-glovebox

wiki-admin at x2go.org
Wed Nov 20 11:01:44 CET 2013


A page in your DokuWiki was added or changed. Here are the details:

Date        : 2013/11/20 10:01
Browser     : Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
IP-Address  : 188.105.133.89
Hostname    : dslb-188-105-133-089.pools.arcor-ip.net
Old Revision: http://wiki.x2go.org/doku.php/doc:deployment-stories:electronic-glovebox?rev=1384941472
New Revision: http://wiki.x2go.org/doku.php/doc:deployment-stories:electronic-glovebox
Edit Summary: 
User        : stefanbaur

@@ -5,11 +5,11 @@
  The Electronic Glovebox is our implementation of a __Re__mote __Co__ntrolled __B__rowsers __S__ystem, ReCoBS.
  
  ReCoBS is a security concept designed by the German Federal Office for Information Security ([[https://www.bsi.bund.de/EN/Home/home_node.html|Bundesamt für Sicherheit in der Informationstechnik]], BSI).
  
- It places a Terminal Server (in our case, a Linux box running X2Go) in a demilitarized zone (DMZ) between two Firewalls. This Terminal Server may freely surf the
net, but it cannot initiate "downstream" connections towards the LAN. From the LAN side, it is possible to connect to the Terminal Server (in our case, via SSH), but direct outbound connections to the Internet are blocked by default.
+ It places a Terminal Server (in our case, a Linux box running X2Go) in a demilitarized zone (DMZ) between two Firewalls. This Terminal Server may freely surf the net, but it cannot initiate "downstream" connections towards the LAN. From the LAN side, it is possible to connect "upstream" to the Terminal Server (in our case, via X2Go/SSH), but direct outbound connections to the Internet are blocked by default.
  
- Where we're diverting from the standard ReCoBS approach is that we're using a single firewall with a third ethernet port for the DMZ, and we're running both the firewall and the X2Go Terminal Server as virtual machines on a stripped down Debian Linux with KVM.
+ Where we're diverting from the standard ReCoBS approach is that we're using a
single firewall with a third ethernet port for the DMZ, and we're running both the firewall and the X2Go Terminal Server as virtual machines on a stripped down Debian Linux with KVM. Also, we're providing a web proxy server with a default deny policy, so that you can whitelist "safe" domains like microsoft and antivirus updates, or online banking portals and access those using your locally installed browser or online banking software.
  
  While the system isn't limited to a particular hardware configuration (we've shipped regular midi-tower cases as well as 19", 1HU rack-mount servers), our standard model is a fanless (i.e. entirely passively cooled), very compact case with enough CPU and RAM for up to 5 concurrent users. A picture, showing the box on top of a stack of copy paper for easy size comparison, is available here: [[http://www.baur-itcs.de/20-servermodelle/10-lexcomputechtwister/]]
  
  This allows us to offer an affordable solution even for small offices like a general
practicioner's office.
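
Review bot: The sentence added at the end of the second changed paragraph ("Also, we're providing a web proxy server with a default deny policy ...") introduces a path from LAN clients to the Internet that the previous paragraph describes as "blocked by default", and the page does not say how the two statements fit together. I would state explicitly that the proxy whitelist is the exception to that block, say where the proxy runs (the firewall VM, the Terminal Server in the DMZ, or a separate VM), and note that whitelisted domains are reached by the locally installed browser or banking software without going through the Terminal Server, so the list should stay short and name specific hosts. Smaller wording points in the same paragraph: "diverting from" reads better as "deviating from", and "microsoft" should be capitalised.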



-- 
This mail was generated by DokuWiki at
http://wiki.x2go.org/



