Joined: Tue Mar 27, 2007 2:49 am
Posted: Wed Jan 11, 2012 3:46 am Post subject: [LXF153] Disconnected Debian question
In LXF 153 James Grant asks about how to update a LAN with no connection to the internet, and a network mirror is advised, with a separate hard drive to update this system. Although factually very correct and doable, it is going to be a PITA to maintain. There is another method...
Now, I am aware that there's a very good reason for the system James describes not to have an internet connection, but with a few precautions system safety can remain uncompromised. The first action is to install a 2nd network card. I assume the server, as it's a stand-alone device, also runs a DHCP and DNS server. The latter is of no concern (and may even be omitted at James' workplace) but the former will play a role in securing the system against unwanted attention. This new network card will be connected to the company network and must be declared in /etc/network/interfaces as obtaining an IP address of said network via its DHCP server. However, it should not do so automatically!
Next step involves some scripting (I'll leave that to James) to do the following:
- check if all clients have released their leases on the DHCP server of the stand-alone system
- start eth1, update the mirror, then shut down eth1 again
Why only perform the update if all clients have returned their IP leases? Simple: if no other machine is online and connected, there's no chance of getting infected that way. It is therefore important that all PCs connected to this LAN are properly shut down before the cronjob starts that updates the mirror. Furthermore: because the script shuts down the extra NIC (eth1), there can be no connection from the company network, and potential hazards coming from there, to this confined LAN.
With a bit more scripting this can be expanded to include the latest updates to the 4 LAN machines James referred to, by having the mirror update early in the weekend, when traffic levels at most company networks are low, and using WoL (Wake on LAN) packets to wake the machines about 2 hrs before workers are scheduled to arrive Monday morning and push the updates to each machine (in effect: having the script log in on each machine and force a dist-upgrade).
Do note that although the server has 2 NICs, it is not a proxy! As there are no bridging rules to route traffic from the internal LAN to the company network (or vice versa), no machine on this LAN will have a connection to the internet, even if it would be online during the time the mirror is updating itself!
I hope Mr Grant will read this and give it a try, and perhaps others in a similar situation will find it of benefit too. I could have written in to LXF, but this is so much more convenient (and direct).
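The gating script the post leaves to James, written out as an added example that is not the poster's own code. It assumes ISC dhcpd with its lease database at /var/lib/dhcp/dhcpd.leases, that eth1 is declared in /etc/network/interfaces as `iface eth1 inet dhcp` without an `auto eth1` line (so it only comes up when the script calls `ifup`), and that the mirror is refreshed by whatever command you put in MIRROR_UPDATE_CMD (a placeholder here). The sample lease records are constructed for the demo. A lease counts as still held only if its most recent record says `binding state active`; dhcpd appends records, so the last one for an address wins.

```bash
#!/bin/sh
# Added example (not from the forum post): only refresh the mirror when no
# LAN client still holds a DHCP lease, and keep eth1 down the rest of the time.
# Assumptions: ISC dhcpd lease file, eth1 as the company-facing NIC, and a
# mirror update command of your choosing (placeholder below).

LEASES_FILE="${LEASES_FILE:-/var/lib/dhcp/dhcpd.leases}"
OUTSIDE_NIC="${OUTSIDE_NIC:-eth1}"
MIRROR_UPDATE_CMD="${MIRROR_UPDATE_CMD:-echo 'placeholder: run your mirror update here'}"

# Count addresses whose latest lease record is "binding state active".
# Lines such as "next binding state free;" are deliberately not matched.
# A record with no binding state line at all is treated as not held.
active_lease_count() {
    awk '
        /^lease /                          { ip = $2; state[ip] = "" }
        /^[[:space:]]*binding state /      { sub(/;$/, "", $3); state[ip] = $3 }
        END { n = 0; for (ip in state) if (state[ip] == "active") n++; print n }
    ' "$1"
}

# Interface control, isolated in functions so they can be swapped for tests.
nic_up()   { ifup   "$OUTSIDE_NIC"; }
nic_down() { ifdown "$OUTSIDE_NIC"; }

# Returns 0 when the mirror was updated, 1 when clients are still online,
# 2 when the NIC would not come up, otherwise the update command's status.
# The NIC is always taken down again, even if the update fails.
update_mirror_if_lan_idle() {
    leases_file="$1"
    n=$(active_lease_count "$leases_file")
    if [ "$n" -ne 0 ]; then
        echo "skip: $n client(s) still hold a DHCP lease" >&2
        return 1
    fi
    nic_up || return 2
    if sh -c "$MIRROR_UPDATE_CMD"; then rc=0; else rc=$?; fi
    nic_down
    return "$rc"
}

# Demo on a constructed lease file: .21 is free, .20 was re-issued and is
# still active, so one client is still considered online.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
lease 192.168.10.21 {
  starts 1 2012/01/09 08:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.10.20 {
  starts 1 2012/01/09 07:55:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.20 {
  starts 1 2012/01/09 08:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
EOF
echo "clients still holding a lease: $(active_lease_count "$demo_file")"
rm -f "$demo_file"
```

Run it from cron with `update_mirror_if_lan_idle "$LEASES_FILE"` as the last line; a non-zero exit in the cron mail tells you the update was skipped or failed, and because `nic_down` runs regardless of the update result, eth1 never stays up by accident.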