[H-GEN] Secure and low bandwidth X through wireless broadband.

David Seikel onefang at gmail.com
Sun Jun 25 00:51:26 EDT 2006


I'm thinking about options for setting up a single secure and low
bandwidth X session via wireless broadband.  I'd like to take advantage
of any experience HUMBUG members may have.  This is for the purposes of
managing a corporate LAN (mixed Windows and Linux) in Ipswich from my
home in New Farm (and HUMBUG meetings if needed).  Unfortunately, one of
the systems I have to manage only has a Windows GUI management
interface.  The company is paranoid about security.

A solution I am considering is to set up X & qemu on one of the Linux
boxes, install Windows on qemu, run the management GUI on it, and
export the X over a secure link.  X or VNC or some other protocol can
be used for the export.  Tunnelling via ssh is preferred as ssh is used
for all the other management stuff, and this means only the one hole is
needed in the firewall.  This Windows under qemu will then be
completely isolated from the outside network as it's only getting its
screen scraped and exported via the local X, and it can safely be
connected to the internal LAN with no extra security issues.  I can
even go one step further, as the Windows management GUI only needs to
talk to one other box in the inside, so a dedicated link can be set up
if needed.  Did I mention they are paranoid?  B-)

Wireless broadband is being used because that's what I have, and I can
take it with me to places like HUMBUG meetings.  Those that have been
paying attention will have seen the iBurst bridge sitting on top of my
computer at meetings.  I need to keep the X link low bandwidth to help
keep below my monthly usage limit, and because once I have gone over my
monthly limit, I get capped at dialup speeds.  I'm still in
negotiations with this company, but getting them to pay for an increase
in bandwidth and limits for me is on the table.  I would still prefer
to keep the X bandwidth usage to a minimum.  There is also the issue
that wireless broadband is a little laggy.  On the other hand, after
the initial setup phase is over, I expect that usage of this Windows
management GUI will only be needed sporadically, whenever something
needs to be changed.

I have complete control of the Linux boxes, including the firewall.
The firewall is Debian stable, and the others are Debian testing.  All
are recently installed (last week).  One of the internal Linux boxes is
a severely overpowered Xeon with SCSI raid, way too much ram, and other
over the top things that will mostly be idle for its assigned task.  I
wasn't involved in the hardware decisions, I'm just using whatever
hardware was supplied.  The Xeon should have sufficient spare capacity
to run qemu + Windows on an as-needed basis.  The Windows management GUI
prefers Windows XP Professional, which is handy as most of the rest of
the Windows boxes also run XP Pro, they have enough licenses to spare,
they have in-house expertise so that I don't have to deal with Windows
much, and qemu works with XP Pro as a guest OS.

The options I can think of are to tunnel X via ssh or use VNC, maybe
tunnelled via ssh.  Both have low bandwidth options, but security has
priority if it comes to a trade-off.  This is where the experience of
humbuggers is needed.  Are there any other options that I should
consider?  Which one tends to be more secure / lower bandwidth in the
field?  Are any of these options better at dealing with wireless lag
than others?
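
Added example, not part of the original post: one way to check the design described above, in which the X or VNC display is reachable only through the ssh tunnel and ssh is the only open port. It assumes `ss -H -ltn` output taken on the Linux host running qemu; the sample lines, addresses, host names and function names are constructed for illustration.

```shell
#!/bin/sh
# Assumed setup (placeholders, not from the post):
#   on the qemu host:  qemu ... -vnc 127.0.0.1:1      # VNC on loopback, port 5901
#   on the client:     ssh -C -N -L 5901:127.0.0.1:5901 admin@firewall.example
# -C compresses the tunnel, -L forwards the loopback-only VNC port.

# Constructed sample of `ss -H -ltn` output (not from a real host).
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:6010 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:6011 [::]:*
LISTEN 0 1 192.168.1.20:5900 0.0.0.0:*
EOF
}

# Reads `ss -H -ltn` lines on stdin and prints "address port" for every
# VNC (5900-5999) or X11 (6000-6063) listener that is not bound to loopback.
# Any line printed means the display protocol is reachable without ssh.
exposed_display_ports() {
    awk '
    $1 == "LISTEN" {
        laddr = $4
        port = laddr
        sub(/.*:/, "", port)                 # keep text after the last colon
        if (port !~ /^[0-9]+$/) next         # skip wildcard or unparsable ports
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        p = port + 0
        is_display  = (p >= 5900 && p <= 5999) || (p >= 6000 && p <= 6063)
        is_loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (is_display && !is_loopback) print addr, p
    }'
}

# Stand-alone run over the constructed sample.
sample_listeners | exposed_display_ports
```

On a live host the same function can be fed with `ss -H -ltn | exposed_display_ports`; empty output means no X11 or VNC listener is bound outside loopback.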