The occasional trials and tribulations of a jack of all trades sysadmin in a startup in Silicon Valley
Note to those reading via rss/atom, there are images in this post that you likely can't see.
Computer locks are a necessary evil in many places. The computer lab I support is one such place. We do not go so far as to lock down the keyboards and mice (I have seen places that do this, and it usually makes the working conditions for users much worse), but we do lock down the computers, monitors, printers, and such.
Right now, we use like-keyed normal Master Lock padlocks, and like-keyed Master Lock padlock cables (as shown here).
The computer is locked closed with the padlock, which has the cable lock run through it. The cable is looped through the stand of the monitor and locked to the desk. (shown below)
Now those familiar with Dell flat panels most likely realize that this is not secure, as the flat panel itself is attached to the stand by screws that would stop a thief for maybe a minute or three. Dell would have us use the thoughtfully supplied Kensington Security Slot (slightly blurry picture below).
Now the lock required to use that security slot (picture of a typical example below) would cost a normal consumer $40. A like-keyed set of 25 would cost about $30 a lock. That's quite a difference from the $2 padlocks and $15 cables we bought in the past.
A slight tangent: I don't actually dislike the Kensington Security Lock system. I think it is wonderful that there is a sane non-mandated standard for locking down portable devices. I even carry one of their retractable locks with me in my laptop goodie bag. What I object to is the price, and the insistence on using it for larger devices. A monitor is easily large enough to accommodate a security hole large enough for a standard padlock. It would certainly be trivial to include a decent locking point on a 100 pound server, yet Dell did not in the most recent server we purchased from them.
Unfortunately, it does not appear that we are going to have much choice in the future. The current generation of monitors from Dell has a stand that can be removed at the touch of a button (and thus necessitates use of the Kensington locks), and their desktops use custom lock mechanisms (see below for an example; that custom lock mechanism from Dell costs $30, btw).
Apparently I will have to factor in a few thousand dollars for locks and related bits and pieces when we next upgrade the lab.
[2005/07/21 | /hardware | permanent link]
This week I tested a half dozen Linux and BSD based firewall distributions (ClarkConnect, M0n0wall, Smoothwall Express, SME Server, IPCop, and RedWall if you care). I tested each with three Windows clients, a Windows server, and a Linux server behind them. I did this all from the comfort of my laptop. I did this with VMware Workstation.
VMware makes virtualization products (more info here, here, and here). I first learned of VMware Workstation (version 2 if I recall) in college when they successfully lured me into their shininess with a $99 academic license. I toyed with it through college (mostly running CorelDraw while my machine was booted into Linux), yet forgot about it for a few years.
About a year into the job, I purchased and began using VMware GSX Server for server consolidation. I used it quite conservatively (more on that process some other day). I didn't quite learn how much glee VMware could bring me until I received a copy of Workstation for attending one of their sales seminars. But this isn't a piece on all the things I have done with VMware Workstation; this is a description of how I used it to test firewalls.
With this general setup I could perform basic testing on a firewall setup in about 30 minutes. Having performed this type of testing with real machines in the past, I would estimate a savings of about 4 hours for the initial setup and about an hour per firewall. I wouldn't have to go through that initial setup if I actually had the funds, space, and assistance to have a proper test lab with a variety of spare. The testing of each firewall was sped up in ways that couldn't be done with physical machines. A key item for this testing was the ability to take snapshots (a save of the state of a virtual machine) of both the firewall and the test machines. With these snapshots, I could bring back the exact same setup over and over again in just a minute or two.
The story of what firewall I choose and why is for another week.
[2005/07/12 | /software | permanent link]