[Babase] Ranker security problems
Karl O. Pinc
kop at meme.com
Wed Aug 15 16:10:54 EDT 2007
Dear Susan, Hunter, Jun, et al.,
The Alberts lab has a custom program written for it,
the ranker. It runs on the client, PC or Mac, and
talks over the network to a PostgreSQL database on
papio.biology.duke.edu.
So that the ranker program can be used by collaborators
at Princeton, it has an IP address
(papio-vpn.biology.duke.edu) hardcoded into it that is
accessible only via a VPN -- established using OpenVPN
between the client desktop and Papio.
This appears to work fine for the staff at Princeton,
however the staff at Duke, notably Lacey Maryott
<lkm9 at duke.edu>, find that after a day the VPN
(OpenVPN) stops working. The presumption is that Duke
is doing something to their Microsoft Windows PCs every
night that detects and disables the VPN software.
Re-installing OpenVPN fixes the problem until the next
day.
There appear to be several ways to approach this
problem. Which one should we take?
1) Change the security regime at Duke so that it does
not disable the VPN software's installation on Lacey's
machine.
Lacey has attempted to investigate this with no
success.
2) Allow the ranker program to access the database
without using the VPN.
2a) This would mean allowing the Duke biology network
access to the PostgreSQL database on Papio. Hunter has
already approved this, so I imagine he would approve
this again. Karl would have to re-enable encrypted
network access to the database on Papio. (At present
the database server's database is reachable only via
the virtual network running inside Papio.)
2b) The ranker program would have to be altered so that
it will work both with and without the VPN running, for
users at Princeton and Duke respectively. This means
changing the ranker so that it attempts to connect both
via the VPN (to papio-vpn.biology.duke.edu) and
directly over the local network (to
papio.biology.duke.edu). This may need to be
coordinated with Dr. Jun Yang of Duke University, who
supervised the coding of the program.
Better yet, the ranker could ask about the machine to
which it should connect.
This may be the best solution for the long-term.
3) Use Duke supported VPN software rather than OpenVPN.
3a) This would involve getting Duke to grant VPN access
to Princeton project members, and coordinating support
for installation and troubleshooting at Princeton etc.
3b) We'd need to do step 2a so that both the Princeton
and Duke staff would have access to the database over
the local Duke network.
3c) We'd need to modify the ranker program (as in 2b)
so that it connects to Papio using Papio's regular IP.
This choice seems a bit involved.
4) Avoid Microsoft security issues by using a Mac.
Lacey could attempt to install OpenVPN on a Mac and see
how well that works. There are likely different
security policies for Apple and Microsoft machines. If
that works then the ranker can be run from Macs at
Duke.
This is worth trying because Susan has a Mac and we'll
need to get that running the ranker anyway.
5) Rewrite the ranker so that it runs over the web.
I'm just brainstorming here, in case this sparks an
idea in someone.
This would be stupid, for many reasons, but would solve
such problems forever. By running in the browser and
using HTTP for transport you avoid problems of software
installation, security, and firewalls. One approach
would be to use JavaScript, the Gecko DOM and XUL, with
AJAX and PHP on the server side.
6) Do something else I've not thought of.
Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
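The connection logic sketched in options 2b and 3c (try the VPN-only address, fall back to Papio's regular name, or let the user pick the machine) as an added worked example in Python. This is not the ranker's own code and not code from Karl or the Babase project; the two host names are taken from the message, while the database name, the user name, the CA file name, the probe timeout and the choice of libpq sslmode per path are assumptions. The security point it encodes is the one behind 2a: a connection that leaves the VPN must use a verified TLS session, and a user-supplied host name must not be able to downgrade that.

```python
"""Endpoint selection for a client like the ranker: try the VPN-only
address first, then Papio's regular name, and insist on verified TLS
whenever the connection leaves the VPN.  Added example, not the ranker's
own code; host names come from the message, everything else is assumed."""
import socket

PG_PORT = 5432

# Candidate endpoints in order of preference.  The VPN path is already
# encrypted by OpenVPN, so opportunistic TLS is acceptable there; the
# direct path crosses the campus network, so the client must verify the
# server certificate and host name (sslmode=verify-full).
CANDIDATES = [
    {"host": "papio-vpn.biology.duke.edu", "sslmode": "prefer"},
    {"host": "papio.biology.duke.edu", "sslmode": "verify-full"},
]


def tcp_reachable(host, port=PG_PORT, timeout=2.0):
    """Cheap liveness probe: can we open a TCP connection to the port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_endpoint(candidates=CANDIDATES, preferred=None, reachable=tcp_reachable):
    """Return the first reachable candidate, or the one the user asked for.

    `preferred` is a host name chosen by the user (the "ask which machine"
    variant); it must be one of the configured candidates so the user
    cannot pick an arbitrary host and silently lose the sslmode that goes
    with the direct path.
    """
    by_host = {c["host"]: c for c in candidates}
    if preferred is not None:
        if preferred not in by_host:
            raise ValueError("unknown database host: %r" % (preferred,))
        return by_host[preferred]
    for c in candidates:
        if reachable(c["host"]):
            return c
    return None


def libpq_dsn(endpoint, dbname, user, sslrootcert="papio-ca.crt"):
    """Build a libpq keyword/value connection string for the chosen endpoint.

    `sslrootcert` (assumed file name) is the CA certificate the client uses
    to verify the server under verify-ca/verify-full; it is only emitted
    for those modes so the VPN path works even if no CA file is shipped.
    """
    parts = [
        "host=%s" % endpoint["host"],
        "port=%d" % PG_PORT,
        "dbname=%s" % dbname,
        "user=%s" % user,
        "sslmode=%s" % endpoint["sslmode"],
    ]
    if endpoint["sslmode"] in ("verify-ca", "verify-full"):
        parts.append("sslrootcert=%s" % sslrootcert)
    return " ".join(parts)


if __name__ == "__main__":
    ep = choose_endpoint()
    if ep is None:
        raise SystemExit("neither the VPN address nor the direct host "
                         "answers on port %d" % PG_PORT)
    # Assumed database and role names; hand the string to psycopg2.connect()
    # or to psql as a conninfo string.
    print(libpq_dsn(ep, dbname="babase", user="ranker"))
```

The server side of the same arrangement is the part of 2a that re-enables encrypted network access: the matching entries in pg_hba.conf for the direct path would be `hostssl` lines scoped to the Duke biology network rather than `host` lines, so that a client which does not negotiate TLS is refused before authentication. For verify-full to succeed the server certificate must be issued for papio.biology.duke.edu by the CA whose certificate the client ships as `sslrootcert`.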