A Secure Bioinformatics Linux Lab in an Educational Research Environment
In delivering a new bioinformatics curriculum in the Graduate School at the University of Medicine and Dentistry of New Jersey, we undertook the challenge of incorporating new computational resources over an existing research support infrastructure, adding new services and platforms and reacting to an increasingly burdensome responsibility to protect ourselves from network threats. Our new environment spans two cities and links Linux workstations, Linux servers, Silicon Graphics workstations, a Sun 6800 Enterprise Server and the Internet. Open-source solutions combined with selective use of commercial resources integrate in a cost-effective, service-friendly, bioinformatics research environment. In this report, we describe solutions to a set of challenges in our core, Linux-driven server/client environment.
As with many universities, our public computer labs are Microsoft boxes with the Office suite, and we have a set of clients--Web, secure telnet, secure FTP, IMAP2 mail and X. The bioinformatics software the university hosted lay behind these workstations, on Sun/Solaris and SGI/Irix servers. We needed an environment in which we could do several things: (1) manage workstations efficiently, (2) quickly add or delete applications, (3) rebuild workstations, (4) ensure availability and storage and (5) address network and data security issues.
We recognized that software and configuration information should be stored in a centralized server and available to authenticated clients. Our generic Web and e-mail servers already were overburdened with these services. In addition, each of those servers faced its own distinctive security threats and solutions. A better approach would be to establish a separate server dedicated to serving the scientific community, a scientific server. We needed to bring this project in on a modest budget.
Almost any server/workstation environment dedicated to scientific research might have offered multiple benefits, including parallel processing, centralized administration and secure storage systems. However, many fail in an important respect in our two-city arena. We have a high demand for visualization, and users need an X server such as ReflectionX, Exceed or Cygwin/X on their desktops. In X11 terms the X server is the program on the user's display machine, and the application running on the remote host is the X client; the server draws the client's graphical interface. Most molecular modeling software also requires OpenGL, and OpenGL rendered remotely over X pushes far more traffic across the link than ordinary X windows do. In a local area network, this kind of architecture should suffice. However, our intercampus network was not always up to the task.
Our solution to this set of challenges was to build a bioinformatics computer lab environment dedicated to teaching and research. This lab is designed to be secure, resilient to attacks and failure and adaptable to an array of software and modes of access by authenticated users.
We began with the operating system choice. We elected Linux for many of the usual reasons: it is open source, secure, easily manageable and freely available, which made it attractive in an educational environment with limited funds. Even in that economic mood, we still chose one step up, selecting Red Hat Enterprise Linux for the support that commercial systems provide, including workstation monitoring, patches and upgrades through the Red Hat Network. We went with Intel x86 computers because we had a number on hand and they made good economic sense. Plus, if we were to fail, we still would have boxes that otherwise could be deployed.
As now deployed, our Piscataway lab has 14 Red Hat Enterprise Linux workstations and two Enterprise Linux servers. In the Newark lab, where the facility is smaller, we have four Red Hat Enterprise Linux workstations and one Enterprise Linux server. All Piscataway workstations are identical in terms of hardware, as are all Newark workstations; there are minor differences between the two sets, however.
We outlined a set of initial tasks: build a server to run DHCP, host Red Hat CDs for Kickstart installations, authenticate users, host users' home directories and provide a Web and database server. To that end, we did an installation of Red Hat Enterprise Linux AS on two separate PCs in Piscataway and one in Newark to act as our servers--one primary, one backup and one Web/database server.
We also needed DHCP so that authorized users could bring personal laptops onto the network; it is not used for our workstations. To accommodate the laptop users, we record the MAC address of each laptop and add an entry similar to the following for it, with each host identified by the user's username. The server hands out leases only from the small range shown and refuses any client it does not know (deny unknown-clients). Note that this identifies a network card, not a person: a MAC address can be set by the client, so the allow-list keeps casual strangers off the subnet but is not strong authentication on its own.
subnet 192.168.1.0 netmask 255.255.255.0 {
    deny unknown-clients;
    # DHCP range
    range 192.168.1.240 192.168.1.245;
    # known clients
    host golharam { hardware ethernet 00:12:34:56:78:90; }
    ...
}
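A mistyped or duplicated MAC in a list like the one above fails quietly: the user's laptop simply never gets a lease, or two entries compete for one NIC. The following Python script is an added example, not code from the original article; it parses the host blocks from a dhcpd.conf fragment (the sample configuration inside it is constructed for the example), rejects malformed, multicast/broadcast or duplicated addresses, and renders new entries in the same form before they are appended to the configuration.

```python
"""Validate and generate ISC dhcpd 'host' reservations for a MAC allow-list.

Added example, not code from the original article.  The article keeps one
'host <username> { hardware ethernet <MAC>; }' entry per authorised laptop
inside a subnet declared with 'deny unknown-clients;'.  A mistyped or
duplicated MAC silently locks a user out or gives the lease to the wrong
machine, so these helpers check a dhcpd.conf fragment before it is deployed.
The sample configuration below is constructed for this example.
"""
import re

# One host block as the article writes it (whitespace tolerant).
HOST_RE = re.compile(
    r"host\s+(?P<name>[A-Za-z0-9_.-]+)\s*\{\s*hardware\s+ethernet\s+"
    r"(?P<mac>[0-9A-Fa-f:]+)\s*;\s*\}"
)
# Exactly six two-digit hex octets.  dhcpd itself accepts looser forms, but a
# truncated octet is almost always a transcription error, so reject it here.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed sample in the style of the article's configuration.
SAMPLE_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    deny unknown-clients;
    range 192.168.1.240 192.168.1.245;
    host golharam { hardware ethernet 00:12:34:56:78:90; }
    host alice    { hardware ethernet 00:12:34:56:78:91; }
    host bob      { hardware ethernet 00:12:34:56:78:91; }  # same NIC as alice
    host carol    { hardware ethernet 00:12:34:56:78:9; }   # truncated octet
}
"""


def mac_problem(mac):
    """Return None if mac is a usable unicast address, else a short reason."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        return "malformed MAC %r" % mac
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:  # group bit set: multicast or broadcast, never a NIC
        return "multicast/broadcast MAC %s" % mac
    return None


def parse_hosts(conf):
    """Return (hostname, mac) pairs from the host blocks in a dhcpd.conf text."""
    without_comments = re.sub(r"#.*", "", conf)
    return [(m.group("name"), m.group("mac"))
            for m in HOST_RE.finditer(without_comments)]


def check_hosts(conf):
    """Split host entries into accepted (name, lower-cased mac) pairs and errors."""
    ok, errors = [], []
    seen_macs, seen_names = {}, set()
    for name, raw_mac in parse_hosts(conf):
        problem = mac_problem(raw_mac)
        if problem:
            errors.append("host %s: %s" % (name, problem))
            continue
        mac = raw_mac.strip().lower()
        if name in seen_names:
            errors.append("host %s: duplicate host name" % name)
            continue
        if mac in seen_macs:
            errors.append("host %s: duplicate MAC %s already used by %s"
                          % (name, mac, seen_macs[mac]))
            continue
        seen_names.add(name)
        seen_macs[mac] = name
        ok.append((name, mac))
    return {"ok": ok, "errors": errors}


def render_host(username, mac):
    """Produce one host line in the article's form, or raise ValueError."""
    if not NAME_RE.match(username):
        raise ValueError("bad host name %r" % username)
    problem = mac_problem(mac)
    if problem:
        raise ValueError(problem)
    return "host %s { hardware ethernet %s; }" % (username, mac.strip().lower())


if __name__ == "__main__":
    report = check_hosts(SAMPLE_CONF)
    for name, mac in report["ok"]:
        print("ok   ", render_host(name, mac))
    for err in report["errors"]:
        print("ERROR", err)
```

Run it against the real dhcpd.conf before restarting dhcpd; on the sample it accepts golharam and alice and reports bob (duplicate MAC) and carol (malformed MAC). The multicast check is there because a unicast NIC can never carry an address with the group bit set, so such an entry is always a typo.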
Comments
We recognized that software
We recognized that software and configuration information should be stored in a centralized server and available to authenticated clients. Our generic Web and e-mail servers already were overburdened with these services. In addition, each of those servers faced its own distinctive security threats and solutions. A better approach would be to establish a separate server dedicated to serving the scientific community, a scientific server. We needed to bring this project in on a modest budget. I think that this is a clever idea. Budget is all it is about.
Tom
The server firewall allows
The server firewall allows incoming SSH traffic from anywhere. It then performs IP address filtering to allow only certain IP addresses access to more open resources, such as NFS, LDAP, CUPS and the FlexLM license server. The Web server uses a slightly different setup to allow only incoming SSH and HTTP traffic.
Re: A Secure Bioinformatics Linux Lab in an Educational Research
I am curious as to why you would add new users with the username and the password being the same, and also why no minimum password expiration was given (possibly this was for the sake of the article; if not, then publishing the lab/machine names and the fact that default usernames are replicated as passwords would be twice as bad).
Below is a simple suggestion for a Perl subroutine which can be modified to your liking to generate semi-random passwords.
#!/usr/bin/perl
use strict;
use warnings;
use String::Random;

# Generate a semi-random password from a pattern and print it together with
# its crypt(3) hash.  Fixes to the posted version: both print statements had
# lost their trailing "\n", one $salt line was duplicated, and the salt was
# taken from the caller's own passwd entry, which is just "x" on a
# shadow-password system; a random two-character salt is generated instead.
sub make_pass {
    my $gen  = String::Random->new;
    my $pass = $gen->randpattern("CCnnccC");   # change this pattern to taste
    my @saltchars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt = join '', map { $saltchars[rand @saltchars] } 1..2;
    # A bare two-character salt selects traditional DES crypt; on a modern
    # glibc, crypt($pass, '$6$' . $salt) would give SHA-512 instead.
    my $newpass = crypt($pass, $salt);
    print "New password is $pass\n";
    print "New crypt is $newpass\n";
    return ($pass, $newpass);
}
Maybe I just overlooked where the users are forced to change their password on the initial login.
Good to see some more ink dealing with research institutions.
Phil M.
San Diego
passwd command on Linux works just fine with LDAP
We are also a bioinformatics lab, although a smaller one with a bit less teaching responsibilities. We moved from NIS to LDAP authentication about six months ago. The passwd command on modern Linuces knows how to deal with LDAP and can change passwords in a LDAP directory just fine. Users must have write access to their own passwords in the LDAP directory for this to work, but that is trivial to configure.
Scripting languages like Perl and Python can generate passwords encrypted in various ways, so I do not quite see why the change_password_perlscript invokes the 'passwd' command and uses a local /etc/shadow file from which the encrypted password is stripped. Seems like climbing to the tree backwards when the necessary LDIF could be generated in the script directly.
A nice graphical LDAP browser/editor named LUMA (project on SourceForge) can do mass-creation of users and passwords. Unfortunately the working versions of LUMA depend on new versions of other packages, so getting it to run on anything but the latest distros can be an exercise.
Hostname "hydrogen"
I used to work at a place where the hostnames were element names, by atomic number -- if you knew your periodic table you didn't need the DNS server, which I think was lithium. Hydrogen was the gateway,