Difference between revisions of "Closetbox2"

From Technologia Incognita
Jump to: navigation, search
m
m
 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
  
 
As an alternative look on the closetbox proposed by Chotee and others, and sharing many similarities especially in regards to services and software with that, I went with a different approach, more aimed at power users/hackers than something you could give to your aunt/nephew to install in their closets for little money.
 
As an alternative look on the closetbox proposed by Chotee and others, and sharing many similarities especially in regards to services and software with that, I went with a different approach, more aimed at power users/hackers than something you could give to your aunt/nephew to install in their closets for little money.
 +
 +
== Requirements ==
  
 
My set of requirements is different / more demanding:
 
My set of requirements is different / more demanding:
Line 8: Line 10:
 
* In fact, I would like to even isolate cloud services from each other; so a dropbox or chat service compromise can not jeopardize email, for example.
 
* In fact, I would like to even isolate cloud services from each other; so a dropbox or chat service compromise can not jeopardize email, for example.
 
* Bonus points for possibilities to run honeypots, VPNs, in a fully isolated environment.
 
* Bonus points for possibilities to run honeypots, VPNs, in a fully isolated environment.
 +
 +
== The core hardware ==
  
 
Using ARM devices proved a little difficult since I could not find any/many with two NIC's, let alone more. A router like Carambola2 with OpenWRT offers two NICs plus wifi. This had/has my interest until I found a low-power dual core x86 board with 3x Gbit LAN for 155 euros: PC Engines ALIX.APU1C:
 
Using ARM devices proved a little difficult since I could not find any/many with two NIC's, let alone more. A router like Carambola2 with OpenWRT offers two NICs plus wifi. This had/has my interest until I found a low-power dual core x86 board with 3x Gbit LAN for 155 euros: PC Engines ALIX.APU1C:
Line 16: Line 20:
 
* Virtualisation extensions, so can run KVM/Virtualbox etc.
 
* Virtualisation extensions, so can run KVM/Virtualbox etc.
 
* Power consumption still only 6-12 watts
 
* Power consumption still only 6-12 watts
 +
 +
[http://www.pcengines.ch/pic/apu1c1.jpg photo]
  
 
This offers so much possibilities that I immediately ordered it. You can opt for running fully sandboxed machines as VMs, but also by adding small RasPi/Beaglebone-type machines to the DMZ NIC port. You have full flexibility. You have full I/O speed with this, unlike RasPi systems, and it is fully prepared for the >100Mbit fibre future with gigabit NICs.
 
This offers so much possibilities that I immediately ordered it. You can opt for running fully sandboxed machines as VMs, but also by adding small RasPi/Beaglebone-type machines to the DMZ NIC port. You have full flexibility. You have full I/O speed with this, unlike RasPi systems, and it is fully prepared for the >100Mbit fibre future with gigabit NICs.
 +
 +
== Filling in the details ==
  
 
There are still some issues to be solved for my use case; like how to obtain the required fourth NIC. This can be done with an USB-based NIC, or by using VLANs. And the questions of which OS, which VM platform, which services, adding many additional SBC's or not. In the coming period I hope to find suitable answers to these questions. I will also need to install all these new private cloud solutions I'm unfamiliar with, and I look forward to work together with the Closetbox crew to tackle such issues, where we appear to converge.
 
There are still some issues to be solved for my use case; like how to obtain the required fourth NIC. This can be done with an USB-based NIC, or by using VLANs. And the questions of which OS, which VM platform, which services, adding many additional SBC's or not. In the coming period I hope to find suitable answers to these questions. I will also need to install all these new private cloud solutions I'm unfamiliar with, and I look forward to work together with the Closetbox crew to tackle such issues, where we appear to converge.

Latest revision as of 03:20, 7 March 2014

Preface

As an alternative look on the closetbox proposed by Chotee and others, and sharing many similarities especially in regards to services and software with that, I went with a different approach, more aimed at power users/hackers than something you could give to your aunt/nephew to install in their closets for little money.

Requirements

My set of requirements is different / more demanding:

  • Can use two DSL/Cable lines parallel, not using channel bundling but as a means to limit downtime by redundancy, and preserve low latency despite high traffic.
  • Must offer a DMZ or other means to isolate services, a sandbox that limits exposure of the LAN section should some 'private cloud' service be exploited.
  • In fact, I would like to even isolate cloud services from each other; so a dropbox or chat service compromise can not jeopardize email, for example.
  • Bonus points for possibilities to run honeypots, VPNs, in a fully isolated environment.

The core hardware

Using ARM devices proved a little difficult since I could not find any/many with two NIC's, let alone more. A router like Carambola2 with OpenWRT offers two NICs plus wifi. This had/has my interest until I found a low-power dual core x86 board with 3x Gbit LAN for 155 euros: PC Engines ALIX.APU1C:

  • Fully compatible with x86 so no OS change necessary
  • 1GHz AMD SBC with 2 cores & 2 GB RAM (non-expandable)
  • SATA, mSATA, SDcard, 3x Gigabit LAN
  • Mini PCIe Slots, Console port, GPIO pins
  • Virtualisation extensions, so can run KVM/Virtualbox etc.
  • Power consumption still only 6-12 watts

photo

This offers so much possibilities that I immediately ordered it. You can opt for running fully sandboxed machines as VMs, but also by adding small RasPi/Beaglebone-type machines to the DMZ NIC port. You have full flexibility. You have full I/O speed with this, unlike RasPi systems, and it is fully prepared for the >100Mbit fibre future with gigabit NICs.

Filling in the details

There are still some issues to be solved for my use case; like how to obtain the required fourth NIC. This can be done with an USB-based NIC, or by using VLANs. And the questions of which OS, which VM platform, which services, adding many additional SBC's or not. In the coming period I hope to find suitable answers to these questions. I will also need to install all these new private cloud solutions I'm unfamiliar with, and I look forward to work together with the Closetbox crew to tackle such issues, where we appear to converge.