From: roland <for...@gm...> - 2003-12-16 16:43:40
Hi sergeant :)

>Is it feasible to use UML for this scenario, assuming the host machine is powerful enough.

running 50 UMLs at the same time on a single FAT host should _basically_ be possible, but not recommended. it absolutely depends on WHAT the users need to do INSIDE a UML. it's really a matter of the load these 50 concurrent users will produce. so at least you need to estimate what "average" and "maximum" load a user will generate, and test how the system behaves in such situations. letting 50 users run hping, nmap and nessus on the same machine at the same time should generate a huge amount of load, IMHO - and this especially if inside a UML, because we have the "syscall-overhead".

why not split things up? AFAIK, hping, nmap and nessus are basically usable on a "per user" basis from within a single OS. if you need to give the users root privileges, you could easily wrap those commands with "sudo" or make them suid - so, do you really need separate OSes for every single user? why not give them just an account and let them run a defined set of applications, configured for them individually?

as a rule of thumb: what you can "multi instantiate" on a single box, you won't need to run isolated inside separate ones.

i think you even should be able to run nessus on a per-user basis on a single box. at least there are configuration options for nessus which give me that impression.

from the nessusd manpage:

    nessusd [-v] [-h] [-c config-file] [-a address ] [-p port-number] [-D] [-d]

    -c <config-file>, --config-file=<config-file>
        Use the alternate configuration file instead of @NESSUSD_CONFDIR@/nessus/nessusd.conf

    -p <port-number>, --port=<port-number>
        Tell the server to listen on connection on the port <port-number> rather than listening on port 1241 (default).

sure - here you need to do lots of configuration and testing, too. (i'm not sure - but you probably run into problems with the TCP/IP stack on a single system when doing aggressive portscanning from within 50 user accounts)

please see this just as an idea and a suggestion - i don't know the very details of your scenario and perhaps there IS a real need for UML or similar, though.

>Is there any easy way to create UMLs for new users?

sure there is. you just need a read-only root-filesystem and can use the copy-on-write feature. so you can clone UMLs somewhat "on the fly".

>Can the creation of a UML be automated?

sure. shouldn't be too hard, too. one recommended example to configure a uml from the "outside" is on the uml website. see: http://user-mode-linux.sourceforge.net/config.html

>Would the maintenance of that many UMLs be too much to handle?

that depends on WHAT you need to maintain. if they just all need to be identical (and only differ in hostname/ip) that should be quite easy

>Users will have access to their UML, and from there they should be able to run applications
>like nmap, hping, nessus against an internal target network. Can UML handle applications such
>as nmap or will there be problems?

i think this should work. watch out for the uml-bridging howto for uml network configuration. if you set up the uml's network in bridged mode, you shouldn't run into problems with the host's tcp/ip stack, because the host's stack isn't related to the uml's at all and all it does is forward ethernet packets.

regards
roland

----- Original Message -----
From: Sgt B
To: use...@li...
Sent: Tuesday, December 16, 2003 4:47 PM
Subject: [uml-user] Possible UML project undertaking. Have some questions.

We're planning on setting up UML for an upcoming project. We're going to need approximately 250-300 separate UMLs. Each user will have access to his/her own UML. We're expecting about 50 users online at any given time.

Is it feasible to use UML for this scenario, assuming the host machine is powerful enough. Is there any easy way to create UMLs for new users? Can the creation of a UML be automated? Would the maintenance of that many UMLs be too much to handle?

Another question... This project is a security based project. Users will have access to their UML, and from there they should be able to run applications like nmap, hping, nessus against an internal target network. Can UML handle applications such as nmap or will there be problems?

Just wanted to ask before I dive into UML. Thanks!
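
The copy-on-write provisioning described in the reply, as an added example that is not part of the original thread: each user gets a private COW file layered over one shared root image, plus a pre-created tap device for bridged networking. The paths, memory size, naming scheme and tap numbering are assumptions; `ubd0=<cow>,<backing>`, `umid=`, `mem=` and `eth0=tuntap,<device>` are standard UML command-line options.

```shell
#!/bin/sh
# Added example: build per-user UML command lines that share one root image.
# Assumed layout (not from the thread): adjust the defaults below to your host.
ROOT_FS=${ROOT_FS:-/srv/uml/root_fs}   # shared backing image, keep it read-only
COW_DIR=${COW_DIR:-/srv/uml/cow}       # one private COW file per user
UML_BIN=${UML_BIN:-./linux}            # the UML kernel binary
UML_MEM=${UML_MEM:-64M}                # per-instance memory

# valid_user NAME: allow only short account-style names, so a name can never
# smuggle extra kernel options or path components into the command line.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# uml_cmdline NAME INDEX: print the launch line for one user's instance.
# tapINDEX is assumed to exist already and to be attached to the lab bridge.
uml_cmdline() {
    user=$1 idx=$2
    valid_user "$user" || { echo "invalid user name: $user" >&2; return 1; }
    case "$idx" in
        ''|*[!0-9]*) echo "invalid index: $idx" >&2; return 1 ;;
    esac
    printf '%s umid=%s mem=%s ubd0=%s/%s.cow,%s eth0=tuntap,tap%s\n' \
        "$UML_BIN" "$user" "$UML_MEM" "$COW_DIR" "$user" "$ROOT_FS" "$idx"
}

# provision: read one user name per line on stdin, print one launch line each.
# Blank lines are skipped; the first invalid name aborts the whole run.
provision() {
    n=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        uml_cmdline "$name" "$n" || return 1
        n=$((n + 1))
    done
}
```

Feed it an account list with `provision < users.txt`; the COW file is created on first boot if it does not exist, so resetting a user's instance amounts to deleting that user's `.cow` file.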