From: Sgt B <sgt...@ya...> - 2003-12-16 15:47:59
We're planning on setting up UML for an upcoming project. We're going to need approximately 250-300 separate UMLs. Each user will have access to his/her own UML. We're expecting about 50 users online at any given time. Is it feasible to use UML for this scenario, assuming the host machine is powerful enough?

Is there any easy way to create UMLs for new users? Can the creation of a UML be automated? Would the maintenance of that many UMLs be too much to handle?

Another question...
This project is a security based project. Users will have access to their UML, and from there they should be able to run applications like nmap, hping, nessus against an internal target network. Can UML handle applications such as nmap or will there be problems?

Just wanted to ask before I dive into UML.

Thanks!

From: roland <for...@gm...> - 2003-12-16 16:43:40
Hi sergeant :)

>Is it feasible to use UML for this scenario, assuming the host machine is powerful enough.

running 50 uml's at the same time on a single FAT host should _basically_ be possible, but not recommended. it absolutely depends on WHAT the users need to do INSIDE an uml. it's really a matter of load, these 50 concurrent users will produce. so at least you need to estimate, what "average" and "maximum" load a user will generate, and test, how the system behaves in such situations. letting 50 users run hping, nmap and nessus on the same machine at the same time should generate a huge amount of load, IMHO - and this especially if inside an UML, because we have the "syscall-overhead".

why not splitting things up? AFAIK, hping, nmap and nessus are basically usable on a "per user" basis from within a single OS. if you need to give the users root privileges, you could easily wrap those commands with "sudo" or make them suid - so, do you really need separate OS's for every single user? why not giving them just an account and let them run a defined set of applications, configured for them individually?

as a rule of thumb: what you can "multi instantiate" on a single box, you won't need to run isolated inside separate ones.

i think, you even should be able to run nessus on a per-user basis on a single box. at least there are configuration options for nessus, which give me that impression.

from the nessusd manpage:

    nessusd [-v] [-h] [-c config-file] [-a address ] [-p port-number] [-D] [-d]

    -c <config-file>, --config-file=<config-file>
        Use the alternate configuration file instead of @NESSUSD_CONFDIR@/nessus/nessusd.conf

    -p <port-number>, --port=<port-number>
        Tell the server to listen on connection on the port <port-number> rather than listening on port 1241 (default).

sure - here you need to do lots of configuration and testing, too. (i'm not sure - but you probably run into problems with the TCP/IP stack on a single system when doing aggressive portscanning from within 50 useraccounts)

please see this just as an idea and a suggestion - i don't know the very details of your scenario and perhaps there IS a real need for UML or similar, though.

>Is there any easy way to create UMLs for new users?

sure there is. you just need a read-only root-filesystem and can use the copy-on-write feature. so you can clone UML's somewhat "on the fly".

>Can the creation of a UML be automated?

sure. shouldn't be too hard, too. one recommended example to configure an uml from the "outside" is on the uml website. see: http://user-mode-linux.sourceforge.net/config.html

>Would the maintenance of that many UMLs be too much to handle?

that depends on WHAT you need to maintain. if they just all need to be identical (and only differ in hostname/ip) that should be quite easy

>Users will have access to their UML, and from there they should be able to run applications
>like nmap, hping, nessus against an internal target network. Can UML handle applications such
>as nmap or will there be problems?

i think this should work. watch out for the uml-bridging howto for uml network configuration. if you setup the uml's network in bridged mode, you shouldn't run into problems with the host's tcp/ip stack, because the host's stack isn't related to the uml's at all and all he does is forwarding ethernet packets.

regards
roland

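Added example (not part of the original thread, and not code from any of the projects mentioned in it): the copy-on-write cloning and bridged networking described in the reply above, as a script that derives one UML command line per user from a single shared root filesystem. The paths, the `linux` binary name, the slot-to-tap numbering and the MAC scheme are assumptions; `umid=`, `mem=`, `ubd0=<cow file>,<backing file>` and `eth0=tuntap,<device>,<MAC>` are UML boot options.

```shell
#!/bin/sh
# Added example: per-user UML launch lines from one shared root filesystem.
# ROOT_FS, COW_DIR and the tap/MAC numbering are assumptions for illustration.

ROOT_FS="${ROOT_FS:-/srv/uml/root_fs}"   # shared image, kept read-only on the host
COW_DIR="${COW_DIR:-/srv/uml/cow}"       # one private COW file per user lives here
UML_MEM="${UML_MEM:-64M}"

# Accept only names that cannot carry ',' '=' '/' or whitespace into the
# umid= and ubd0= arguments, where those characters act as separators.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) [ "${#1}" -le 32 ] ;;
    esac
}

# MAC address derived from the slot number (1..65534), so that instances
# attached to the same bridge never share an address.
slot_mac() {
    printf 'fe:fd:00:00:%02x:%02x' $(( $1 / 256 )) $(( $1 % 256 ))
}

# Print the launch line for <user> in <slot>; non-zero status on bad input.
uml_cmdline() {
    user=$1 slot=$2
    valid_user "$user" || { echo "bad user name: $user" >&2; return 1; }
    case "$slot" in
        # empty, leading zero (octal trap), non-digit, or six or more digits
        ''|0*|*[!0-9]*|??????*) echo "bad slot: $slot" >&2; return 1 ;;
    esac
    [ "$slot" -le 65534 ] || { echo "slot out of range: $slot" >&2; return 1; }
    printf 'linux umid=%s mem=%s ubd0=%s/%s.cow,%s eth0=tuntap,tap%s,%s\n' \
        "$user" "$UML_MEM" "$COW_DIR" "$user" "$ROOT_FS" \
        "$slot" "$(slot_mac "$slot")"
}

# Read "user slot" pairs on stdin; print one launch line per valid pair and
# skip (with a message on stderr) anything that fails validation.
plan_launches() {
    while read -r user slot; do
        uml_cmdline "$user" "$slot" || continue
    done
}

# Constructed sample roster; the second entry is rejected by valid_user.
plan_launches <<'EOF'
alice 1
carol,extra 2
bob 3
EOF
```

Each tap device named in the output is assumed to exist already and to be attached to the host bridge; the script only plans the launches and starts nothing.
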
From: Sgt B <sgt...@ya...> - 2003-12-16 17:24:23
Hi Roland!

Thanks for the outstanding reply. The project in question requires users to have their own uml. Great suggestion regarding COWs! The biggest issue for us was creating and maintaining the umls. From your reply, it sounds like this won't be a major issue for us. The biggest problem will be network load though. It could be minimized by creating a separate nessusd host that the umls could connect to, but that might hurt us when it comes to logging. Either way, great suggestion, and it will be something to look into. I'll read up on the uml-bridging how-to as well.

Again, thanks for the great information!

sgt_b

From: roland <for...@gm...> - 2003-12-16 19:42:45
happy that i could help you :)

feel free to ask, if you have any problems. perhaps, you could let us know, how things goin' and how it works for you?

>The biggest problem will be network load though.

could you explain that more in detail? i'm not sure, but will nmap, hping and nessus create that much traffic - or maybe there are other apps that will?

regards
roland

From: Szalai F. <sz...@ei...> - 2003-12-16 17:17:38
On Tue, 2003-12-16 at 16:47, Sgt B wrote:
> We're planning on setting up UML for an upcoming project. We're going
> to need approximately 250-300 separate UMLs. Each user will have
> access to his/her own UML. We're expecting about 50 users online at
> any given time. Is it feasible to use UML for this scenario, assuming
> the host machine is powerful enough.
> Is there any easy way to create UMLs for new users? Can the creation
> of a UML be automated? Would the maintenance of that many UMLs be too
> much to handle?

It depends on (as always :) what you want exactly. If you'd like to create the UML box on the fly (e.g., when the user requests it) then a simple service which starts and stops UML boxes is required.

I guess you can reduce the maintenance of the UML root fs if you use some diskless technique.

> Another question...
> This project is a security based project. Users will have access to
> their UML, and from there they should be able to run applications like
> nmap, hping, nessus against an internal target network. Can UML handle
> applications such as nmap or will there be problems?

I haven't had any problem with these applications in my UML box.

--
Regards,
Feri

From: roland <for...@gm...> - 2003-12-16 17:33:57
>If you'd like to
> create the UML box on the fly (e.g., when the user requests it) then a
> simple service which starts and stops UML boxes is required.

there is a project already addressing this issue: http://uml.openconsultancy.com/umld/

unfortunately, there seems to be very little documentation. i didn't try it yet - but perhaps others have and like to share their experience.

regards
roland

From: Marc S. <mslists@LF.net> - 2003-12-17 18:57:05
Hi !

On Tue, Dec 16, 2003 at 07:47:58AM -0800, Sgt B wrote:
Would the maintenance of that many UMLs be too

We (three students) are currently developing a maintenance-solution for uml-systems as a study-project :-)

This project - called "uml-manager" addresses:

- creation of uml-systems
  (especially the creation of many testhosts and their network-connections
  in one step - for simulation of real network setups)
- daemon written in Perl
- maintenance-shell (for booting, shutdown, setup,...)
- configuration-files
  (for each uml-system, and the daemon)
- management of different network-environments
  (tuntap, broadcast, uml-switch)
- screen-based maintenance-shells
- COW-support
- English documentation
- ...

The project also focuses on the needs of ISPs.

Currently we did a lot of design - we will start in the next weeks with the development.

If someone is interested, or if someone has suggestions - please let me know.

A daily snapshot will be available soon.

The results of this project will be under GPL-licence, and distributed as debian-packets.
(also as tgz :-))

Best regards

Marc Schoechlin
--
Gruss / Best regards | LF.net GmbH       | fon +49 711 90074-413
Marc Schoechlin      | Ruppmannstr. 27   | fax +49 711 90074-33
ms@LF.net            | D-70565 Stuttgart | http://www.lf.net

From: roland <for...@gm...> - 2003-12-17 21:11:07
great!

are the specs already available somewhere?

regards
roland

From: Marc S. <ms...@li...> - 2003-12-18 06:21:35
Hi !

On Wed, Dec 17, 2003 at 10:15:39PM +0100, roland wrote:
> great!
>
> are the specs already available somewhere?

Not actually - but in the new year - i will publish them to a website. I will announce the website in this mailinglist.

Best regards

Marc Schoechlin
--
Gruss / Best regards | LF.net GmbH       | fon +49 711 90074-413
Marc Schoechlin      | Ruppmannstr. 27   | fax +49 711 90074-33
ms@LF.net            | D-70565 Stuttgart | http://www.lf.net

From: <s-...@rh...> - 2003-12-18 04:13:32
On Wed, Dec 17, 2003 at 07:53:37PM +0100, Marc Schoechlin wrote:
> Hi !
>
> On Tue, Dec 16, 2003 at 07:47:58AM -0800, Sgt B wrote:
> Would the maintenance of that many UMLs be too
>
> We (three students) are currently developing a maintenance-solution
> for uml-systems as a study-project :-)
>
> This project - called "uml-manager" addresses:

Funny you should mention it... I have been working on a program called 'umlmgr'. It is mostly working but not yet finished, which is why I haven't announced it yet. I put up a web page and threw together a release (bug reports welcomed ;)):

http://www.rhythm.cx/~steve/devel/umlmgr/

> - creation of uml-systems
>   (especially the creation of many testhosts and their network-connections
>   in one step - for simulation of real network setups)
> - daemon written in Perl
> - maintenance-shell (for booting, shutdown, setup,...)
> - configuration-files
>   (for each uml-system, and the daemon)
> - management of different network-environments
>   (tuntap, broadcast, uml-switch)
> - screen-based maintenance-shells
> - COW-support
> - English documentation
> - ...

It looks like your focus is different. In fact, I would be interested in making my program talk to your daemon and control umls through it (in addition to talking directly to mconsole sockets as it does now). I have been wanting to do this for Dave Coulson's umld but I haven't gotten around to it yet.

> If someone is interested, or if someone has suggestions - please let me know.

My only suggestion is documentation for your daemon's protocol :).

> A daily snapshot will be available soon.
>
> The results of this project will be under GPL-licence, and
> distributed as debian-packets.
> (also as tgz :-))

Great, let us know when it is off the ground.

-Steve

From: Marc S. <ms@LF.net> - 2003-12-18 06:26:41
Hi !

On Thu, Dec 18, 2003 at 12:14:43AM -0500, s-...@rh... wrote:
> Funny you should mention it... I have been working on a program called
> 'umlmgr'. It is mostly working but not yet finished, which is why I haven't
> announced it yet. I put up a web page and threw together a release (bug
> reports welcomed ;)):

:-) We have to think about another name :-)

> http://www.rhythm.cx/~steve/devel/umlmgr/

I browsed that site - seems to be interesting. I will install it on my testbox, and try it out.

> > - creation of uml-systems
> >   (especially the creation of many testhosts and their network-connections
> >   in one step - for simulation of real network setups)
> > - daemon written in Perl
> > - maintenance-shell (for booting, shutdown, setup,...)
> > - configuration-files
> >   (for each uml-system, and the daemon)
> > - management of different network-environments
> >   (tuntap, broadcast, uml-switch)
> > - screen-based maintenance-shells
> > - COW-support
> > - English documentation
> > - ...
>
> It looks like your focus is different. In fact, I would be interested in
> making my program talk to your daemon and control umls through it (in
> addition to talking directly to mconsole sockets as it does now). I have
> been wanting to do this for Dave Coulson's umld but I haven't gotten around
> to it yet.

This would be nice - i will send you detailed information in some weeks. (If we are almost ready with the daemon)

> > If someone is interested, or if someone has suggestions - please let me know.
>
> My only suggestion is documentation for your daemon's protocol :).

Yeah - this is essential :-)

> > A daily snapshot will be available soon.
> >
> > The results of this project will be under GPL-licence, and
> > distributed as debian-packets.
> > (also as tgz :-))
>
> Great, let us know when it is off the ground.
>

Yes :-)

Best regards

Marc Schoechlin
--
Gruss / Best regards | LF.net GmbH       | fon +49 711 90074-413
Marc Schoechlin      | Ruppmannstr. 27   | fax +49 711 90074-33
ms@LF.net            | D-70565 Stuttgart | http://www.lf.net