Qubes Usage for enterprise deployment


BUET Jeremy (SILCA)

Feb 2, 2016, 8:52:25 AM2/2/16
to qubes...@googlegroups.com
Hello everybody,

I am trying to prepare for my company (for internal use only) a pool of
workstations (both laptop and desktop) which match these criteria :
- Secure system
- Environment separation : I need to have at least 3 environments that
connect to 3 networks (through VPNs), and these environments must have
minimum and controllable communication between themselves.
- Centralized management : I need to be able to push update or new
packages to all workstations simply.
- Offline work : I want a user to be able to do some work (although not
everything of course) if for some reason he can't connect to the
company's VPN.
- LDAP authentication : Although the workstations might not be
multi-user (I can manage if my workstations aren't multi-user), I would
like that my user's password is always their LDAP login password (and
that if they change their password on their workstation, the LDAP
password is updated as well)
- Limited user rights : I don't want the users to be able to install
themselves software or to configure themselves the network.

I have heard recently of Qubes, and after looking into it, I think I am
able to manage to adapt it to match my first five criteria (although I
would be grateful if you have any help or hint to where to look at for
that). Qubes seems to be a great base to work on for that project.
But I have a problem with that last criterion.

It seems that by design, a QubesOS user will always have administrative
privileges on their workstation. It is a fair choice for the usage QubesOS
seems to be intended for, I am not criticizing it. But is there some
possibility to adapt a QubesOS for less trusting the user, and enforcing
a certain configuration (and set of software) only an administrator, and
not the user, could change ?

Thanks in advance for all your help,

Sincerely,

Jeremy Buet

Ivan

Feb 3, 2016, 2:16:23 AM2/3/16
to qubes...@googlegroups.com
Hi,

On 02/02/2016 03:26 PM, BUET Jeremy (SILCA) wrote:
> Hello everybody,
>
> I am trying to prepare for my company (for internal use only) a pool of
> workstations (both laptop and desktop) which match these criteria :
> - Secure system
> - Environment separation : I need to have at least 3 environments that
> connect to 3 networks (through VPNs), and these environments must have
> minimum and controllable communication between themselves.
> - Centralized management : I need to be able to push update or new
> packages to all workstations simply.
> - Offline work : I want a user to be able to do some work (although not
> everything of course) if for some reason he can't connect to the
> company's VPN.
> - LDAP authentication : Although the workstations might not be
> multi-user (I can manage if my workstations aren't multi-user), I would
> like that my user's password is always their LDAP login password (and
> that if they change their password on their workstation, the LDAP
> password is updated as well)

dom0 doesn't have network access so I don't see how you can use LDAP. If
you really need centralized management, one way I'm thinking of is to
use the update mechanism, which is pretty well tested:
- set a local yum repo in dom0
- on password change automatically create a rpm with the required files
for whatever PAM auth you'll use in dom0
- regularly update dom0 with your company's yum/dnf repo.

That opens another set of problems though:
- your local repo and the way you create the rpm updates has to be
really secure
- while dom0 is relatively secure, maybe you don't want all your
company's passwords to be on each laptop. There's a way to solve that
too, but that'd mean you manually configure a laptop for (a) given user(s).


> - Limited user rights : I don't want the users to be able to install
> themselves software or to configure themselves the network.
>
> I have heard recently of Qubes, and after looking into it, I think I am
> able to manage to adapt it to match my first five criteria (although I
> would be grateful if you have any help or hint to where to look at for
> that). Qubes seems to be a great base to work on for that project.
> But I have a problem with that last criteria.
>
> It seems that by design, a QubesOS user will always have administrative
> privileges on their workstation. It is a fair choice for the usage QubesOS
> seems to be intended for, I am not criticizing it. But is there some
> possibility to adapt a QubesOS for less trusting the user, and enforcing
> a certain configuration (and set of software) only an administrator, and
> not the user, could change ?

The following link should help:

https://www.qubes-os.org/doc/vm-sudo/

IMO that's OK if you only want to prevent your users from tinkering with
your laptops so that you don't lose time fixing them, but it won't help
if you want to prevent users from installing forbidden stuff in your
corporate network, since they have full privileges to configure/use VMs
and can install whatever they want in those VMs.

BUET Jeremy (SILCA)

Feb 3, 2016, 5:03:22 AM2/3/16
to qubes...@googlegroups.com
Hi again,

Thank you for your warning Outback Dingo, this might be a problem, but I
am a bit optimistic and I think my users will be (in my case) clever
enough to use the system without too many problems.

I will keep you updated if I end up using Qubes as a start and getting
somewhere interesting.
To be honest, I thought something like that : checking regularly for a
change in the user's LDAP password to get it and store it (and only this
user's password) on the computer, which allows for an offline use
without exposing the other users' password. Thanks a lot though for your
suggestion of implementation.
>
>> - Limited user rights : I don't want the users to be able to install
>> themselves software or to configure themselves the network.
>>
>> I have heard recently of Qubes, and after looking into it, I think I am
>> able to manage to adapt it to match my first five criteria (although I
>> would be grateful if you have any help or hint to where to look at for
>> that). Qubes seems to be a great base to work on for that project.
>> But I have a problem with that last criterion.
>>
>> It seems that by design, a QubesOS user will always have administrative
>> privileges on their workstation. It is a fair choice for the usage QubesOS
>> seems to be intended for, I am not criticizing it. But is there some
>> possibility to adapt a QubesOS for less trusting the user, and enforcing
>> a certain configuration (and set of software) only an administrator, and
>> not the user, could change ?
>
> The following link should help:
>
> https://www.qubes-os.org/doc/vm-sudo/
>
> IMO that's OK if you only want to prevent your users from tinkering
> with your laptops so that you don't lose time fixing them, but it
> won't help if you want to prevent users from installing forbidden
> stuff in your corporate network, since they have full privileges to
> configure/use VMs and can install whatever they want in those VMs.
>
That is my concern. My company has a security policy that doesn't allow
for users to install whatever they want (although no protection for
portable executables is set on our windows workstations) and
furthermore, my department has a lot of security constraints, and I
really need to enforce a reasonable enough security on my department's
networks, so I can't allow for my users to tinker with my network.

To sum up, if some users use new software by installing it in their
home (in each VM) and using it from their home, I wouldn't be very
happy but I could live with it, but I must keep them from doing anything
strange on my network, and from installing or even executing software as
root on the VMs (this last point is stupid, I know, given a user might
just compile and execute it in their home, but I must comply with it for
policy reasons).


Sincerely,
Jeremy Buet

PS : just on a side note, I am more of a gentoo-user, and not too fond
of systemd. I didn't check at all yet (I will do in the future though),
and am just asking out of curiosity (I can adapt to fedora & systemd
based system), but has anyone yet tried to use gentoo-based or even just
systemd-less templateVM ?