Storage and backup for desktops and laptops in the enterprise

For desktops it is generally considered a good idea that all user created data is stored on a NAS on which backup and restore is implemented.

For Linux desktops NFS is commonly used. However, NFSv3 is usually not acceptable because in large organisations there is too little control over IP adresses. So NFSv4 with Kerberos authentication is the answer. Large organisations also tend to have large networks, so latency is another factor, and again NFS4 (with the delegation feature) allows better client side caching. There is also FS-Cache/CacheFS that does a lot more caching on clients, but it does not improve performance in all situations (if bandwidth is not an issue don’t use it).

But now laptops. What you would like for laptops is the situation where the users work locally with their data, but whenever they have a network connection the data is synchronised to the enterprise NAS. That way they can disconnect their network at any time and continue working. There is the OFS (offline file system) that works on SMB network file systems, but that seems to be not completely mature yet. A second problem with laptops is authentication. A user may want to log on locally without network, and then connect the laptop to the network and expect it to start sychronising data. But that won’t work unless we first get our Kerberos ticket. I wonder what Windows laptops do in this situation, would they cache the password and re-use in the background to obtain a Kerberos ticket? Related to this: you need a feature sometimes called “cached credentials” to allow you to log on locally if your kerberos/ldap server is not available. There are some projects trying to adress this, but this is also still not well integrated yet.

The chain of trust from developer to end-user

Cyber-crime is rising. Open source software is slowly becoming more mainstream. And thus cyber-criminals will more and more try to target open source software users.

One of the weak paths in software security is the distribution path from developer to the end user. But this is often quite different for open source users compared to proprietary software. There are big advantages, but also some big disadvantages.

The author/maintainer creates a release, and uploads it to the download server. Then………??????? And in the end an end-user is running a binary on his/her system. Notice the ??????! What happens on the download server? There have been examples where open source software was hacked on the download server (for example squirrelmail had a serious issue). And do you trust all of the mirrors? Can you trust the packager? Do you know who the packager is? Do you trust the download server from the packager?

Several Linux distributions do good work already. Debian and Ubuntu sign their distribution lists. So once the user trusts the distribution key, and the process that keeps the key secure, the path from Linux distribution to their own system is quite secure. This is a tremendous advantage compared to the situation on the average windows machine. But is it good enough? The path from authors/maintainers to the Linux distributions is not always signed with keys. Some developers do sign all their release, but are the signatures checked by the distribution packagers?

Sharpen up before the cyber-criminals get to you!