Musings on IT, data management, whitewater rafting, and backpacking

Wednesday, October 27, 2010

Thin clients on a separate network?

Should we give everyone a thin client on a separate network for accessing sensitive applications?

We constantly struggle with new security requirements from headquarters. These requirements are one size fits all, meaning maximum security based on everyone using sensitive applications for personnel and payments.

And our scientists and technicians tend to use the same computers for research, downloading and installing new research-related software, and managing their project personnel and funds. This mix of sensitive and non-sensitive, need-to-minimize-risk versus need-to-take-more-risk activities on one computer is a security nightmare.

Since many hacks these days involve deeply penetrating computers and monitoring keystrokes, setting up locked-down virtual machines is hardly worth the effort.

So I'm considering setting up thin clients which can RDP into a Windows Server over a separate, locked-down network which has access only to the Server, and the Server has access only to the pre-defined sensitive applications. DoD, NSA, and other high-security outfits have been running separate computers on separate networks for decades.

What's different now is that the cost of thin clients, servers, and separate networks is approaching the lost productivity costs of locking down our research systems and arguing with headquarters.

This article from The Register triggered my thinking.

Time to define some requirements, create some preliminary system designs, and do some market research.

All of this might be moot if Headquarters doesn't allow us to apply different security standards to different sets of systems. Another Layer 8/9 problem.


  1. I can recommend SunRay. You can run the SunRay server software on Linux.

    SunRays are different from thin clients. SunRays are ultra thin - they dont run anything. Everything is executed on the server. The SunRay sends in mouse + keyboard to the server, and the server sends back bitmap pictures to SunRay. SunRay are very similar to a very long cable, from your screen in to the server.

    The SunRays have a BIOS. That is all. (Actually, they have a firmware).

    Normal thin clients typically have 256MB RAM and 1GHz cpu, they are very weak and they use Linux embedded or Windows CE. You must upgrade and patch them. No so SunRay.

    SunRay have no RAM, that means no software is run on them. That means security is very good. They just show bitmaps, no data is stored on them. SunRay can connect over Internet, to a TCP/IP adress. Which means you can have the server in another country and still use the client flawlessly. Or, you could buy a sunray inside a laptop case with screen (Tadpole inc), and use a 3G modem when you travel. If someone steals the SunRay, there are no issues with security as lost hard drives or hacked computers.

    A SunRay consumes 50KB/sek band width. 500msek ping is on the verge of useable, but it works. Sun used 19.000 SunRays, and the servers in different countries.

    It is impossible to upgrade SunRay. They have no RAM nor CPU (that runs software). They are like a long cable. If you need more power, upgrade the server.

    One extremely heavy office user, consumes 700MHz each in artifical stress tests. Get a Quad core and you are a happy man.

    You can get refurbished sunrays on ebay for 40 USD and download the SunRay software from Oracle and try it out on Linux.

  2. Anonymous,

    Wow, SunRay. Hadn't heard anything about those in years, didn't know they were still a viable option.

    I'll take a look. Thanks for the tip.