doc:deployment-stories:electronic-glovebox

Differences

This shows you the differences between two versions of the page.

doc:deployment-stories:electronic-glovebox [2013/11/20 09:43]
stefanbaur
doc:deployment-stories:electronic-glovebox [2013/11/20 17:48]
stefanbaur
Line 1: Line 1:
-====== X2Go at the Doctor'​s office: The Electronic ​Glovebox ​======+~~SHORTURL~~ 
 +====== X2Go at the Doctor'​s office: The Electronic ​GloveBox ​======
  
 //Shared by Stefan Baur, [[http://​www.baur-itcs.de|BAUR-ITCS UG (Germany)]]//​ //Shared by Stefan Baur, [[http://​www.baur-itcs.de|BAUR-ITCS UG (Germany)]]//​
  
-The Electronic ​Glovebox ​is our implementation of a ''​Re''​mote ''​Co''​ntrolled ''​B''​rowsers ''​S''​ystem, ReCoBS.+The Electronic ​GloveBox ​is our implementation of a __Re__mote __Co__ntrolled __B__rowsers __S__ystem, ReCoBS.
  
-ReCoBS is a security concept designed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik,​ BSI).+ReCoBS is a security concept designed by the German Federal Office for Information Security ([[https://​www.bsi.bund.de/​EN/​Home/​home_node.html|Bundesamt für Sicherheit in der Informationstechnik]], BSI).
  
-It places a Terminal Server ​(in our case, a Linux box running X2Go) in a demilitarized zone (DMZ) between two Firewalls. This Terminal Server ​may freely surf the net, but it cannot initiate "​downstream"​ connections towards the LAN. From the LAN side, it is possible to connect to the Terminal Server ​(in our case, via SSH), but direct outbound connections to the Internet are blocked by default.+It places a terminal server ​(in our case, a Linux box running X2Go) in a demilitarized zone (DMZ) between two firewalls. This terminal server ​may freely surf the net, but it cannot initiate "​downstream"​ connections towards the LAN. From the LAN side, it is possible to connect ​"​upstream" ​to the terminal server ​(in our case, via X2Go/SSH), but direct outbound connections to the Internet are blocked by default.
  
-Where we're diverting from the standard ReCoBS approach is that we're using a single firewall with a third ethernet port for the DMZ, and we're running both the firewall and the X2Go Terminal Server ​as virtual machines on a stripped down Debian Linux with KVM.+Where we're diverting from the standard ReCoBS approach is that we're using a single firewall with a third ethernet port for the DMZ, and we're running both the firewall and the X2Go terminal server ​as virtual machines on a stripped down Debian Linux with KVM. Also, we're providing a web proxy server with a default deny policy, so that you can whitelist "​safe"​ domains like microsoft and antivirus updates, or online banking portals, and access those using your locally installed browser or online banking software (which makes more sense from a security standpoint, if you think about it).
  
-While the system isn't limited to a particular hardware configuration (we've shipped regular midi-tower cases as well as 19", 1HU rack-mount servers), our standard model is a fanless (i.e. entirely passively cooled), very compact case with enough CPU and RAM for up to 5 concurrent users.+While the system isn't limited to a particular hardware configuration (we've shipped regular midi-tower cases as well as 19", 1HU rack-mount servers), our standard model is a fanless (i.e. entirely passively cooled), very compact case with enough CPU and RAM for up to 5 concurrent users. A picture, showing the box on top of a stack of copy paper for easy size comparison, is available [[http://​www.baur-itcs.de/​20-servermodelle/​10-lexcomputechtwister|here]].
  
 This allows us to offer an affordable solution even for small offices like a general practicioner'​s office. This allows us to offer an affordable solution even for small offices like a general practicioner'​s office.
  
-Obviously, there is a high demand for data protection solutions in the healthcare sector (as probably everyone can understand immediately).+Obviously, there is a high demand for data protection solutions in the healthcare sector (as probably everyone can understand immediately), and this is where we've sold quite a number of Electronic GloveBoxes so far. Of course, it could also be used by lawyers, product designers (think industrial espionage), and similar professions where you just don't want to see your customer records/​confidential data leaked onto the Internet.
  
-For usability reasons, we're using the X2Go Published Applications feature of the X2Go Client ​for providing the applications to the user - in fact, we're the ones who [[doc:​sponsors|sponsored]] the development of said feature.+To provide a seamless user experience, we're using the X2Go Published Applications feature of the X2Go Client - in fact, we're the ones who [[doc:​sponsors|sponsored]] the development of said feature.
  
-What we're publishing is a minimal set of internet applications (browser, mail client, PDF Viewer ​and Open Office), accessible via right-click on the X2Go icon in the taskbar. ​+What we're publishing is a minimal set of internet applications (browser, mail client, PDF viewer ​and OpenOffice/​LibreOffice), accessible via right-click on the X2Go icon in the taskbar. ​
  
-Please visit our website for further information and to view a screencast. The website is in German ​only at the moment, but if you are interested in selling GloveBoxes in your country, feel free to contact us by e-Mail and we'll provide you with English translations of whatever you may need. Also, while the screencast has German on-screen text and no translation yet, it should be rather easy to figure out what it's about, even without ​unerstanding ​the language.+Thanks to the Published Application Mode, these applications interact with the Desktop as if they were installed locally on the machine, there is no annoying full-screen desktop window that you need to drag out of the way to access your local applications,​ like you might know (and hate) it from using VNC or RDP.  
 + 
 +Please visit our website for further information and to view a screencast. The website is only available ​in German at the moment, but if you are interested in selling GloveBoxes in your country, feel free to contact us by e-Mail and we'll provide you with English translations of whatever you may need. Also, while the screencast has German on-screen text and no translation yet, it should be rather easy to figure out what it's about, even without ​understanding ​the language.
  
   * Overview: [[http://​baur-itcs.de/​10-elektronischeglovebox/​]]   * Overview: [[http://​baur-itcs.de/​10-elektronischeglovebox/​]]
   * Screencast: [[http://​baur-itcs.de/​10-elektronischeglovebox/​50-videos/​]]   * Screencast: [[http://​baur-itcs.de/​10-elektronischeglovebox/​50-videos/​]]
   * e-Mail: [[mailto:​kontakt@baur-itcs.de]]   * e-Mail: [[mailto:​kontakt@baur-itcs.de]]
 +
 +----
 +
 +Kudos to [[http://​das-netzwerkteam.de/​|sunweaver]] for jumping in and providing the initial revision of this page. :-)
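
Review bot: The sentence added to the ReCoBS-divergence paragraph ("Also, we're providing a web proxy server with a default deny policy, ...") introduces a second path from the LAN to the Internet, while the paragraph before it still says only that "direct outbound connections to the Internet are blocked by default". State explicitly that the whitelisting proxy is the one exception to that block, and name the machine it runs on (the firewall VM, the terminal server, or a separate host), so a reader can tell what the firewall rule set has to permit. The parenthetical "(which makes more sense from a security standpoint, if you think about it)" should give the reason rather than leave it to the reader. Smaller points in the same hunk: "microsoft" should be capitalised, "diverting from" reads better as "deviating from", the unchanged line still has "practicioner's" for "practitioner's", and the new Published Application Mode sentence is a comma splice ("... locally on the machine, there is no annoying ...") that would be clearer as two sentences.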
doc/deployment-stories/electronic-glovebox.txt · Last modified: 2013/11/20 17:48 by stefanbaur