Changes between Version 9 and Version 10 of doc/TorBOX/BareMetalHints


Ignore:
Timestamp:
Mar 21, 2012, 1:12:14 AM (8 years ago)
Author:
cypherpunks
Comment:

rewrite installation to sync with recent changes elsewhere

Legend:

Unmodified
Added
Removed
Modified
  • doc/TorBOX/BareMetalHints

    v9 v10  
    77When setting up TorBOX in the form of two VMs running on the same host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To prevent against such attacks we need a different approach: In this context we call it "bare metal" because the gateway system is directly installed on the hardware ("metal") and not in a VM. This drastically reduces the [https://en.wikipedia.org/wiki/Trusted_computing_base TCB] by more than the half.
    88
     9= Overview =
     10In total we'll be installing and configuring two computers and set up an isolated point to point network between them. One computer acts as the client or "Tor-Workstation", the other as a proxy or "Tor-Gateway" which will transparently route all of the Tor-Workstation's traffic through Tor.
     11
    912= Prerequisites =
    10  * A computer with at least two network adapters, at least one of them ethernet, capable of running Linux. This will be our gateway.
    11  * A client computer connected via ethernet to the gateway. This will be the torified client system or Tor-Workstation.
     13 * A computer with at least two network adapters, at least one of them ethernet, capable of running Linux. This will be our gateway. It will run Ubuntu Server 11.10 Oneiric Ocelot. Theoretically you could use any OS that supports iptables or pf. If you don't want to use Ubuntu Oneiric you will have to edit the shell script. This will be easy for Debian derivatives but much more difficult for *BSD for example. In any case, the choice of OS shouldn't really matter because this system isn't used for anything but running Tor.
     14 * A client computer connected via ethernet to the gateway. It must only have this one NIC and no other network connectivity! This will be the torified client system or Tor-Workstation. [[BR]]
     15   Any OS can be used (but read warning, especially for Windows:[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks Transparent Proxy Leaks].) [[BR]]
     16   We recommend you use a VM as the client, preferably the same [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation#CreateTor-Workstation.ova VM build] as the non-bare metal TorBOX uses. Here's why:
     17  * a generic VM image can neither leak identifying hardware serial numbers nor unique software fingerprints (e.g. trough [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Softwareupdaters software updates])
     18  * This ensures that you get the latest security features and most secure configurations (such as stream isolation that protects against [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing] or [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/XChat IRC hardening])
     19   
     20
     21= Time syncing =
     22Please read and apply if necessary [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Download#NetworkTimeSyncing "Network Time Syncing"] on both computers.
    1223
    1324= How To Install =
    14 For the set up follow the [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/HowToInstall Manual Configuration]. Only very few changes are necessary.
    15  * Step 1: you need to apply the time syncing related commands on both the gateway and the client.
    16  * Step 2: Because VMs protect against hardware fingerprinting we still recommend that you use Virtualbox with Tor-Workstation.ova as the client. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation TorBOX/Dev/BuildDocumentation]
    17     * Instead of Internal Networking you'll need to use NAT or bridged networking, the latter is easier to configure as you can simply follow the standard networking set up detailed in the manuals (or use our shell scripts).
    18     * If you install the client "bare metal" as well it may be a good idea to use FDE (full disk encryption) and set up a screen saver. If not set them up on the host.
    19  * Step 3:
    20     * If you want to use ssh from the outside you obviously can't use the provided commands (ssh on 127.0.0.1)
    21     * eth0 needs to be configured according to the requirements of your local network, e.g. static or with dhcp if the gateway is connected to a dhcp capable router.
    22     * Before running the script make sure eth1 and eth0 refer to the correct interfaces. Otherwise you have to change each instance of "eth*" in the script ('dmesg | grep eth' may be helpful).
    23     * It may be a good idea to set up FDE during installation
     25On the Client computer configure host and tor-workstation as detailed [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation here] but:
     26 * Instead of setting Adapter 1 to Internal Networking you'll need to use bridged networking!
    2427
    25 Instead of manual configuration, you can also use [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Download#InformationforBareMetalusers binary images] for one or even both systems!
     28For the Tor-Gateway follow these [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation#CreateTor-Gateway.ova instructions] (ignoring VirtualBox sepecific steps) but:
     29 * Only run tor-gateway.sh, NOT tor-gateway-prepare4export.sh! It's not only not necessary, it is only suited for VMs!
     30 * If you want to use ssh from another computer you obviously can't use the provided commands (ssh on 127.0.0.1)
     31 * eth0 needs to be configured according to the requirements of your local network, e.g. static or with dhcp if the gateway is connected to a dhcp capable router.
     32 * Before running the script make sure eth1 and eth0 refer to the correct interfaces. Otherwise you have to change each instance of "eth*" in the script ('dmesg | grep eth' may be helpful).
     33 * It's a good idea to set up FDE during installation
    2634
    2735= Further recommendations =