Designing An Old-Style Linux Network
Everything starts from a proper design.
If you’re smart, you know the solution is 100 percent pure Linux. The entire internal network, from the routers down to the Web servers, runs at 100 Mbit/sec (Fast Ethernet). From the Web servers to the Network Appliance file servers the wires run a cool 1000 Mbit/sec (Gigabit). The first time the gamblers hit a Linux machine is when their TCP/IP packets arrive at the firewall.
This computer is a Compaq Alpha workstation with 256 MB of RAM running SuSE’s 7.0 distribution. Since this is the only non-Intel machine in the solution, one might wonder why. The reason is security. Most buffer-overflow exploits on Linux are pre-compiled for the Intel x86 architecture, so running a platform that cannot execute them statistically diminishes the number of successful attacks by script kiddies. A second reason is that this is the only non-redundant point in the whole network, and Compaq’s Alpha machines are simply more reliable than x86-based PCs.
The firewalling itself is ipchains-based. Basically, the only thing allowed into the network is an HTTP packet addressed to port 80; everything else is discarded. In the outgoing direction, only reply packets from the Web servers are allowed. The rule set for this is very easy to configure, and the security is no less than that of any of the expensive commercial firewall products.
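The rule set described above, written out as an added example (not the article’s own configuration). It assumes a placeholder virtual IP for the Web cluster, WEB_VIP, and an IPCHAINS variable that can be pointed at echo for a dry run:

```shell
#!/bin/sh
# Added example, not the article's own script: an ipchains rule set that
# implements the policy described above. Assumed names: WEB_VIP is the
# Piranha cluster's virtual IP (placeholder value from TEST-NET-1), and
# IPCHAINS can be set to "echo" to print the rules instead of loading them.
WEB_VIP=${WEB_VIP:-192.0.2.10}
IPCHAINS=${IPCHAINS:-ipchains}

apply_rules() {
    # Start clean and deny by default on all three built-in chains.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY

    # A packet routed through the firewall traverses input, forward and
    # output in turn, so each chain needs the same two holes.
    for chain in input forward output; do
        # Inbound: TCP to port 80 of the Web cluster only.
        $IPCHAINS -A "$chain" -p tcp -d "$WEB_VIP" 80 -j ACCEPT
        # Outbound: replies from port 80 only. ipchains keeps no connection
        # state, so "! -y" (SYN not set) is the only way to tell a reply
        # apart from a new connection the Web servers might try to open.
        $IPCHAINS -A "$chain" -p tcp -s "$WEB_VIP" 80 ! -y -j ACCEPT
    done

    # Log whatever falls through to the default policy so that probes
    # against other ports are visible in syslog.
    $IPCHAINS -A input -l -j DENY
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPCHAINS=echo; apply_rules ;;
esac
```

Because ipchains tracks no connection state, the `! -y` rule lets any non-SYN packet from port 80 leave the network; that is the accepted trade-off of this generation of firewalling, and the log rule is what makes probes against other ports visible.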
Next comes the Web server, which holds the descriptive pages for users not able to enter the restricted Web area.
This Web server is actually a cluster of two Web servers running Red Hat’s Piranha high-availability cluster.
It does this by running a watchdog daemon every few seconds to make sure the other Web server is alive. If it isn’t, the virtual IP address of that machine is switched to the local machine and packets arrive there henceforth. The two machines are Netfinity 4000R rack-mounted ultra-thin PCs, each with 1 GB of RAM and Apache 1.3.14. The Linux running on these machines is Moshe’s special edition, consisting of kernel 2.4.0-pretest7, the logical volume manager and reiserfs (a journaling file system for Linux), with all unnecessary daemons and programs removed. I opted to implement a pre-release kernel for a good reason.
The 2.4.0 Linux kernels have a built-in kernel-based Web server. Tests have shown that over 80 percent of the time needed to serve a traditional static Web page is spent on the heavy switching between kernel space and Apache’s user space. The kHTTPd kernel-based Web server executes purely in the kernel and does away with all the switching. For CGIs, the Apache server with mod_perl for Perl processing is still used.
The result is an extremely skinny OS and Web server environment, leaving all the RAM for buffering the Web pages. Said pages are actually never read from disk. I attach a 100-MB RAM disk at boot and copy all the Web pages and CGIs to that disk. Apache reads its data from this RAM disk, further reducing time-intensive I/O. The Apache logs are written to a second 50-MB RAM disk, and a regularly running script copies the log to disk asynchronously and flushes the RAM disk content. The result is a Web server cluster able to serve over 2,500 pages per second.
Once users decide to actually enter the casino and register themselves as authorized users, all further Web pages are served in SSL (Secure Sockets Layer) mode.