
#LCA2010 – New Zealand's Bravest Man – Patrick Brennan

Abstract:

Who is the bravest man in New Zealand? I put to you that he is Mark Osborne of Albany in greater Auckland. You see, Mark Osborne is a Deputy Principal at Albany Senior High School (ASHS), a new state school catering for years 11 to 13. ASHS has some very fascinating and unique educational philosophies, but I digress. So why is Mark Osborne the bravest man in New Zealand? Simple. With just two months remaining until the school’s grand opening, Mark came to us and laid out a challenge: to use Open Source Software throughout the school, to place as many services as possible “in the cloud”, oh, and “I would like to use unified credentials across all systems”.

In a market where Microsoft is perceived to be the only (and government funded) choice, this is the story of how a Ministry of Education (MoE) flagship school came to rely almost entirely upon Open Source and Cloud based technologies for all ICT functions.

A variety of Open Source technologies were utilised to meet the school’s requirements. Google Apps and Gmail were used as the school’s productivity suite, negating the need for any internal email infrastructure. Moodle was used as the school’s Learning Management System. Mahara was used to manage students’ learning portfolios. Koha was used as the school’s library management tool. All of these web/cloud based services are hosted externally to the school. Notably, Koha is written in New Zealand, enabling the school to fund the development of additional features that are now available to all. The use of Google SSO, SAML, and LDAPS/TLS enabled authentication for all services, whether internal or external, to be tied back to the school’s LDAP directory. (Mandriva Directory Server was used to manage the contents of the OpenLDAP directory.)

Ubuntu was provisioned on all desktops which, thanks to some exceptional vendor pricing, are extremely high performance machines. Mandriva was provisioned on all server infrastructure. NFSv4 (over 10GbE) was utilised to remote mount home directories from desktops — Kerberised to prevent UID spoofing and ensure file privacy/security. Kernel Virtual Machine (KVM) was utilised to provision most internal servers allowing ongoing host provisioning, whether Linux or Microsoft, without capital expenditure.

NuFW was utilised as the core firewall technology. NuFW extends the functionality of iptables allowing TCP packets to be filtered based on the LDAP group of the originating user (who has already been seamlessly authenticated via PAM). NuFW gives considerably more flexibility to security policies than simple IP/port based filtering. In addition, NuFW allows the monitoring, logging, and accounting of traffic on a per-user basis. Asymmetric routing was used to forward all HTTP/S requests via the MoE recommended/funded filtering company, Watchdog. Performing this function on the existing firewall provided significant capital savings and allowed an increase in filtering speed of one whole order of magnitude.

So is Mark Osborne really the bravest man in New Zealand? He says, with absolute confidence, “I knew it would work all along”. You decide.

Author:

Patrick’s interests are many and varied. He is an OpenBSD enthusiast, he holds a private pilot’s license, and has a wide range of musical skills, including formal vocal training and competence on the tin-whistle! Patrick has previously worked as a volunteer ambulance officer and was involved with the data communications aspect of the America’s Cup Virtual Spectator application.

At work he’s known for his quirky culinary habits (once almost setting the office on fire during a fire-drill — ask him later!), his extensive BSD and pf (packet filter) knowledge, and his structured approach to solution design and implementation.

Patrick is often told he’d make a great teacher, as he explains complex technical concepts with ease and with an obvious passion for both his topic and for sharing knowledge.

source by Patrick Brennan
