[K12OSN] Securing a K12LTSP box

[Bryant Patten <opensource whitenitro com>]

I have been asked by a couple of elementary schools to set up a K12LTSP 
demo.  One server, 4 terminals - so that people at the school can try 
it out.  Simple word processing, some image stuff and Internet access 
are the planned uses.  Sound and thumb drive usability are particularly 
important.

My question for the collective list is:

		After a vanilla, default-accepting install of  K12LTSP (5.0 beta 7 is 
what I am currently exploring) onto a new server box, what should one 
do (if anything) to additionally secure or harden the box?

Do people recommend running something like Tripwire or Bastille?  I 
have done some reading about both of these but haven't yet tried using 
either and I didn't find anything in the LTSP wiki about either 
program.  The wiki does offer the following warning - "Trying to run an 
LTSP service over a public network such as the internet without any 
security precautions is foolhardy in the extreme".  I am beginning to 
teach myself about network security issues but do not yet have a sense 
of 'how much is enough' regarding hooking servers to the Internet.

In this type of situation, I am often not sure about the security set 
up for the school's network.   Phrases such as "...I'm not sure what we 
do about security - Joe set that up and he is gone now..."  or "our 
consultant installed a Sonicwall but I don't anything about it..." are 
often used.  I explain to people that this box will not function as a 
firewall but I would like to make it as secure as functionally possible 
against being taken over by evil doers in this ambiguously secured 
environment.

Bryant Patten
White Nitro, LLC