[K12OSN] Tuning LTSP Performance

Terrell Prude' Jr. microman at cmosnetworks.com
Fri Aug 29 22:41:28 UTC 2008


monteslu at cox.net wrote:
> ---- Stephen Crampton <SteveSings at gmail.com> wrote: 
>   
>> I'm using the latest version of Edubuntu.
>>
>> I'm not sure how to check the CPU or network load.  Could someone tell me
>> the most efficient way?
>>     
>
> Edit the default section of lts.conf and add this:
> LDM_DIRECTX = True
>
> reboot your thin clients and you'll see dramatic improvement in performance.
>
> I know it's less secure, but having it defaulted to false is unusable for most hardware.
>
> Luis

You're right, it is somewhat less secure, no question.  However, the 
INFOSEC engineer in me classes this under "acceptable risk".  Here's why.

1.)  What matters most, in most K-12 thin client environments, is that 
the credentials are encrypted.  Remember that most data on MS 
Windows-based networks (e.g. file copies, MS Exchange email, etc.) is 
not encrypted, but the login credentials most certainly are.

2.)  If you're running LTSP of any sort, it's assumed that you're 
running, at a minimum, a switched 10/100 environment (if not, then you 
really should be!).  Unless A.) it's a managed switch capable of port 
mirroring, and B.) you control said switch, you can sniff *your* 
traffic, but not other people's.  To keep the Les Mikesells of the world 
happy, I'll point out that yes, you could sniff the server if it's 
physically accessible.  But in God's name, I hope you have it secured 
physically so's to (largely) prevent that!

3.)  The data that most K12-based LTSP deployments have to worry about 
isn't mission-critical.  Only if you're dealing with the Student 
Information System (SIS) or something similar does that change.  In this 
latter case, you might want to reconsider the setting of LDM_DIRECTX, 
depending on your environment.

4.)  Even if you're running LTSP to hit your SIS, though, remember that 
this is a switched, wired network.  Wardrivers by definition aren't 
going to be an issue.  Most shops, including mine, who run SASIxp, do so 
on a vanilla 10/100 Cat 5 network.  That's not how we get cracked.  We 
get cracked because teachers and administrators routinely walk away from 
terminals without locking them.  Or worse, they're insane enough 
to--yes--let a "trusted" student do grade entries!  DUH!

For these reasons, I don't see a real-world problem with that setting.

--TP
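
Added example (not part of the original post, and not LTSP project code): a short Python audit for the case raised in point 3, listing which client sections of an lts.conf end up with LDM_DIRECTX on, so that SIS terminals can be kept on the SSH-tunnelled default. The sample file and its MAC addresses are constructed, and the accepted "true" spellings (true/yes/y) are an assumption.

```python
import re

TRUTHY = {"true", "yes", "y"}  # assumption: spellings treated as "enabled"

# Constructed sample lts.conf; the MAC addresses are made up.
SAMPLE_LTS_CONF = """\
[default]
    LDM_DIRECTX = True

# Front-office terminal used for the SIS
[00:11:22:33:44:55]
    LDM_DIRECTX = False

# Library client, inherits the default
[00:11:22:33:44:66]
    SOUND = True
"""

def parse_lts_conf(text):
    """Return {section: {KEY: value}} for an lts.conf-style INI file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().upper()] = value.strip().strip('"')
    return sections

def directx_report(text):
    """Map each client section to True if its X traffic bypasses the SSH tunnel."""
    sections = parse_lts_conf(text)
    # With no value in [default], the setting is off (the post: "defaulted to false").
    default = sections.get("default", {}).get("LDM_DIRECTX", "False")
    return {
        name: opts.get("LDM_DIRECTX", default).lower() in TRUTHY
        for name, opts in sections.items() if name != "default"
    }

if __name__ == "__main__":
    for client, direct in directx_report(SAMPLE_LTS_CONF).items():
        print(f"{client}: {'direct X (unencrypted)' if direct else 'X over SSH'}")
```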