Thanks. I'll have to look into intrusion detection switches. One thing I didn't describe is how you access the servers for administrative purposes. Both the gateway and workstation would have hidden services for ssh, and the daemons would be listening only on localhost, so the gateway sshd wouldn't accept any connections from the public internet (the workstation of course doesn't face the public internet at all). Further, the HiddenServiceAuthorizeClient option would be turned on and set to stealth, meaning that the admin has to include a "cookie" (basically a password) in his torrc to access the ssh hidden service. If the cookie is not provided, the hidden service appears not to be running, so it's deniable that these ssh hidden services exist at all. Connecting to the gateway and workstation would be a matter of pointing one's ssh client, over Tor, at the right onion domain.
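A check for the server side of the setup described in the post above, as an added example that is not part of the original post: it reads an sshd_config and a torrc and reports anything that deviates from "sshd on loopback only, hidden service forwarding to loopback, stealth client authorization". The sample configs, the HiddenServiceDir path and the client name `admin` are constructed assumptions, and the script assumes a single hidden service per torrc.

```python
import ipaddress

# Constructed sample configs for the gateway; the path and client name "admin" are assumptions.
SSHD_CONFIG = "Port 22\nListenAddress 127.0.0.1\nPasswordAuthentication no\n"
TORRC = ("HiddenServiceDir /var/lib/tor/ssh_hs/\n"
         "HiddenServicePort 22 127.0.0.1:22\n"
         "HiddenServiceAuthorizeClient stealth admin\n")

def directives(text):
    """Return (lower-cased keyword, argument string) pairs, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            pairs.append((fields[0].lower(), fields[1].strip() if len(fields) > 1 else ""))
    return pairs

def is_loopback(addr):
    """True if host, host:port or [v6]:port names a loopback address."""
    if addr.startswith("[") and "]" in addr:
        host = addr[1:addr.index("]")]
    else:                               # strip a port only from the host:port form
        host = addr.split(":")[0] if addr.count(":") == 1 else addr
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(sshd_text, torrc_text):
    """Return findings; an empty list means the configs match the setup in the post."""
    findings = []
    listen = [arg for key, arg in directives(sshd_text) if key == "listenaddress"]
    if not listen:
        findings.append("sshd: no ListenAddress, so sshd listens on every interface")
    findings += [f"sshd: ListenAddress {a} is not loopback" for a in listen if not is_loopback(a)]
    tor = directives(torrc_text)
    for key, arg in tor:
        target = arg.split()[1] if key == "hiddenserviceport" and len(arg.split()) > 1 else ""
        # A missing or port-only target means 127.0.0.1; unix: sockets are local too.
        if target and not (target.isdigit() or target.startswith("unix:") or is_loopback(target)):
            findings.append(f"tor: HiddenServicePort forwards to non-loopback {target}")
    modes = [a.split()[0].lower() for k, a in tor if k == "hiddenserviceauthorizeclient" and a]
    if not modes or any(m != "stealth" for m in modes):
        findings.append("tor: HiddenServiceAuthorizeClient is not set to stealth")
    return findings

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, TORRC) or "matches the described setup")
```

HiddenServiceAuthorizeClient is a version 2 onion service option, and Tor 0.4.6 and later no longer support version 2 services. Version 3 services do client authorization through key files in the service's `authorized_clients` directory instead, so this check applies only to the older setup the post describes.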