T0PS3O

Cordoning Off a Secure Area on Dedicated Server

Linux SysAdmin isn't my expertise so I'm hoping to get some pointers here.

I have a dedicated server, reasonably specced, with a dedicated Cisco firewall. It runs CentOS 5.2 and is reasonably up to date. It's locked down at the firewall level pretty well.

It runs a bunch of websites based on mostly open source scripts. Whilst it has never been compromised in any way, the fact these scripts are fast-developing but not-so-quickly updated means that in principle, I can't trust this server too much. The websites don't store anything overly critical so in its current shape, if it gets compromised, there is no great risk/loss potential.

But now I am considering adding a more sensitive, more critical Java-based application which powers a web service. Ideally I'd stick that on a separate server but for budget reasons, I'm exploring the possibility of using the existing server. The data this app will process and store is of the sensitive personally identifiable type. Medical but not credit cards.

The app can be installed the normal way or as a virtual application (VMware).

The question hence is, is there a way of retroactively reorganising a hard-disk/operating system in such a way that I can effectively create two 'zones'. One that is less secure and one that is airtight?

Virtualization from the ground up would have been nice but I understand this in its own right will add costs and is most likely beyond my skill level. Forgetting OS level virtualization for a moment, is there any strategy to accomplish this?

Can I perhaps partition a section and install the script there in such a way that if any of the less-secure scripts get hacked, the hacker can't reach this special zone?

Or can I run the free VMPlayer and run the virtual app of this software and somehow secure that?

What options do I have to leverage the existing server?
liddler

I'd say your best option is to install your websites in separate VMs.
Install VMware (or any VM server), build two separate Linux systems, copy your current sites into one and your secure sites to the other. Each VM instance is a whole standalone Linux server, that you apportion a section of RAM and disk to and build as normal from a CD / DVD. You will then be able to harden one, using things like SELinux, chroot jails, tcpwrappers, PAM increased auditing etc.
T0PS3O

ASKER

Thanks. I agree, that would be the best way to go about it. But the VMware licensing is prohibitive in comparison to just getting another secure hosting deal, and overhauling the server will take me days of downtime.

I'm now wondering whether just running the VMware Player inside this server and then running the Virtual App version of the intended application would be more secure than simply installing the non-VA version of the application in and amongst the rest of the scripts. Sort of towering above the rest instead of on the same level.
ASKER CERTIFIED SOLUTION
liddler

T0PS3O

ASKER

Thanks guys. As I was hoping for non-VM related answers, it's "only" a B, though that doesn't mean you weren't right or that the answers aren't valuable. I probably asked in a dead-end direction.