Cordoning Off a Secure Area on Dedicated Server
Posted on 2010-01-05
Linux SysAdmin isn't my expertise so I'm hoping to get some pointers here.
I have a dedicated server, reasonably specced, with a dedicated Cisco firewall. It runs CentOS5.2 and is reasonably up to date. It's locked down at the firewall level pretty well.
It runs a bunch of websites based on mostly open source scripts. Whilst it has never been compromised in any way, the fact these scripts are fast-developing but not-so-quickly updated means that in principle, I can't trust this server too much. The websites don't store anything overly critical so in its current shape, if it gets compromised, there is no great risk/loss potential.
But now I am considering adding a more sensitive, more critical java based application which powers a web service. Ideally I'd stick that on a separate server but for budget reasons, I'm exploring the possibility of using the existing server. The data this app will process and store is of the sensitive personally identifiable type. Medical but not credit cards.
The app can be installed the normal way or as a virtual application (VMWare).
The question hence is, is there a way of retroactively reorganising a hard-disk/operating system in such a way that I can effectively create two 'zones'. One that is less secure and one that is airtight?
Virtualization from the ground up would have been nice but I understand this in its own right will add costs and is most likely beyond my skill level. Forgetting OS level virtualization for a moment, is there any strategy to accomplish this?
Can I perhaps partition a section and install the script there in such a way that if any of the less-secure scripts get hacked, the hacker can't reach this special zone?
Or can I run the free VMPlayer and run the virtual app of this software and somehow secure that?
What options do I have to leverage the existing server?