Cordoning Off a Secure Area on Dedicated Server

Posted on 2010-01-05
Last Modified: 2013-11-08
Linux SysAdmin isn't my expertise so I'm hoping to get some pointers here.

I have a dedicated server, reasonably specced, with a dedicated Cisco firewall. It runs CentOS5.2 and is reasonably up to date. It's locked down at the firewall level pretty well.

It runs a bunch of websites based on mostly open source scripts. Whilst it has never been compromised in any way, the fact these scripts are fast-developing but not-so-quickly updated means that in principle, I can't trust this server too much. The websites don't store anything overly critical so in its current shape, if it gets compromised, there is no great risk/loss potential.

But now I am considering adding a more sensitive, more critical java based application which powers a web service. Ideally I'd stick that on a separate server but for budget reasons, I'm exploring the possibility of using the existing server. The data this app will process and store is of the sensitive personally identifiable type. Medical but not credit cards.

The app can be installed the normal way or as a virtual application (VMWare).

The question hence is, is there a way of retroactively reorganising a hard-disk/operating system in such a way that I can effectively create two 'zones'. One that is less secure and one that is airtight?

Virtualization from the ground up would have been nice but I understand this in its own right will add costs and is most likely beyond my skill level. Forgetting OS level virtualization for a moment, is there any strategy to accomplish this?

Can I perhaps partition a section and install the script there in such a way that if any of the less-secure scripts get hacked, the hacker can't reach this special zone?

Or can I run the free VMPlayer and run the virtual app of this software and somehow secure that?

What options do I have to leverage the existing server?
Question by:T0PS3O
    LVL 18

    Expert Comment

    I'd say your best option is to install your websites in separate VMs.
    Install VMware (or any VM server), build two separate linux systems, copy your current sites into one and your secure sites to the other.  Each VM instance is a whole standalone linux server, that you apportion a section of RAM and disk to and build as normal from a CD / DVD.  You will the be able to harden one, using things like SElinux, chroot jails, tcpwrappers, PAM increased auditing etc
    LVL 1

    Author Comment

    Thanks. I agree, that would be the best way to go about it. But the VMWare licensing is prohibitive in comparison to just getting another secure hosting deal and overhauling the server will take me days of down-time.

    I'm now wondering whether just running the VMWare Player inside this server and then run the Virtual App version of the intended application would be more secure than simple installing the non-VA version of the application in and amongst the rest of the scripts. Sort of towering above the rest instead of on the same level.
    LVL 18

    Accepted Solution

    ESXi from VMware is free ( I run plenty of windows/ linux VMs on various linux servers, the only limitation is the amount of RAM (and sometimes bandwidth) in the underlying server

    The important thing is to have the risky websites in a VM, not the secure sites.  If the server gets compromised via an unsecured site, the VM sub-server is a risk.  IF a VM sub-server is compromised, it does not mean the parent server, or any other VMs will be compromised.
    LVL 2

    Assisted Solution

    ESXi is free and good for one server if your want best performance and stability and don't mind rebuilding your server.  If you want to retain some services and the CentOS operating system you can use VMWare Server 2.0 which is also free and will install on top of your existing OS.  See for details.  Just remember that you need to move anything risky into a virtual machine, because if your OS if compromised the VMs could be too.
    LVL 1

    Author Closing Comment

    Thanks guys. As I was hoping for non-VM related answers, it's "only" a B, though that doesn't mean you weren't right or that the answers aren't valuable. I probably asked in a dead-end direction.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
    If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now