Cordoning Off a Secure Area on Dedicated Server

Posted on 2010-01-05
Medium Priority
Last Modified: 2013-11-08
Linux SysAdmin isn't my expertise so I'm hoping to get some pointers here.

I have a dedicated server, reasonably specced, with a dedicated Cisco firewall. It runs CentOS5.2 and is reasonably up to date. It's locked down at the firewall level pretty well.

It runs a bunch of websites based on mostly open source scripts. Whilst it has never been compromised in any way, the fact these scripts are fast-developing but not-so-quickly updated means that in principle, I can't trust this server too much. The websites don't store anything overly critical so in its current shape, if it gets compromised, there is no great risk/loss potential.

But now I am considering adding a more sensitive, more critical java based application which powers a web service. Ideally I'd stick that on a separate server but for budget reasons, I'm exploring the possibility of using the existing server. The data this app will process and store is of the sensitive personally identifiable type. Medical but not credit cards.

The app can be installed the normal way or as a virtual application (VMWare).

The question hence is, is there a way of retroactively reorganising a hard-disk/operating system in such a way that I can effectively create two 'zones'. One that is less secure and one that is airtight?

Virtualization from the ground up would have been nice but I understand this in its own right will add costs and is most likely beyond my skill level. Forgetting OS level virtualization for a moment, is there any strategy to accomplish this?

Can I perhaps partition a section and install the script there in such a way that if any of the less-secure scripts get hacked, the hacker can't reach this special zone?

Or can I run the free VMPlayer and run the virtual app of this software and somehow secure that?

What options do I have to leverage the existing server?
Question by:T0PS3O
  • 2
  • 2
LVL 18

Expert Comment

ID: 26180538
I'd say your best option is to install your websites in separate VMs.
Install VMware (or any VM server), build two separate linux systems, copy your current sites into one and your secure sites to the other.  Each VM instance is a whole standalone linux server, that you apportion a section of RAM and disk to and build as normal from a CD / DVD.  You will the be able to harden one, using things like SElinux, chroot jails, tcpwrappers, PAM increased auditing etc

Author Comment

ID: 26180906
Thanks. I agree, that would be the best way to go about it. But the VMWare licensing is prohibitive in comparison to just getting another secure hosting deal and overhauling the server will take me days of down-time.

I'm now wondering whether just running the VMWare Player inside this server and then run the Virtual App version of the intended application would be more secure than simple installing the non-VA version of the application in and amongst the rest of the scripts. Sort of towering above the rest instead of on the same level.
LVL 18

Accepted Solution

liddler earned 1050 total points
ID: 26180991
ESXi from VMware is free (http://www.vmware.com/products/esxi/) I run plenty of windows/ linux VMs on various linux servers, the only limitation is the amount of RAM (and sometimes bandwidth) in the underlying server

The important thing is to have the risky websites in a VM, not the secure sites.  If the server gets compromised via an unsecured site, the VM sub-server is a risk.  IF a VM sub-server is compromised, it does not mean the parent server, or any other VMs will be compromised.

Assisted Solution

conductance earned 450 total points
ID: 26286467
ESXi is free and good for one server if your want best performance and stability and don't mind rebuilding your server.  If you want to retain some services and the CentOS operating system you can use VMWare Server 2.0 which is also free and will install on top of your existing OS.  See http://www.vmware.com/products/server/ for details.  Just remember that you need to move anything risky into a virtual machine, because if your OS if compromised the VMs could be too.

Author Closing Comment

ID: 31672912
Thanks guys. As I was hoping for non-VM related answers, it's "only" a B, though that doesn't mean you weren't right or that the answers aren't valuable. I probably asked in a dead-end direction.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question