
Thread: What is "Security" for average joe?

  1. #11
    Join Date: Nov 2013 · Location: Nomadic life · Beans: 590 · Distro: Ubuntu

    Re: What is "Security" for average joe?

    Quote Originally Posted by SeijiSensei:
    For most people not running servers and not running large managed networks, a simple consumer router is sufficient. I manage an Internet gateway for a health-care provider with over 200 employees so we have more substantial security needs. That box runs Linux with the Squid proxy to control outbound web requests. It also scans every inbound object for viruses and malware using SquidClamAV. The box also operates as an email gateway running MailScanner to check each inbound message for viruses and spam. It also examines every outbound message to ensure that people in the agency aren't sending out emails with "patient health information" which violates the US Federal Government's regulations designed to protect the privacy and security of patients' health records. It also runs an iptables firewall and hosts a website that enables patients to make appointments online.
    You have one box that runs the proxy, mail filter, network scanner, internet-facing firewall, and it also hosts the external website. I would have tried to separate those functions onto separate machines, or at least put the website behind the firewall on a separate box. I'm curious why you chose your approach. Did you only have budget for one box?


    Are you using Bro for the network scanning piece?
    "Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." Douglass Adams

  2. #12
    Join Date: Apr 2014 · Beans: Hidden! · Distro: Ubuntu Development Release

    Re: What is "Security" for average joe?

    Usually, for the average user, the Linux OS itself is quite safe from viruses, malware and back-doors, for a simple reason: it has a lot of well-knowledgeable eyeballs checking each and everything, plus with Linux even an average user like me or you generally has a good sense of maintaining security. So, 99.99% of the time you probably won't need anything other than an enabled firewall with default rules.
    Real trouble is given to you by the installation of 3rd-party stuff: Java, browser plug-ins, Windows files/programs you handle through Wine, the relative security of sites you're inclined to visit or operate, and sometimes the browser you use itself. Make no mistake, these are the things which go down first, or at least these are the things which compromise your security most.

    As for your question of what security means to the average user: it's entirely dependent on the user itself, and it's something only he/she can decide upon with respect to his computerized ecosystem. Though, it should be safe to say that the cleaner you are of the things above, the more secure you are on Linux.
    Last edited by LastDino; April 26th, 2014 at 06:36 PM.

  3. #13
    Join Date: Nov 2008 · Location: Metro Boston · Beans: 9,041 · Distro: Kubuntu 14.04 Trusty Tahr

    Re: What is "Security" for average joe?

    Quote Originally Posted by bashiergui:
    You have one box that runs the proxy, mail filter, network scanner, internet-facing firewall, and it also hosts the external website. I would have tried to separate those functions onto separate machines, or at least put the website behind the firewall on a separate box. I'm curious why you chose your approach. Did you only have budget for one box?

    Are you using Bro for the network scanning piece?
    There's no network scanner, though it does run ntop. It's bound to the inside-facing interface for security.

    Putting the external website behind the machine was possible, but I don't see it as much of a security risk on the box itself. All the "patient health information" is kept on another server behind the firewall and is encrypted with AES256. The gateway box runs a PHP application I wrote that manages patient appointments. I've been writing PHP applications for fifteen years now, and I'm pretty cognizant of security issues with web apps.

    I've tried to get the client to offload the public-facing services to a server in the cloud (I use Linode), but I never seem to get very far with that. There's always the concern about management and cost and just general organizational inertia. I push on this every so often, but I'm just the consultant so there's only so little I can do.

    And, yes, budget was a big part of the decision here. The alternative was something like a Barracuda, but it wouldn't have nearly the flexibility of a Linux gateway and would cost a lot more to boot. I built this on a Dell PowerEdge R410 with dual Xeons and 8 GB of memory; the machine rarely breaks a sweat. We actually bought two of these with the intention of having one as a "hot" spare, or simply dividing the tasks between them. As soon as they were ordered, the second box was commandeered for use as a Windows server. A lot of these decisions had to do with the post-recession Federal stimulus money which would pay for new hardware for medical organizations but not cover any of the costs of consulting and support. (Read: Funnel the monies to companies like GE and leave the health providers with the costs of actually using the hardware they bought.)

    The "firewall" is just a lengthy and complex set of iptables rules. I wrote a custom script to generate them. MailScanner runs two copies of sendmail and uses Perl scripts to scan the messages. We use ClamAV via the clamd daemon. That way the antivirus task can be shared by both the mail scanner and SquidClamAV. Probably the most CPU-intensive activity is scanning mail with Perl-based SpamAssassin which is invoked by MailScanner.

    The only open ports are 25, 80, 443, and a custom port that redirects back to the Exchange server to provide Outlook Web Access. There are no services on port 80; it just redirects traffic to 443 in case people type http:// rather than https:// when trying to connect to the appointments manager.

    Unix servers have traditionally run multiple daemons. I've built machines with some or all of these services for two decades now. Back when I started in the 1990s, the hardware itself was so expensive that deploying multiple machines was cost-prohibitive. Even a decent desktop i386/i486 machine was $2,500. We spent about the same amount on this R410 and got a rocket ship.
    Last edited by SeijiSensei; April 26th, 2014 at 06:43 PM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
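    An added example, not SeijiSensei's own generator script: a small POSIX shell script that emits an iptables-restore ruleset matching the policy described above (default drop, only 25/80/443 open to the outside, the custom port forwarded to Exchange, ntop reachable from the inside only). The interface names, the Exchange address 192.168.1.10 and the OWA port 8443 are placeholder assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not SeijiSensei's own script: emit an iptables ruleset for
# a single-box gateway that matches the policy described in the thread.
# Placeholder assumptions (not from the thread): WAN is eth0, LAN is eth1,
# the Exchange server is 192.168.1.10 and the custom OWA port is 8443.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
EXCHANGE_IP="${EXCHANGE_IP:-192.168.1.10}"
OWA_PORT="${OWA_PORT:-8443}"

# gen_rules prints iptables-restore input instead of applying it, so the
# result can be reviewed or diffed against iptables-save before loading.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Public services: 25 for the mail gateway, 443 for the appointments
    # app, 80 only so the web server can redirect http:// to https://.
    for port in 25 80 443; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
    # ntop's web UI (default port 3000) is reachable from the LAN side only.
    echo "-A INPUT -i $LAN_IF -p tcp --dport 3000 -j ACCEPT"
    # The OWA port is DNATed (below) to the Exchange server, so it needs a
    # FORWARD rule, not an INPUT rule; the gateway itself never listens on it.
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $EXCHANGE_IP --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "COMMIT"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $OWA_PORT -j DNAT --to-destination $EXCHANGE_IP:443
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
# count_wan_ports: how many TCP ports the INPUT chain accepts from the WAN
# side, a quick check that nothing beyond the intended set slipped in.
count_wan_ports() {
    gen_rules | grep -c -- "-A INPUT -i $WAN_IF -p tcp --dport"
}
```

    Load it as root with `gen_rules > rules.v4 && iptables-restore < rules.v4`; binding ntop to the inside interface, as in the thread, makes the port-3000 rule a second line of defence rather than the only one.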
