If you put your important systems in a separate IP address space and use a firewall as the router between the office space and the secure space, you can dictate what you let through the firewall on a computer-by-computer and application-by-application basis. Don't let things go from your office net to your secure net unless you really have to.

If you need to look at logs, have the server on your secure network push (rsync) those files to an office server regularly. The bandwidth is free; push it every minute if you want to. If you have things that you routinely need to send to the server on the secure network, put them on the office server and have a cron job on the secure server go and ftp the specific file(s) you want and run a post-process script on them if need be.

If you need to ssh or vnc into the secure system from the office systems, only allow those that actually need the access and use a password token method like SecurID that is used once and changes every minute. Then if the hacker snoops the keyboard on the office computer, they only have a minute to make it into your secure system and you've limited how useful that is to them. Don't use a file sharing mechanism that can't support strong fencing. I think Samba is easy to implement and easy to hack.

I guess how much trouble you want to go to depends on how painful it is if you get hacked. If you are going to tighten security, be sure to give a lot of thought to how you're going to make it work "easily" for the people who routinely need access to the systems. If you make it so arcane and hard to deal with, you're encouraging people within the organization to work around the security. Then you really have a problem trying to keep the bad guys out.

Bill Putney - WB6RFW

District 2 Commissioner - Port of Port Townsend
Chief Engineer - KPTZ
El Jefe de Contenido - Port Townsend Film Festival
Private Pilot-Single Engine Land | Airframe & Powerplant Mechanic / Inspection Authorization

_______________________________________________
Rivendell-dev mailing list
Rivendell-dev@lists.rivendellaudio.org
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev

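The per-host, per-application firewall the post describes, as an added example that is not part of the original message or of Rivendell itself. The script below generates an nftables ruleset for a box routing between an office LAN and a separate secure LAN: the forward chain's policy is drop, return traffic for flows that were allowed is accepted by connection tracking, and every permitted flow is a single source host, destination host and port taken from an allow-list. The interface names, subnets, addresses and the allow-list entries (two admin workstations allowed to ssh to the secure server, the secure server allowed to push logs to an office rsync daemon and to pull files from an office ftp drop box) are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build an nftables ruleset for a
# firewall that sits between an office LAN and a separate "secure" LAN and
# only lets through the specific host-to-host, port-specific flows listed below.
# All names, subnets and addresses are assumptions chosen for this example.

OFFICE_IF=eth0               # assumed interface facing the office LAN
SECURE_IF=eth1               # assumed interface facing the secure LAN
OFFICE_NET=192.168.10.0/24   # assumed office address space
SECURE_NET=10.20.0.0/24      # assumed secure address space

# Constructed allow-list: one flow per line, "src dst proto port note".
# Only the flows the post talks about are here: ssh from two admin
# workstations, the secure server pushing logs to an office rsync daemon,
# and the secure server pulling files from an office ftp drop box.
ALLOW_LIST='192.168.10.11 10.20.0.5 tcp 22 admin-ws1-ssh
192.168.10.12 10.20.0.5 tcp 22 admin-ws2-ssh
10.20.0.5 192.168.10.50 tcp 873 logs-rsync-push
10.20.0.5 192.168.10.51 tcp 21 dropbox-ftp-pull'

# gen_ruleset: print an nft ruleset to stdout. Reverse traffic for an allowed
# flow is accepted by the established,related rule, so no reverse rule is
# needed; anything not listed falls through to the chain's drop policy.
gen_ruleset() {
    printf 'flush ruleset\n'
    printf 'table inet fw {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy drop;\n'
    printf '        ct state established,related accept\n'
    printf '        ct state invalid drop\n'
    # Anti-spoofing: a packet arriving on the office side must carry an
    # office address, and one arriving on the secure side a secure address.
    printf '        iifname "%s" ip saddr != %s drop\n' "$OFFICE_IF" "$OFFICE_NET"
    printf '        iifname "%s" ip saddr != %s drop\n' "$SECURE_IF" "$SECURE_NET"
    printf '%s\n' "$ALLOW_LIST" | while read -r src dst proto port note; do
        [ -n "$src" ] || continue
        printf '        ip saddr %s ip daddr %s %s dport %s accept comment "%s"\n' \
            "$src" "$dst" "$proto" "$port" "$note"
    done
    # Log (rate-limited) what is about to be dropped so the drops are visible.
    printf '        limit rate 5/second log prefix "fw-drop: "\n'
    printf '    }\n'
    printf '}\n'
}

# allowed_flow_count: number of explicit accept rules generated, one per
# non-empty allow-list line.
allowed_flow_count() {
    gen_ruleset | grep -c ' accept comment '
}
```

Check the generated ruleset with `gen_ruleset | nft -c -f -` before loading it with `gen_ruleset | nft -f -`. Adding a new host or service means adding one line to the allow-list, which keeps the "only what you really have to" rule from the post visible in one place; the log line at the end of the chain shows you what is being refused, which is the first thing to look at when someone reports that a new workflow "doesn't work".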