[PLUG] Two machines versus one

Keith Lofstrom keithl at kl-ic.com
Mon Jan 26 03:13:52 UTC 2009


The EEE PC Box is coming along - I reloaded it with Scientific
Linux 5.2 ( ~= RHEL5.2 or CentOS5.2 ) and the video is working
much better.  I have a Win2K VMware Player client running with
Dragon NaturallySpeaking - I may recompile the host kernel
with some real time tweaks to see if we can get the accuracy up.

This machine will reside in my wife's office, where she will be
using it for dictations to create patient records.  My original
plan was to set up iptables to block all incoming traffic, only
outbound stuff allowed.  Since it is behind a NAT router, the
only threats are likely to be those carried in by firefox, and
zombied windoze machines on the same internal network.  We need
to make sure the patient records are 99.999% secure.  Right now
patient records are on paper, partly because of security risks
of digital records.  We would like to go digital if we can.

But my wife is not a security geek, and we are both concerned
that in the unlikely event of a successful exploit of a
net-connected Linux machine, it may go unnoticed.  Not
acceptable.  Yes, you can run software that scans for exploits,
but it is better to have an airgap between the secure data
and the net.  We can set up something where the data and the
net are not connected at the same time, but if the computer
gets exploited while net connected, it can copy the data
when it is not.  Very remote chance, but still there.

So we are considering setting up two machines, one connected
to the net, the other not, and select between them with a KVM
switch.  I'm testing that setup in her office right now.  With
this setup, she will be able to browse the web and do email 
and such with net-connected machine A, and use Dragon and do
secure stuff with isolated machine B, and switch between them
with a pushbutton.

There are problems with the printer sharing device I bought
(it turns out to be a stupid button actuated USB switch, and
HAL starts up a configuration dialog each time it is switched,
fooey!) and the two machine setup will need something more
printer-aware than that.  I am also bothered by the power waste
of two machines, and the inaccessibility of machine B for
maintenance (right now, I maintain machine A through a VPN
from my home office).

I suppose another way to do this is to make TWO virtual machines
on host A, one that contains a linux guest running firefox, one
that contains the Win2K guest running Dragon (with net connections
turned off).  If the linux guest gets exploited via firefox, it
stays within the guest.  With the underlying host OS simplified
as much as possible, and set up to provide no services to the
local ethernet segment and potential zombies on it, that might
be suitably secure.  BTW, the Atom N270 used by the EEE PC Box
does not have virtualization instructions, so we can't use Xen.

So the question:  What am I missing here?  Are there good ways to
make one machine secure enough to do surfing and outbound vpn for
ssh, while keeping a VMware Windoze guest acceptably isolated?
Or, are there stupidities to avoid if I must use two machines?

Keith

BTW, physical security - the machines are physically connected
to the monitor, drives embedded behind a metal plate, and the
whole pile will be chained to the desk.  I suppose there could
be somebody a block away looking at this screen through a
telescope, but the windows are dirty!  There are paper records
in the hall, and a copy machine, and there are a few keys to the
office in circulation, so this is not defense-grade security.
But I'm not looking for perfect security, just pretty good.

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
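An added example, not from Keith's post, of the iptables policy the post sketches for net-connected machine A: block all incoming traffic, allow only outbound, offer no services to the local Ethernet segment, let ssh in only over the outbound VPN tunnel, and never forward between VMware's host-side interfaces and the NIC. It assumes the NIC is eth0, OpenVPN over udp/1194 brings up a tun interface, and VMware Player's host interfaces are named vmnet*; the script prints the rules for review and only applies them with --apply as root.

```shell
#!/bin/sh
# Firewall policy for "machine A" as described in the post: block all
# incoming traffic, allow only outbound, offer no services to the local
# Ethernet segment, and keep VMware's host-side interfaces off the NIC.
# Assumed (not from the post): NIC is eth0, OpenVPN on udp/1194 brings up
# tun0, VMware Player host interfaces are named vmnet*, mail uses 587/993.
# RHEL5-era iptables syntax (state match), as shipped with SL 5.2.
LAN_IF="${LAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the rules instead of running them so the policy can be reviewed
# (and kept under version control) before it touches the box.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -o $LAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p tcp -m multiport --dports 80,443,587,993 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i tun+ -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i vmnet+ -j DROP
iptables -A FORWARD -o vmnet+ -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostA-drop: "
EOF
}

# Apply only as root; anyone else gets a dry run on stdout.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing rules instead of applying them" >&2
        build_rules
        return 1
    fi
    build_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;
esac
```

Note that no INPUT rule accepts NEW connections on the LAN interface at all, so nothing on the local segment (including a zombied Windows box) can open a connection to the host; the only inbound service is ssh, and only inside the tunnel the host itself initiated.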
