[PLUG] Two machines versus one

Paul Heinlein heinlein at madboa.com
Mon Jan 26 17:32:20 UTC 2009


On Sun, 25 Jan 2009, Keith Lofstrom wrote:

> This machine will reside in my wife's office, where she will be 
> using it for dictations to create patient records.  My original plan 
> was to set up iptables to block all incoming traffic, only outbound 
> stuff allowed.  Since it is behind a NAT router, the only threats 
> are likely to be those carried in by firefox, and zombied windoze 
> machines on the same internal network.  We need to make sure the 
> patient records are 99.999% secure.  Right now patient records are 
> on paper, partly because of security risks of digital records.  We 
> would like to go digital if we can.
>
> But my wife is not a security geek, and we are both concerned that 
> in the unlikely event of a successful exploit of a net-connected 
> Linux machine, it may go unnoticed.  Not acceptable.  Yes, you can 
> run software that scans for exploits, but it is better to have an 
> airgap between the secure data and the net.  We can set up something 
> where the data and the net are not connected at the same time, but 
> if the computer gets exploited while net connected, it can copy the 
> data when it is not.  Very remote chance, but still there.
>
> So we are considering setting up two machines, one connected to the 
> net, the other not, and select between them with a KVM switch.  I'm 
> testing that setup in her office right now.  With this setup, she 
> will be able to browse the web and do email and such with 
> net-connected machine A, and use Dragon and do secure stuff with 
> isolated machine B, and switch between them with a pushbutton.

Managing cross-domain connections -- in this case, HIPAA and non-HIPAA 
-- is hard. From personal experience I can tell you that the US 
government has put a LOT of money into researching and developing 
cross-domain solutions, but you'll still see

  * naval ships with several completely separate physical networks,
    even though space is at a premium,

  * intelligence employees with two or more computers on their
    desks, each machine connected to a different network (secure,
    secret, top secret, etc),

  * intelligence workers hand-typing data that has to move from
    one domain to another, since machines on one network cannot
    be allowed to operate on another.

Given the current state of technology, two machines is 
probably the safest bet. It's not the most efficient solution, but 
keeping patient data on machines accessible to a public network 
requires huge shovelfuls of vigilance, time your wife probably doesn't 
have to spare.

> I suppose another way to do this is to make TWO virtual machines on 
> host A, one that contains a linux guest running firefox, one that 
> contains the Win2K guest running Dragon (with net connections turned 
> off).  If the linux guest gets exploited via firefox, it stays 
> within the guest.  With the underlying host OS simplified as much as 
> possible, and set up to provide no services to the local ethernet 
> segment and potential zombies on it, that might be suitably secure. 
> BTW, the Atom N270 used by the EEE PC Box does not have 
> virtualization instructions, so we can't use Xen.

This is a reasonable solution -- but only if performance isn't a key 
concern and you both are comfortable with VM operations. A relatively 
underpowered Atom processor isn't going to make speed demons out of 
your virtual machines, and it can take some time to learn the ins 
and outs of VM administration.

> So the question:  What am I missing here?  Are there good ways to
> make one machine secure enough to do surfing and outbound vpn for
> ssh, while keeping a VMware Windoze guest acceptably isolated?
> Or, are there stupidities to avoid if I must use two machines?

It's a hard problem. The two-machine solution requires more space, 
more power, and has more breakable parts -- but it probably requires 
the least amount of admin time. A solution running VMs is elegant and 
efficient, except when it comes to administration (and perhaps 
processor utilization).

My bias is to use two machines until you and your wife are completely 
comfortable operating, maintaining, and troubleshooting VM issues -- 
though I'm willing to admit the issue is debatable and others may 
reasonably come to the opposite conclusion.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
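A concrete form of the "block all incoming traffic, only outbound stuff allowed" policy Keith mentions in his first paragraph, written out as an added example that is not part of this thread and was not posted by anyone on the list. It is an iptables-restore ruleset; the interface name eth0 and the log prefix are my assumptions. The point worth noticing is what it does not do: a default-deny INPUT chain stops the zombied machines on the LAN from reaching the box, but it does nothing against code that Firefox pulls in over a connection the box itself opened, which is exactly the threat that drives the rest of the discussion toward a second machine or a VM.

```iptables
# /etc/iptables.rules -- load with: iptables-restore < /etc/iptables.rules
# Assumed interface name: eth0 (change to match the machine).
*filter
# Default policies: nothing unsolicited gets in, nothing is forwarded,
# the machine may open whatever outbound connections it likes
# (web, mail, the outbound VPN for ssh).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback traffic is needed by local services and must never be blocked.
-A INPUT -i lo -j ACCEPT

# Replies to connections this machine initiated (and related traffic such
# as ICMP errors) are the only inbound packets that are allowed through.
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anything else from the LAN -- including probes from compromised Windows
# boxes on the same segment -- hits the DROP policy. Log a rate-limited
# sample first so an unexpected inbound attempt does not go unnoticed.
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
```

After loading, `iptables -L -v -n` should show policy DROP on INPUT and FORWARD with packet counters climbing only on the ESTABLISHED,RELATED rule during normal use; counters on the LOG rule mean something on the LAN is knocking. The ACCEPT policy on OUTPUT is what lets the outbound VPN and ssh work; tightening OUTPUT to just the VPN endpoint and DNS would limit where an exploited browser could send data, but it cannot stop exfiltration through the browser's own permitted connections, so it is a reduction in exposure, not the airgap the thread is after.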
