It’s easy enough to configure both a web server software and the firewall to not allow connections to/from the server from anywhere other than pre-approved IP addresses. So your 4 approved people can connect in, and it can connect out to the servers it needs to maintain and update itself
If you want to be more restrictive, you have an air-gapped network and only the devices on that network can get to it. But then you’d need separate machines for people who need access. (But they can be older machines, as they just need to run a web browser). So long as they’re kept isolated, security updates aren’t required. You can always move security updates onto it via CD or even USB stick, but I’d make sure they’re scanned for viruses before hand. (As it’s going to be impossible to keep the virus definitions up to date this way)
Between the two is having a parallel network, and the people with access have two NICs so they’re on both the main network and this identity network. (But you also need to make sure they’re configured so they won’t act as a gateway and bridge the network). You then need one of those machines to run DNS, syslog, and mirror your RPMs, virus definitions, etc
I’d also suggest running the web service at a non-standard higher port that’s not going to be let through any outer firewalls by default.
You can also do other weird tricks— when I worked for an ISP, we had a box that if it saw any traffic it would black hole that address at the router, to stop anyone trying to scan our network. You could do something similar if anyone tried scanning port 80, it triggered some sort of lockdown
You could also use port knocking so the web service didn’t accept connections by default. You’d probably need to put a bookmarklet on the machines that should have access to send the correct pattern of unlock probes
... but I’ve been out of the sysadmin game for 5+ years now, and have only been dealing with ‘low’ sensitivity data for the past 15+. It’s possible that there are better techniques now. (I suspect the medical community would have similar issues)
-Joe
Sent from a mobile device with a crappy on screen keyboard and obnoxious "autocorrect"
> On Jun 10, 2021, at 4:37 PM, Sergio Letuche <[log in to unmask]> wrote:
>
> Greetings
>
> We plan to use a linux server and lamp software to keep persons info that
> we must protect.
> Only 4 people in our library will have access to this server via a web
> based app via a lan.
>
> Which flavour of linux server you would suggest to use?
> The best way to be sure our data is safe would be to keep it without any
> internet connection just to allow it to be reachable from within the local
> network.
> How you suggest we should proceed with having updates to the server
> software but also be sure noone outside our premises could "see" our server?
>
> Thank you for any suggestions
|