advice on security with external email and web server?
I have to admit having worked with debian-edu on a test system for about 2 months, I really love it!
As I begin to expand the test system into what will finally be duplicated into a small high school I would appreciate suggestions / advice on a few things:
Currently network setup is simply Tjener with one ethernet port attached to switch; Thin clients, workstations, network printer and wireless N ap also attached to switch. Switch goes to router. Router also has wireless G and phone adapter.
Router connects external port 443 to port 22 for SSH access.
Also, considering enabling DMZ on router for a thincomputer running SNORT on the external network for intrusion detection.
Needs: Public web server, external email and running programs over vpn or other secure link, off-site web access to email and files and of course security!
1. Use Tjener as public webserver, add various webb apps and features as needed and deal with configuration and security issues that multiply as the number of web apps increase.
2. Use a separate thin computer as a tthpd webserver (adding a second hub outside the firewall) and moving the SNORT ids outside with the webserver.
3. Use KVM on Tjener to set up a public webserver (using second nic in Tjener instead of bridging?). Use managed virtual server such as Amahi to add additional web features.
4. Change skolelinux kernel to Proxmox kernel and OpenVZ and various Proxmox appliances to add functionality.
I guess my questions come down to:
1. Security recommendations? Does adding virtualization to skolelinux add to security?
I realize this is a big question; Any experience or recommendations appreciated.