Linux and Security at Salem Hospital: A Case Study
Oregon's capital city of Salem is located midway between Portland and Eugene in the middle of the Willamette Valley. Next to Pringle Creek Park sits the 450-bed Salem Hospital, a not-for-profit acute care facility and the city's largest employer, with 500 physicians and 3,300 total employees.
But just as the banks of Pringle Creek are crowded with larches, mulberries, and Douglas firs, the IS department at Salem Hospital had accumulated a hodgepodge of more than a half-dozen incompatible firewalls from an assortment of vendors and free/open-source projects. The acquisition of each security device seemed cheap at the time, but the end result has been undue complexity and high administrative costs for the staff of five network engineers.
The challenge was to find perimeter security that held the sutures together, was simple to manage, and was capable of locking down a heavily regulated industry environment at little to no cost. The hospital found a solution 5,200 miles away, in Germany.
"Because we are a not-for-profit organization, we have to watch our spending closely", said Carl Wharton, network systems engineer at Salem Hospital. Wharton and his coworkers keep about 175 Compaq, Hewlett Packard and IBM servers humming happily in the data center that sends traffic through 70 Xtreme routers.
With more than 500 volunteers, the number of end users that must be protected against viruses and network intrusions can be as many as 3,800 people. A T1/Frame Relay cable connects three main campus buildings, five outbuildings and two satellite offices.
Technology from Asita and NetGear, plus freeware from Monowall, was put in-line. Red Hat 9 was installed with its Webmin interface. The command-line interface common to the open-source firewall project netfilter/iptables, however, necessitated specialized know-how in an area where only one engineer had expertise.
"We realized that to keep things patched and current was almost a full-time job in itself. We also realized that I was one of the few maintaining all these firewalls, making it tough to take time off", said Wharton. "We needed to find a way to make it easy for our staff to maintain these firewalls."
The IS department then began a search for perimeter security products, preferably ones equipped with Web interfaces to permit easier management. The team evaluated security products by appliance vendors Asita and NetScreen Technologies, the latter since acquired by Juniper Networks. Salem also tested the Shoreline firewall, more commonly known as Shorewall, a tool for configuring the open-source project Netfilter.
Another key concern for Salem Hospital, besides cost and ease of administration, was the hardware question: specifically, whether to go with a firewall appliance. "One thing we wanted was the ability to put the firewall on hardware that would be a standard piece of equipment in our data center", said Wharton. "We use 4- and 6-port NICs on DL360s as standard platforms, we wanted to have backup equipment ready, and we didn't want to keep another appliance on the shelf in the event of failure."
Because Wharton runs Mozilla and Linux on his desktop, he had a hankering for a Linux-based solution that would provide the Web interface he wanted while also meeting his budget constraints. The team went on-line and discovered Astaro Security Linux, a comprehensive perimeter security product that features integrated virus and spam protection, intrusion detection and content filtering, plus a stateful packet inspection firewall and virtual private network (VPN) gateway. Astaro is supplied as software, so Wharton could use his standard hardware of choice.
Astaro Security Linux incorporates 80 open-source projects, including well-established ones such as Netfilter, Squid and Snort. Astaro provides financial backing to the netfilter/iptables project to keep that ball of evolution rolling. The German-founded company integrates these projects with a proprietary management platform.
It's easy for Astaro to offer its product at lower cost than competitive products. "We bought a 25 IP license for testing and soon got used to the interface and functions, then we went ahead once we were comfortable and purchased an unlimited license", said Wharton.
The next big tasks for Salem were to reduce the number of firewalls and to change over from using a dial-up connection to using Astaro's VPN for connecting securely to suppliers. "We still are in the process of consolidating our seven firewalls", said Wharton. "We had a freebie firewall called Monowall, but Astaro is more enterprise robust. We had some NetGear firewalls too, but we're in the process of going from one firewall to two firewalls with a DMZ in-between."
Wharton has been using Astaro Security Linux for 18 months now. When asked if he had experienced any unforeseen problems, he concluded, "I don't see any bad outcome. I like the way we can maneuver, make comments and name folders the way we like. We can see the benefit of consolidating the firewalls under one type, and because of that, our manageability problem has been taken care of."