LinuxQuestions.org
Old 01-24-2017, 12:09 PM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Rep: Reputation: 1161
Separating business and home work flows


I am looking for links, articles, and experienced opinions related to best practices for separating/segmenting business and personal work flows when using my personal computers.

I need to have remote access to business servers. For example, we use Proxmox, which uses a web browser interface. I need remote access to the network monitor server (nagios).

One option is to use a computer dedicated to business access. Not budget feasible at the moment. Not practical as I do not want to carry two laptops with me.

Perhaps a separate browser profile for business related browser sessions might help. A separate login account might be another idea. Just thinking out loud -- I do not know at this point.

I access the business computers from home with an office desktop and a laptop. The laptop extends the range outside the home.

I accept that security and convenience tend to conflict. Just looking for information and experiential advice.

Thanks.
 
Old 01-25-2017, 02:16 AM   #2
treemouse
Member
 
Registered: Jan 2017
Posts: 30

Rep: Reputation: Disabled
Since that's a pretty broad question, there is probably no definitive answer. I would suggest taking the time to work out exactly what your objectives are in separating the workflows:
  • Security, so that if you have a security incident on your personal computer it won't put your work at risk? If so, what exactly (passwords you type? files you store locally?) are you concerned about keeping secure?
  • Privacy, so that if a colleague looks over your shoulder while you are on your laptop, they won't see an embarrassing URL auto-complete in your browser?
  • Are there specific legal or workplace requirements?
  • etc.

Once you take the time to make a clear list of what you hope to gain from separating your workflows, it might be easier to decide the best way to do it.

Edit: Also, since you don't specifically mention either of these options in your post, I wanted to bring up the possibilities of dual boot, or using a virtual machine. Either will give you a whole separate OS install (and possibly the option to encrypt that OS's partitions, if necessary, so your home-use OS can't access them) if you need more separation than just separate browsers/separate accounts will give you.

Last edited by treemouse; 01-25-2017 at 02:19 AM.
 
1 members found this post helpful.
Old 01-30-2017, 02:42 PM   #3
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
Fair questions. I was not expecting definitive replies as what I decide to do is applicable only to my use case. Mostly I was hoping for others sharing their own experiences.

My primary desire is to protect business systems and data. My primary concern is my mobile laptop, which potentially is easily misplaced or stolen.

I store personal files on my home server, but I do not store personal files on my mobile laptop. I have to VPN into my home network to access personal files. Therefore personal protection is not a significant criterion in this topic.

I have not yet decided on a course of action. Again, I was hoping others would share how they deal with the topic.
 
Old 02-05-2017, 04:24 PM   #4
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,048

Rep: Reputation: Disabled
Maybe a silly question: do you use encrypted partitions?

That would help if your laptop is stolen, at least.

Let me know if you need pointers. I have written a small article for users of the Slint distribution. It's in French; I will translate it into English as soon as I find the time.

There is also LXC, but I have zero experience using that.
 
Old 02-05-2017, 05:09 PM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946
Quote:
Originally Posted by upnort
Fair questions. I was not expecting definitive replies as what I decide to do is applicable only to my use case. Mostly I was hoping for others sharing their own experiences.

My primary desire is to protect business systems and data. My primary concern is my mobile laptop, which potentially is easily misplaced or stolen.

I store personal files on my home server, but I do not store personal files on my mobile laptop. I have to VPN into my home network to access personal files. Therefore personal protection is not a significant criterion in this topic.

I have not yet decided on a course of action. Again, I was hoping others would share how they deal with the topic.
You said you don't really have a budget at the moment, and only mention one laptop. I'll go with others and ask about your drive being encrypted. If it is, do you have something like Prey installed on it?

Personally, I use Box. Great security, ease of access between multiple devices/platforms. You could attack separation several ways:
  • Nothing but a different user ID on the linux box...one for work, other for personal. Have it mount your home VPN drive via .bashrc when you log in, and mount your work file(s)/server(s) when you log in with THAT ID. Same with Gmail (if you use it). One account for personal/another business..sync bookmarks (Nagios/etc.) that way. Totally separate but on one machine
  • Have a tablet? Android works pretty well for Nagios/web browsing (can't speak for Apple), and a small bluetooth keyboard/mouse are both supported well. Separation can happen there. Tablet for business/laptop for work
  • Online storage, again one for business/one for home. Mount as you see fit.
I use the separate account method personally; when I'm working, I sign into Gmail/Google for Business with my work ID. Has my Docs, bookmarks, Google Drive, etc., all ready for me. Even if I AM home, I can pop open an incognito tab and sign in...and there's my stuff.
 
1 members found this post helpful.
Old 02-06-2017, 06:33 PM   #6
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
Quote:
Maybe a silly question: do you use encrypted partitions?
No, I do not. Never had a need -- until now. Encrypting my /home partition is on my list of options.

Quote:
do you have something like Prey installed on it?
Not installed but I am aware of the software. On my list of things to evaluate. I posed the question to the owner about whether tracking software should be normal policy for mobile devices.

Quote:
There is also LXC, but I have zero experience using that.
I have considered using a VM. A VM can be encrypted too.

Quote:
Nothing but a different user ID on the linux box...one for work, other for personal.
This is where I am leaning at the moment. I had considered a separate browser profile. I think Firefox supports a profile password, but that might be awakening sleeping dogs should anybody but me gain access to the profile manager. A separate login account is less obvious.

I do not use auto-login. I boot to the command line, which will puzzle non-technical users.

With the separate login account I likely would use screen locking, perhaps with a short timeout such as 1 minute. I haven't been in the habit of manually invoking screen locking for a few years, but always did so when contracting on previous work sites.

At the moment I tote my laptop only to work when away from home. Small town rural area. Yet I am thinking ahead when I visit family and friends in the big cities. A VPN provides me tunneled encryption, but there is always simple loss or theft to consider when traveling.

I do not use cloud services or any tablets.
 
Old 02-06-2017, 10:36 PM   #7
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
I'd either do full disk encryption or just /home and then use a separate login.
Other options (like separate browser) may become too confusing and you may accidentally start intermixing the two.
A separate login is clearly separate and will allow you to customize it as needed.

Also, instead of storing work files on your laptop, storing them on a computer with public ssh access can be a very convenient way to securely store files without using a cloud. A raspberry pi makes this a very accessible option (a setup I personally use currently)
 
1 members found this post helpful.
Old 02-07-2017, 01:20 PM   #8
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
I do not store work files on the laptop. To remotely access work files and servers when outside the work network we use SSH and passwords. I store my work related private SSH key on the laptop. The private key is pass phrase protected.

Work related passwords are not stored on any computer, including the web browser password manager. Passwords are always retyped.

The only thing work related that is discoverable on my computers are web browser bookmarks. Accessing any of those portals requires a password. The bookmarks do not reveal anything that an nmap or nslookup scan would not reveal, but I could delete the bookmarks too.

Now that I wrote that, perhaps I have decent separation already.

But I am human and I realize security often has much to do with ensuring we do not get lazy with our habits.

A separate login account probably remains prudent. Modify the desktop to provide visual reminders that are noticeable only to me, such as background color.

I am undecided about encrypting the entire /home partition. Would be more palatable to only secure the separate login account $HOME directory.

A fascinating topic. Lots to consider.
 
Old 02-07-2017, 01:53 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
I have several user identities – all non-privileged – which I use "for different hats."

I find it very convenient: preferences are set up just the way I want them for each thing that I am doing. Home directories of one can't be peeked-into by any of the others.

System application maintenance is done by a separate, rarely-used identity which does belong to the wheel group. No one else does.
 
Old 02-07-2017, 02:46 PM   #10
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
Quote:
I have several user identities - all non-privileged - which I use "for different hats."
As do I, although my perspective to this point has been within the confines of my home LAN. All account $HOME directories are inaccessible by one another. One user is a member of the wheel group. Sounds like overkill for a home network, but years ago when I started with Linux I thought that learning basic admin strategies was prudent. That approach paid off with landing the current job.

Even my sole Windows computer, which gets powered on about once per month, is configured with a standard user account to limit damage.

The same principles apply when broadening this approach with work. Just new territory and not surprisingly, a bit tentative about this new area because I do not own the servers or data. I never expected to use my own computers to access work related systems, but this is a small company. I thought best to ask what others are doing.
 
Old 02-07-2017, 06:40 PM   #11
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
Quote:
Originally Posted by upnort
Even my sole Windows computer, which gets powered on about once per month, is configured with a standard user account to limit damage.
I have never understood why Windows not only makes your account an Administrator by default, but in Home Edition it is quite difficult to do otherwise!

I like to remind clients that: "a computer is terrible at saying 'yes,' but it is extremely good at saying 'no.'"
 
Old 02-10-2017, 12:28 PM   #12
HermanAB
Member
 
Registered: Jun 2016
Location: Al Ain, UAE
Distribution: Slack, Fedora, Ubuntu, OpenBSD
Posts: 38

Rep: Reputation: Disabled
Make separate virtual machines for work and home use?
 
Old 02-10-2017, 07:10 PM   #13
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
Quote:
Make separate virtual machines for work and home use?
Yes, the idea was suggested.

A VM seems to have advantages versus a separate login account. For example, no need to toggle with keyboard shortcuts and wait for the display to stabilize after toggling. I could encrypt the VM without encrypting my host system. I could connect to work systems with the VM and my home VPN through the host and keep the two environments isolated from one another. I could minimize the VM to the host desktop with a single click and vice-versa.

I haven't yet decided. Currently I am observing how my usage at work differs from home and taking mental notes. For example, today during some field work I noticed a separate web browser profile, login account, or VM would have sufficed to provide isolation. This is one of those things I will let fester in my mind for a few weeks before deciding.
 
Old 04-08-2017, 07:44 PM   #14
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Rep: Reputation: 1161
Few people like unfinished threads. For anybody interested, I separated work flows by creating a VirtualBox VM. VirtualBox is designed to support encryption, which I am using, and requires a password to launch or restore from a saved state. In the VM desktop I added a screen locker applet to the panel for quickly disabling access.

Having to separately start the VM is a nominal inconvenience compared to just using my normal desktop, but the additional security and encryption is worth the extra mouse clicks.

Thanks everybody for the help.
 
Old 04-11-2017, 09:00 AM   #15
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
Quote:
Originally Posted by upnort
Few people like unfinished threads. For anybody interested, I separated work flows by creating a VirtualBox VM.
... and you can store the directories used by that VM in a separate, non-privileged user account on the host, setting permissions in such a way that the files cannot be accessed by other users. To start and use the VM, you must be logged-on as that user on the host.

All other settings related to "work" use can be similarly set up. For example, configuring VPN to your workplace so that you must be logged-on as that user in order to open the tunnel. All files and preferences related to "work" are neatly encapsulated – and protected – by that designated user account and its /home.

I always use a different desktop background and screen-saver for each user account so that I can literally "tell at a glance" where I am.

(A friend of mine who also works from his home had a sly sense of humor. When he'd log in to his work account, it played a sound-clip of beeping horns and traffic noises.)

Only one user account is capable of sudo su or its equivalent, and it is never used for any purpose other than system maintenance and software installation.

Last edited by sundialsvcs; 04-11-2017 at 09:02 AM.
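
A way to check the layout described in posts #9 and #15 (a work account whose files no other user can read, and a single account in the admin group), added here as an example and not posted by any participant in the thread. The account names, the directory tree and the sample group file are constructed; the demo works only inside a temporary directory.

```shell
#!/bin/sh
# Added example. Account names, paths and the sample group file are constructed.

# Print every entry under $1 that grants any permission to group or others.
# Symlinks are skipped (their own mode bits are not enforced).
# GNU find can write the six tests below as the single test: -perm /077
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Number of exposed entries under $1; 0 means owner-only access throughout.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Strip group/other access from a whole tree, such as the VM directory.
lock_down() {
    chmod -R go-rwx "$1"
}

# List the members of group $2 recorded in a group(5)-format file $1.
# Users who have the group only as their primary GID are not listed there.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeed only when exactly one account is a member of admin group $2.
single_admin() {
    [ "$(group_members "$1" "$2" | wc -l | tr -d ' ')" -eq 1 ]
}

# Constructed demo: a throwaway tree standing in for the work account's home.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/work/VirtualBox VMs/office"
    : > "$root/home/work/VirtualBox VMs/office/office.vdi"
    chmod -R 755 "$root/home/work"
    chmod 644 "$root/home/work/VirtualBox VMs/office/office.vdi"
    printf 'wheel:x:10:admin\nusers:x:100:work,personal\n' > "$root/group"
    echo "exposed before lock_down: $(count_exposed "$root/home/work")"
    lock_down "$root/home/work"
    echo "exposed after lock_down:  $(count_exposed "$root/home/work")"
    single_admin "$root/group" wheel && echo "wheel: exactly one member"
    rm -rf "$root"
}
demo
```

On a real host, point `list_exposed` at the work account's home directory and `single_admin` at `/etc/group`.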

All times are GMT -5.