[Security_sig] Draft: DCL Edge / Public Facing Server Profile
ereed at novell.com
Thu Apr 28 14:48:10 PDT 2005
Here's my first take on the description of what I mean by an Edge / Public Facing Server. There are aspects, in this description, of environmental assumptions, security objectives, risk analysis, etc. It's in English, though, or at least tries to be. It's almost a short use case.
Your comments and suggestions are welcome (at least until I see them ;-)
Edge / Public Facing Server
An edge, or public facing, server performs many of the network guardian functions that limit the methods of attack available against critical business systems. Such servers will typically be deployed in the data center and be associated with a firewall or Demilitarized Zone (DMZ) intended to isolate critical systems from public attack. Remote Access servers, modem pools and their associated terminal servers, and Virtual Private Network (VPN) servers all fall into this category, as do public facing DNS, SMTP, and HTTP proxy portals. It is not unusual for such systems to demand authentication of requests before allowing access to the protected network, either from devices or from the users of those devices, and to provide audit recordings, resource usage accounting records, and access control policy enforcement based on the identity (network address, user name, or other identifying information) associated with the connection.
Because such systems are specifically chartered with providing connection to public, untrusted (and presumably hostile) networks, they must be specifically hardened to avoid presenting "soft targets" for attack. They should take steps to detect attacks and repel or divert them; resist damage to system configurations, administrative settings, programs, scripts, operating system files, and consumable resources (CPU, disk, network, etc.); and contain whatever damage a broken application or service can do once it breaks. Reasonable denial of service defenses against CPU and memory consumption attacks include the use of cryptographic protocols that place a computational requirement on the client before the server commits to heavy cryptographic processing, since the server is at a disadvantage in possibly having to handle hundreds or thousands of such attacks at once.
Correct configuration and administration is vital to the security of these servers, and to the security of the systems they protect. Changes to configurations need to be tracked and audited, so that unauthorized (or unintended / accidental) changes can be noted, reported, reviewed and, when necessary, reversed. The ability to detect configuration changes and reset them to authorized values may be useful in some circumstances. The ability to notice changes and to trigger event notifications of the change to network management and work-flow management processes is vital.
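The detect-and-reset capability described above can be built from a hashed baseline of the authorized configuration tree: snapshot it, periodically re-hash the live tree, classify the drift as added, removed or modified files, emit an event per finding, and (where policy allows) restore from the authorized copy. The following is an added example written for this post, not code from the draft or from any product it refers to; the directory layout, file names and contents are constructed for the demo, and the "event" tuples stand in for whatever notification a real network or work-flow management system would consume.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between the authorized baseline and the live state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def restore(root: str, authorized_copy: str, drift: dict) -> list:
    """Reset drifted files from the authorized copy; return events to report."""
    events = []
    for rel in drift["modified"] + drift["removed"]:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst) or root, exist_ok=True)
        shutil.copyfile(os.path.join(authorized_copy, rel), dst)
        events.append(("restored", rel))
    for rel in drift["added"]:
        os.remove(os.path.join(root, rel))
        events.append(("removed_unauthorized", rel))
    return events


def demo():
    """Constructed scenario: an authorized config tree and a live copy that drifts."""
    work = tempfile.mkdtemp()
    authorized = os.path.join(work, "authorized")
    live = os.path.join(work, "live")
    os.makedirs(os.path.join(authorized, "conf.d"))
    with open(os.path.join(authorized, "proxy.conf"), "w") as f:
        f.write("listen 8080\nauth required\n")
    with open(os.path.join(authorized, "conf.d", "acl.conf"), "w") as f:
        f.write("allow 10.0.0.0/8\n")
    shutil.copytree(authorized, live)
    baseline = snapshot(authorized)

    # Simulated unauthorized drift on the live server (constructed for the demo):
    # auth weakened, an ACL file deleted, an unreviewed file dropped in.
    with open(os.path.join(live, "proxy.conf"), "w") as f:
        f.write("listen 8080\nauth none\n")
    os.remove(os.path.join(live, "conf.d", "acl.conf"))
    with open(os.path.join(live, "unreviewed.conf"), "w") as f:
        f.write("allow 0.0.0.0/0\n")

    drift = compare(baseline, snapshot(live))   # what the audit would report
    events = restore(live, authorized, drift)   # the optional reset step
    after = compare(baseline, snapshot(live))   # should be clean again
    shutil.rmtree(work)
    return drift, events, after


if __name__ == "__main__":
    drift, events, after = demo()
    print("drift detected:", drift)
    print("events:", events)
    print("drift after restore:", after)
```

In practice the baseline itself must live somewhere the edge server cannot rewrite (a signed file, or a management host), otherwise an attacker who can change the configuration can also change the record of what the configuration should be.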
To meet availability requirements, and to support load balancing across heavily used servers in this category, a range of hardware, network and software load balancing and automated fail-over solutions may be used. Typically, security-sensitive information (account names, security attributes, policies) is not hosted on these machines, but it may be cached here at run time when locality of reference makes such caching helpful. In those cases, cache consistency across the servers sharing the balanced load becomes vital, and a significant security concern.