Friday, May 4, 2012

The Security is IN the Configuration

Let's face it: security is not normally the FIRST thing we consider when purchasing computing equipment.  Vendors have one primary goal, getting a new product to market first, even if that means it ships with vulnerabilities or without security features built in.  This applies to A LOT of hardware and software products out there today, though not all of them.  I've been fortunate enough to work with some appliances (firewalls, DNS, load balancers, etc.) that come secure or are easy to configure securely.  Some companies have a visionary on staff who ensures the product is secure out of the box, or that the features exist to make it secure with a little effort.

That brings us to today's topic: securely configuring hardware and software as part of the build process.  Yes, it can be done.  The three areas I'll cover are the Basic Input/Output System (BIOS), virtual disk, and access control.

BIOS today comes with a few features you can configure for security, namely physical security (such as chassis-intrusion detection), password protection, logging, etc.  You might configure BIOS to enable the CPU's virtualization extensions, or change settings for hardware adapters.  Remember that BIOS firmware is often outsourced, meaning the manufacturer doesn't develop it in-house; Phoenix and AMI are well-known BIOS providers.  Some other company writes the code, provides the updates, and so on.  In fact, by the time you get your new laptop home, over 400 different hardware and software vendors have had their hands in it!  That opens the door to A LOT of unknowns.  Paranoid yet?  Read on.

The FIRST thing you should do with your new computer is set or change the default BIOS password to something strong (and one you won't forget).  Twelve characters or more is a reasonable minimum.  Legacy BIOS implementations have stored the password as a hash as short as 16 bits, which an attacker can brute-force in seconds, and on most hardware the password can be cleared anyway by resetting CMOS with a jumper or by pulling the battery.  So when you're talking to the salesperson about your new computer, ask who the BIOS vendor is and research how strong their password hashing is.  Security is about being diligent with every part of the system; demand stronger security from the BIOS vendor!

Because of that reset path, a BIOS password is only as good as the physical security around the machine.  Always provide strong physical security, especially for mobile devices.  Physical security also applies to rack-mounted servers.  I've seen computer cabinets with combination locks inside steel cages within a data center.  Entrance to the cage is also a combination lock that changes often.  The cage may also extend beneath the raised floor to the foundation of the data center and above to the ceiling.  Don't get me started about physical security.

Virtual disk is a hot topic.  When configuring a disk volume, logical unit number (LUN) or partition for a file system, consider this: avoid handing a whole physical disk or LUN to a single virtual machine.  Virtualization provides isolation by dedicating slices of memory, CPU and disk to a specific virtual machine, and a virtual disk file keeps a layer of hypervisor abstraction between the guest and the physical storage.  The problem occurs when one (or all) of those resources is dedicated in its entirety, because raw passthrough removes that layer.  An entire disk dedicated to one virtual machine can be compromised via many attack vectors: vulnerabilities in the host bus adapter drivers, the bus itself, the disk array, and the software managing the disk array.  Our concern is not in knowing exactly how the disk can be made vulnerable; knowing that it can be compromised should be motivation enough to provide better security during configuration.  A whole disk is also a single point of failure within the system.  Spreading the load among several resources is a good idea.

Access control is the first area of security you should always consider.  Access control won't necessarily protect your system from external threats; many vulnerabilities today are remote and bypass access control mechanisms entirely.  Access control is there to protect you against internal threats, and against an attacker who has already gained a foothold.  Yes, that new employee you spent a lot of money on, with the financial and criminal background check, could become your next internal threat.  Having sound administrative security practices in place is critical.

System administrators are the key people assigned to building new servers to host applications.  You want to keep them happy, as you do all employees.  Automation tools like VMware's Auto Deploy make deploying ESX hosts easy, and server templates plus server and storage profiles make it quick to provision a new host on the network within 15 minutes.  Managing who has root or admin access to these hosts is an important step.  Use sudo (superuser do) to grant admins the specific commands they need, or put them in an admin group, so they can still do their job without sharing the root password.  It's a good rule of thumb to lock down the root and admin users within an operating system.  Root shouldn't have a crontab file for running automated jobs.  I know it's convenient, but what if the script is replaced with something malicious?  Anything that does run on a schedule should live in a root-owned directory that nobody else can write to.  Instead, give privileges to the system administrators who need them and log every event.  Logging and auditing complement access control very nicely.

Rotate system admins often.  It's always a good idea to divide systems up into territories and then rotate admins around.  No two admins are the same in how they work.  Having another admin review configuration changes and scripts is a great idea for two reasons: one, improvements can be discovered, and two, a second pair of eyes may also produce more secure configurations.  I've heard it said before: there are things I know that you don't, and there are things you know that I don't.  We learn from each other.  Security should be, at its foundation, a collaborative endeavor.  It takes a lot of expertise to build, configure and maintain a solid security program.
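The access-control checks above (no blanket passwordless sudo, sudo commands logged, no root crontab, admins actually in the admin group) are the kind of thing to script into the build and re-run on every audit. Here is an added example of such an audit, my own illustration rather than anything from the original post or from VMware; the sudoers, crontab and group data are constructed samples embedded inline so it runs offline, and the function names are my own. On a real host you would feed it `/etc/sudoers` (plus `/etc/sudoers.d/*`), `crontab -l -u root` and `getent group wheel` instead.

```shell
#!/bin/sh
# Added example: audit admin-access configuration against the policy in the
# text. All data below is CONSTRUCTED sample input, not from any real host.

SAMPLE_SUDOERS='# constructed sample sudoers
Defaults    logfile="/var/log/sudo.log"
Defaults    log_input, log_output
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service'

SAMPLE_ROOT_CRONTAB='# constructed sample root crontab
0 2 * * * /usr/local/bin/nightly-backup.sh
*/5 * * * * /opt/scripts/cleanup.sh'

SAMPLE_ADMINS='alice bob carol'                 # who is supposed to be an admin
SAMPLE_WHEEL_LINE='wheel:x:10:alice,carol'      # getent group wheel output

# Strip comments and blank lines so every checker sees only live entries.
live_lines() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' || true
}

# Print sudoers entries granting unrestricted, passwordless privilege.
# A NOPASSWD scoped to one command (the deploy line) is tolerable;
# "NOPASSWD: ALL" hands out an unlogged root shell and is a finding.
sudoers_nopasswd_all() {
    live_lines "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || true
}

# Number of such entries; the goal is 0.
count_nopasswd_all() {
    sudoers_nopasswd_all "$1" | grep -c . || true
}

# Exit 0 when sudo is configured to log (a logfile, or I/O logging);
# logging is what makes delegated privilege auditable.
sudoers_logs_commands() {
    live_lines "$1" | grep -Eq '^Defaults.*(logfile=|log_input|log_output|syslog=)'
}

# Number of scheduled jobs in root's crontab. Policy says root owns no
# crontab, so anything above 0 is a finding to move to a service account.
root_crontab_job_count() {
    live_lines "$1" | grep -c . || true
}

# Print each expected admin who is NOT listed in the admin group line
# (format name:x:gid:member1,member2). Catches admins who were granted
# root some other way instead of through the group you actually audit.
admins_missing_from_group() {
    admins="$1"; group_line="$2"
    members=$(printf '%s\n' "$group_line" | cut -d: -f4)
    for a in $admins; do
        case ",$members," in
            *",$a,"*) ;;
            *) echo "$a" ;;
        esac
    done
}

audit() {
    echo "NOPASSWD: ALL entries: $(count_nopasswd_all "$SAMPLE_SUDOERS") (policy: 0)"
    sudoers_nopasswd_all "$SAMPLE_SUDOERS" | sed 's/^/  FINDING: /'
    if sudoers_logs_commands "$SAMPLE_SUDOERS"; then
        echo "sudo logging: configured"
    else
        echo "sudo logging: MISSING"
    fi
    echo "root crontab jobs: $(root_crontab_job_count "$SAMPLE_ROOT_CRONTAB") (policy: 0)"
    admins_missing_from_group "$SAMPLE_ADMINS" "$SAMPLE_WHEEL_LINE" \
        | sed 's/^/  FINDING: admin not in wheel: /'
}

audit
```

Against the constructed sample the audit flags the `backup` account's blanket `NOPASSWD: ALL`, two jobs in root's crontab, and `bob` holding admin status outside the wheel group, while the scoped `deploy` rule and the sudo logging defaults pass. Wire the same functions into the golden-image build so a host that drifts from the baseline fails before it is handed over.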

As you build a new server, virtual or physical, pay close attention to BIOS, disk and access controls.  Use profiles, templates or a golden image so your configurations are the same for every server.  Review logs aggressively and audit often.  Employ compliance standards and enforcement tools like the Security Content Automation Protocol (SCAP) and the Extensible Configuration Checklist Description Format (XCCDF) to ensure your secure configurations stick.
