Use of (Central) Load Balancers Code of Practice

Transcription

1 Use of (Central) Load Balancers Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document. This code of practice is also qualified by The University of Edinburgh computing regulations, found at: Code of Practice Version Revision Date CoP Template Author Notes Version Version 04/09/ Tony Weir Initial version 04/09/ Apollon Koutlidis Update detail and review QA Date QA Process Notes 14 Nov 2012 Accepted by the IT Security WP Suggested date for Revision of the CoP Author 01/09/14 Tony Weir Load Balancer CoP, Version 1.1, September

2 2. System description Revision Date System Version NS9.3: Build 52.3.nc Author Apollon Koutlidis Notes Current revision of load balancer software 2.1 System name (Central) Load Balancers. 2.2 Description of system The (Central) Load Balancers provide services with the ability to present multiple instances of an application deployment as a single service. This provides resiliency, scalability and acceleration. 2.3 Data The Load Balancers route the application data associated with any services which they load balance. Examples of current load balanced services are University VLE, MyED, EUCLID. They also store SSL certificates for the services for which they route data, as well as the corresponding private keys. Beyond limited caching, they do not store any end application data. 2.4 Components The (Central) Load Balancer service is currently provided by a redundant pair of Citrix NetScaler 10500's appliances. These are hardware devices which run supplier provided firmware with configuration tailored by appropriate I.S. technical administrators. 2.5 System owner This service is provided by the Unix Section in the IT Infrastructure division of Information Services. 2.6 User base The Load Balancers do not provide any end-user access they route the network traffic for appropriate applications. 2.7 Criticality High 2.8 Disaster recovery status There are administrative accounts on the Load Balancers which are used by Unix Section technical staff to control the load balancers. A view of the load balancer configuration is exported to a separate web service, which allows EASE protected read-only access to the configuration. This is used by I.S. technical staff who administer the end services which the load balancers routes traffic for. The (central) load balancers operate as a redundant pair, with separate physical devices installed on two distinct sites. These operate as a fail-over pair, with services automatically failing over to the partner as required. This process is well-documented and thoroughly tested. Load Balancer CoP, Version 1.1, September

3 Load Balancer CoP, Version 1.1, September

4 3. User responsibilities 3.1 Data There is no end-user access to the Load Balancers. A view of the load balancer configuration is exported through a separately built web service, which allows EASE read-only protected access to the configuration as well as limited control over specific aspects of the system. This is used by a small number of I.S. technical staff who administer the end services which the load balancers routes traffic for. 3.2 Usernames and passwords There are administrative accounts for a small number of technical staff. The limited administrative view of the configuration is EASE protected and made available to a small number of I.S. technical staff. There is no end-user access to the Load Balancers. 3.3 Physical security The load balancers are sited within I.S. managed data centres. The data centres are appropriately secured. 3.4 Remote/mobile working Administrator access to the load balancers is limited to a subset of the local University of Edinburgh networks. Any remote access to the load balancers must be through these local networks. The limited administrative view of the configuration is EASE protected and only available to a small number of I.S. technical staff. 3.5 Downloads and removal of data from premises 3.6 Authorisation and access control There is no end user access to the Load Balancers. The only data which the load balancers store is the systems configuration. Only a small number of technical staff in the ITI Unix Section have access to the load balancer logins. Access is only permitted to administrators. There is no end user access to the Load Balancers. 3.7 Competencies There is no end user access to the system. 4. System Owner Responsibilities 4.1 Competencies The ITI Unix Section has members of staff with many years of experience in administering Load Balancers and with specific training and experience of managing the current implementation. Load Balancer CoP, Version 1.1, September

5 4.2 Operations The Load Balancers are updated with appropriate firmware upgrades to ensure the security of the devices and of end services which they route network traffic for. Access to the configuration is restricted to administrator logins which are password protected to which only a small number of ITI Unix staff have access. 4.3 System documentation 4.4 Segregation of Duties Operational information is held within the devices themselves and procedural documentation is held within the ITI Unix Section wiki. Operational documentation is provided by the supplier and augmented by local procedural documentation stored on the ITI Unix Section wiki. Administrator users have access to the configuration of the Load Balancers. The limited administrative view of the configuration is EASE protected and made available to a small number of I.S. technical staff. 4.5 Security incidents Any security incidents related to the Load Balancers would be referred to the IS IRT team, who would log the issue and aid with investigation. 4.6 Fault/problem reporting 4.7 Systems development Any security incident related to the Load Balancers would be reported to the ITI Unix Section head who would appropriately report to ITI Director. There is no end user fault reporting of this service. Any faults would be raised by owners of end user services or by ITI Unix section staff. If necessary support calls are logged to end suppliers via maintenance contract. There is no local development of the Load Balancer software. Firmware upgrades are provided by the supplier and obtained as part of the systems maintenance contract. Load Balancer CoP, Version 1.1, September

6 5. System Management [Ongoing management of the system has implications for the ongoing security of the system. While some of these matters are dealt with under administrative users above, there are additional responsibilities in managing the system at a lower level.] 5.1 User account management A small number of local systems logins are provided for Load Balancer administration. These are only granted to members of the ITI Unix Section with the appropriate training. A web based EASE protected limited administrative view is available from a separate web service. 5.2 Access control Only ITI Unix section staff have access to the Load Balancer administrative logins. 5.3 Access monitoring Only a small number of I.S. users who provide the end user services have access to this web based limited administrative view. All logins and each separate administrative operation is automatically logged on a remote, independent system. 5.4 Change control Change management is organised through ITI Unix Section service management procedures. Any major change e.g. major firmware revision or change in platform would be discussed and scheduled with end service providers and communicated through I.S. alerting process. 5.5 Systems clock synchronisation Minor configuration changes are requested and recorded via I.S. service management tool (unidesk) and conforms to agreed templates. All servers synchronise their clocks to UTC using the NTP protocol. 5.6 Network management The load balancers implement their own IP access controls to limit access to the administrative function and for end service applications to augment existing firewalls to control end user access. 5.7 Business continuity The load balancers operate as a fully redundant fail-over pair this function has been rigorously tested during acceptance. 5.8 Security Control As above, the Load Balancers also provide network ACLs to control end user access to services which they route traffic for these ACLs augment the firewalls which also protect these services. 6. Third Party [Third parties may be involved as the source provider of the system, or other external organisations and may also be involved in activities related to data held by the system and owned by the System Owner. This section is to draw attention to aspects of managing the system related to involvement by third parties.] Load Balancer CoP, Version 1.1, September

7 6.1 Outsourcing A maintenance contract is supplied by Citrix, the manufacturer of the Load Balancers. This provides hardware maintenance of the devices, access to firmware upgrades and a support mechanism to investigate faults and discuss functionality. Citrix have no access to the University's Load Balancers. 6.2 Contracts and Maintenance agreement with Citrix. Agreements 6.3 Compliance with the university security policy N/A 6.4 Personal data N/A Load Balancer CoP, Version 1.1, September