Use of (Central) Load Balancers Code of Practice

Transcription

1 Use of (Central) Load Balancers Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document. This code of practice is also qualified by The University of Edinburgh computing regulations, found at: 1. Code of Practice Version [The CoP for any system is expected to develop over time. For this reason, it may be important to track versions of any CoP. This section in the template suggests a framework in which you could record reasons for change to the CoP for the system referred to.] Revision Date CoP Template Author Notes Version Version 04/09/ Tony Weir Initial version 04/09/ Apollon Koutlidis Update detail and review 29/09/ Graeme Wood Minor edit 6/11/ Graeme Wood Minor edit QA Date QA Process Notes 14 Nov 12 Accepted by IT Security WP 15 Dec 14 ITC Sec Working Gp V1.3 Suggested date for Revision of the CoP Author 01/09/14 Tony Weir 01/09/15 Graeme Wood 2. System description Revision Date System Author Notes Version 4/9/12 NS9.3: Apollon Koutlidis Curent revision of Check Point software. CoP Template, Version Jun

2 Build 52.3.nc 29/9/14 NS10.1: Build nc Graeme Wood Current revision of Check Point software. 2.1 System name (Central) Load Balancer. 2.2 Description of system The (Central) Load Balancers provide services with the ability to present multiple instances of an application deployment as a single service. This provides resiliency, scalability and acceleration. 2.3 Data The load balancers route the application data associated with any services which they load balance. Examples of current load balanced services are the University VLE, MyEd, EUCLID. The also store SSL certificates for the services for which they route data, as well as corresponding private keys. Beyond limited caching, they do not store any end application data. 2.4 Components The (Central) Load Balancer service is provided by a redundant pair of Citrix NetScalar appliances. These are hardware devices which run supplier provided firmware with configuration tailored by appropriate IS technical administrators. 2.5 System owner This service is provided by the Unix Section in the IT Infrastructure division of Information Services. 2.6 User base The Load Balancers do not provide any end-user access they route the network traffic for appropriate applications. 2.7 Criticality High. 2.8 Disaster recovery status There are administrative accounts on the Load Balancers which are used by the Unix Section technical staff to control them. A view of the Load Balancer configuration is exported to a separate web service, which allows EASE protected access to the configuration and limited control of services. This is used by IS technical staff who administer end services that the load balancers route traffic for. The (Central) Load Balancers operate as a resilient pair, with separate physical devices installed at two distinct sites. These operate as a fail-over pair, with services automatically failing over to the partner as required. This process is well-documented and thoroughly tested. CoP Template, Version Jun

3 3. User responsibilities 3.1 Data There is no end-user access to the Load Balancers. 3.2 Usernames and passwords A view of the Load Balancer information is exported through a separate web service, which allows EASE protected read-only access to the configuration as well as limited control over specific aspects of the system. This is used by a small number of IS technical staff who administer the end services which the Load Balancers route traffic for. There are administrative accounts for a small number of technical staff. The limited administrative view of the configuration is EASE protected and made available to a small number of IS technical staff in the Applications Division. There is no end-user access to the Load Balancers. 3.3 Physical security The Load Balancers are sited within IS managed data centres. The data centres are appropriately secured. 3.4 Remote/mobile working 3.5 Downloads and removal of data from premises 3.6 Authorisation and access control Administrator access to the Load Balancers is limited to a subset of the local University networks. Any remote access to the Load Balancers must be through these local networks. The limited administrative view of the configuration is EASE protected and access is limited to EdLAN to a small number of IS technical staff. The only data that the Load Balancers store is the systems configuration. Only a small number of technical staff in the ITI Unix Section have access to the Load Balancer accounts. Access is only permitted to administrators. 3.7 Competencies There is no end user access to the Load Balancers. ITI Unix Section staff who have access have been appropriately trained in their use. CoP Template, Version Jun

4 4. System Owner Responsibilities 4.1 Competencies The ITI Unix Section has members of staff with many years of experience in administering the Load Balancers and with experience of managing the current implementation. 4.2 Operations The Load Balancers are updated with appropriate software upgrades to ensure the security of the devices and of end user services which they route network traffic for. Access to the configuration is restricted to administrator logins which are password protected and to which only a small number of ITI Unix Section staff have access to. 4.3 System documentation 4.4 Segregation of Duties Operational information is held within the devices themselves and documentation is provided by the supplier and augmented by local procedural documentation stored on the ITI Unix Section wiki. Administrator users have access to the configuration of the Load Balancers. The limited administrative view of the configuration is EASE protected and made available to a small number of IS technical staff. 4.5 Security incidents Any security incidents related to the Load Balancers would be referred to the IS IRT, who would log the issue and aid with investigation. Any security incident related to the Load Balancers would be reported to the ITI Unix Section head who would appropriately report to the ITI Director. 4.6 Fault/problem reporting 4.7 Systems development Any faults would be raised by the service owners of end user services or by ITI Unix Section staff. If necessary support calls are logged with end suppliers via maintenance contract. There is no local development of the Load Balancer software. Firmware upgrades are provided by the supplier and obtained as part of the systems maintenance contract. The limited administrative view is maintained by the ITI Unix Section on a separate web service. CoP Template, Version Jun

5 5. System Management 5.1 User account management A small number of local system logins are provided for Load Balancer administration. These are only granted to members of the ITI Unix Section with appropriate skill set. A web-based EASE protected limited administrative view is available from a separate web service. 5.2 Access control Only ITI Unix Section staff have access to the Load Balancer administration logins. Only a small number of IS technical staff have access to the limited administrative view of the configuration. 5.3 Access monitoring All logins and each separate administrative operation is logged in the Load Balancers' audit system. 5.4 Change control Change management is organised through the ITI Unix Section service management procedures. Any major change e.g. major firmware revision or change in platform - would be discussed and scheduled with end service providers and communicated through IS alerting processes. 5.5 Systems clock synchronisation Minor configuration changes are requested and recorded via IS Service Management tools (UniDesk) and conform to agreed templates. All servers synchronise their clocks to UTC using the NTP protocol. 5.6 Network management The Load Balancers implement their own IP access controls to limit access to the administrative function and for end service applications to augment existing firewalls to control end user access. 5.7 Business continuity The Load Balancers operate as a fully resilient fail-over pair this function has been rigorously tested. 5.8 Security Control The Load Balancers also provide network ACLs to control end user access to services which they route traffic for these ACLs augment the firewalls which also protect these services. CoP Template, Version Jun

6 6. Third Party 6.1 Outsourcing A maintenance contract is supplied by Citrix. This provides hardware maintenance of the devices, access to firmware upgrades and a support mechanism to investigate faults and discuss functionality. Citrix have no access to the University's Load Balancers. 6.2 Contracts and Maintenance agreement with Citrix. Agreements 6.3 Compliance with the university security policy The agreements and service comply with the university's security policy. 6.4 Personal data There is no personal data on the service and none is exported. CoP Template, Version Jun