A Decision Maker's Guide to Securing an IT Infrastructure


A Rackspace White Paper, Spring 2010

Summary

With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose of this guide is to cut through the jargon and help buyers understand the options available to them. For more help making your choice, please contact Rackspace, the home of Fanatical Support.

Introduction

This document is intended to explain the options available that can assist in securing a hosted infrastructure, and how best to protect that infrastructure from malicious attacks. It is also intended to give advice on setting a security policy and some best practices for securing an IT environment. If insufficient security expertise exists in-house, then finding a partner with the relevant skills and knowledge (whether a specialist security consultancy or a hosting organisation such as Rackspace) is essential.

Basic Security

Physical Security

When designing an IT infrastructure, physical access to servers should be one of the initial considerations: can this be limited and monitored if hosted in-house? If not, then outsourcing to a hosting provider such as Rackspace that denies third-party physical access to data centre resources should be explored. Hosting partners or data centre providers should have 24x7x365 on-site security guard presence, restricted access for third parties, multi-factor access controls (e.g. biometric scanners and proximity access cards), 24x7x365 CCTV monitoring, full fire suppression systems, and the other physical security best practices recommended by the ISO/IEC information security standard.

Information Security Policy

The first step towards securing your IT infrastructure is to decide what you are really trying to protect, and what you are trying to protect against. This should be clear from your organisation's security policy. If you do not already have a policy, this should prompt you to consider your priorities around:

- which of your information must remain confidential
- what integrity of information must be maintained
- what protection you need against unauthorised access
- which availability you need to ensure for your information and systems
- which regulatory or legal obligations you need to comply with, in your home jurisdiction and (potentially) abroad

Login IDs and Passwords

There are many different ways in which an IT infrastructure can be attacked, ranging from brute-force password cracking to sophisticated attempts to infiltrate servers through code vulnerabilities. Protection can begin with something as simple as removing or changing any default login IDs (such as administrator, admin, root, etc.) to something less obvious, and ensuring that complex passwords are in use. Ideally, any password used should have a minimum of 8 characters and contain a mixture of capital letters, lowercase letters, numbers and symbols to reduce the possibility of hacking. It is good practice for organisations to set internal, mandatory password policies similar to this for all users, both on servers and desktops. Centralised user management makes it easier to implement system and user policies such as passwords.
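As an added example (not part of the white paper), the following Python check applies the login-ID and password policy stated above: no default login IDs, at least 8 characters, and a mixture of capital letters, lowercase letters, numbers and symbols. It is the kind of check an organisation could embed in an account-provisioning script; the function name and violation messages are my own.

```python
import re
from typing import List

# Default login IDs the guide says should be removed or renamed.
DEFAULT_LOGIN_IDS = {"administrator", "admin", "root"}

# The four character classes the guide's policy expects a password to mix.
CHARACTER_CLASSES = {
    "capital letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

MIN_LENGTH = 8


def check_credentials(login_id: str, password: str) -> List[str]:
    """Return the policy violations for a login ID / password pair.

    An empty list means the pair satisfies the guide's stated policy.
    Each violation is a human-readable message suitable for an audit log.
    """
    violations = []
    if login_id.strip().lower() in DEFAULT_LOGIN_IDS:
        violations.append(f"default login ID '{login_id}' should be renamed or removed")
    if len(password) < MIN_LENGTH:
        violations.append(f"password shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"password contains no {name}")
    return violations


if __name__ == "__main__":
    # Constructed sample pairs: one that fails on the login ID, one that passes.
    for user, pw in (("admin", "Tr0ub4dor&3"), ("ops-deploy", "Tr0ub4dor&3")):
        print(user, "->", check_credentials(user, pw) or "policy satisfied")
```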

Hardware Firewalls

The first line of defence in any IT infrastructure should be a firewall. Firewalls act as a gatekeeper, examining each packet trying to enter and blocking those that do not meet the specified security criteria. Firewall configurations can be as granular as desired, blocking all traffic except that on certain ports (e.g. port 80 for web traffic, or 443 for secured web traffic). When configuring a firewall, best practice dictates blocking all non-required network traffic. To ensure that all changes are easily tracked, any changes to the initial firewall rule set should be recorded in an internal Change Management system. Additionally, the default username and password used to log in to the firewall should be changed, using the guidelines above, before placing it on the Internet, to reduce the opportunity for hackers. Access to this administrative login should be limited to prevent confusion and rule changes being made without approval.

In addition to their gatekeeper functionality, firewalls are often used to set up Virtual Private Networks (VPNs) to allow secure remote access to servers. VPNs create secure tunnels through the Internet to protect the confidentiality of data transmitted from one location to another.

To ensure swift recovery in the case of a hardware failure, ensure that the firewall configuration is reviewed and backed up regularly. Any rules that are no longer required should be recorded in the Change Management system and removed. Firewall logs should also be examined often for intrusion attempts, and backed up, to ensure the security of the infrastructure.

Software Firewalls

While hardware firewalls are more flexible and have more functionality, software firewalls (such as iptables or the Windows Firewall) are also available. However, these should only be considered if there is no budget for a hardware firewall, and then should only be used for smaller configurations (e.g. single servers).

Patching

Keeping operating systems and applications up to date with the latest patches and service packs is a simple but effective way to deter hackers. Many vendors release new patches and service packs every month for recently discovered security flaws; these should be installed as soon as they are available to retain the integrity of the servers. It is important to note that some custom applications may develop performance issues as a result of OS patching. To avoid this, it is recommended to first apply released updates and patches to a test or development environment that is similar to the live production environment. This way you can identify the effect of the patches on your applications. In addition to patching server operating systems and applications, hardware firmware should also be kept up to date, particularly on firewalls, to ensure that no vulnerabilities in the OS are left unpatched.

Anti-Virus

Anti-virus is essential on all servers and desktops. However, it is only truly effective when it is managed properly. Once installed, it needs to be updated regularly, and scans should be run daily. Ideally, the log files generated by the chosen anti-virus software should be regularly reviewed to ensure nothing is missed.

Advanced Security

Hardware

Web Application Firewalls

Web Application Firewalls (also known as WAFs) are often called Deep Packet Inspection Firewalls, because they examine every request made to the web application layer (OSI layer 7, or the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers) and either permit or deny access depending on the rule set configured on the device. A WAF can help to protect internet applications and data against attacks such as SQL injection, cross-site scripting, and brute-force attacks. A Web Application Firewall should be used in conjunction with a standard network firewall for comprehensive security for web-based applications, as WAFs are designed to prevent attacks that network firewalls and Intrusion Detection Systems (IDS) cannot.

Intrusion Detection Systems (IDS)

An IDS inspects all inbound and outbound network activity, and identifies suspicious patterns that may indicate an attack or an attempt to compromise a system. Hardware, software, and fully managed IDS options are all available, and while all can be a considerable investment, they are invaluable in protecting IT infrastructure from hackers, worms and even internal threats such as compromised laptops. From an IT management perspective, the fully managed IDS option may be the best solution: these are usually provided, managed and maintained by external organisations, which monitor any alerts that arise on the IDS and take action according to their customers' requirements. Monitoring an IDS in-house can be an arduous task if the relevant expertise (which can be expensive) is not in place, since logs can often be complicated and difficult to understand. An IDS is not suitable for every environment: smaller organisations with few servers may not need one. However, compliance or industry regulations (including PCI DSS) often require an IDS within an IT infrastructure.

DDoS Mitigation

Distributed Denial of Service (DDoS) attacks occur when attackers flood servers (usually web servers) with traffic from multiple sources in an attempt to prevent legitimate access to the server or website. These are often catastrophic, bringing servers and websites to a complete stop due to the high level of traffic flooding them. Preventing DDoS attacks can be very difficult, due to the complexity of the attacks, and because many of them are delivered over the same port as legitimate web traffic. However, some hosting organisations are able to provide a mitigation service against DDoS attacks. Rackspace's PrevenTier service is one such solution, which can be brought online within a few hours to restore systems that are under DDoS attack.

Software

Code Vulnerabilities

Even with all of the above in place, if application code is badly written or contains errors then vulnerabilities can be opened up, potentially compromising security and leaving servers open to hackers. Code authors should carry out manual code checks or utilise one of the many tools that scan code for security vulnerabilities automatically. A simple web search will offer up many such tools for purchase and download.

Application Vulnerabilities

When configuring applications (including databases and web services, such as Microsoft's IIS) on servers, follow the best practices for securing these to ensure that no vulnerabilities are in place. Best practices for securing applications can be found on many websites, and security firms can also be engaged to audit and recommend resolutions to vulnerabilities.

How else can I improve security?

Penetration Testing

Many specialist firms exist that can perform penetration testing on IT infrastructures. Sometimes called ethical hackers, these organisations try to break through security measures and provide a report with recommendations on how to improve security and prevent malicious intrusion. Some industry regulators (such as PCI DSS) require that penetration testing is carried out on a regular basis.

Vulnerability Scanning

There are several reputable organisations that can carry out on-line vulnerability scans of servers and network infrastructures. Running these scans will identify devices within an IT infrastructure that are open to known vulnerabilities; the resulting report can then be used to fix the vulnerabilities before they are exploited. However, these scans can be intrusive and consume large amounts of processor or memory resources, thereby reducing the capacity of the server. This usually means that these tests are best run outside of normal operating hours, or before a new server is brought into active service.

Server Hardening

Patching is the most basic form of server hardening, but this can be extended in many ways. Methods for server hardening include:

- Ensuring each server fulfils one role only, e.g. a web server only runs web services (such as Microsoft IIS or Apache).
- Removing all non-essential applications. Most servers have multiple applications installed as standard; any that are not required for the day-to-day running of the server should be removed to reduce the possibility of compromise.
- Disabling any non-essential services on Windows servers. In addition to the multiple applications installed as standard, many different services run on Windows servers by default. These should all be checked and, if not required, disabled.
- Locking down vulnerable ports, such as FTP (File Transfer Protocol) and SMTP (Simple Mail Transfer Protocol), to only permit use by authenticated users. This will minimise the chance of them being hacked and misused.
- Disabling ICMP (Internet Control Message Protocol) on all servers. Many hackers constantly scan the Internet sending ICMP echo requests (also known as pings) to random IP addresses in the hope that an unsecured server will respond. Disabling this prevents servers from responding to such requests and effectively hides them.

Network Design

When designing an IT infrastructure that includes web and database servers, it is good practice to segregate the web and database servers. There are several different ways in which this can be implemented, including using different TCP/IP subnets for the web and database servers, setting up a Demilitarised Zone (DMZ) for the database servers to reside in, or ensuring the database servers have no public TCP/IP addresses. This helps to protect the data held on the database servers, which is often sensitive.
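As an added example (not from the white paper), the following Python generates an iptables-restore ruleset that applies the firewall, server-hardening and network-design guidance above to a web server or a database server: default deny, only required ports open, ICMP echo requests ignored, the database port reachable only from the web subnet, and everything else logged before it is dropped so the logs can be reviewed for intrusion attempts. The subnet addresses, the SSH port for administration and the database port are assumed values, and the block deliberately narrows the guide's "disable ICMP" to echo requests only so that path MTU discovery keeps working.

```python
from ipaddress import ip_network

# Constructed addressing (assumed values): web tier on its own subnet, the
# database tier on a private subnet with no public addresses, admins on a third.
WEB_SUBNET = ip_network("10.0.1.0/24")
ADMIN_SUBNET = ip_network("10.0.9.0/24")
PUBLIC_PORTS = (80, 443)   # the only services admitted from the Internet
DB_PORT = 3306             # assumed database listener port

def build_ruleset(role):
    """Return an iptables-restore ruleset for a 'web' or 'db' server.
    Default DROP, only required ports open, pings ignored, and everything
    else logged before it is dropped so the firewall logs can be reviewed.
    """
    if role not in ("web", "db"):
        raise ValueError("role must be 'web' or 'db'")
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",      # block all traffic not explicitly allowed
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Ignore pings so Internet-wide echo-request scans get no answer; other
        # ICMP types stay allowed so path MTU discovery keeps working.
        "-A INPUT -p icmp --icmp-type echo-request -j DROP",
        "-A INPUT -p icmp -j ACCEPT",
        f"-A INPUT -p tcp --dport 22 -s {ADMIN_SUBNET} -j ACCEPT",
    ]
    if role == "web":
        rules += [f"-A INPUT -p tcp --dport {p} -j ACCEPT" for p in PUBLIC_PORTS]
    else:
        # Database tier is reachable only from the web subnet, never the Internet.
        rules.append(f"-A INPUT -p tcp --dport {DB_PORT} -s {WEB_SUBNET} -j ACCEPT")
    rules += [
        # Rate-limited log entry, then drop: intrusion attempts show up in review.
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "',
        "-A INPUT -j DROP",
        "COMMIT",
    ]
    return "\n".join(rules) + "\n"

def allowed_tcp_ports(ruleset):
    """Ports a generated ruleset accepts on TCP, for rule-set review."""
    ports = set()
    for line in ruleset.splitlines():
        if "-p tcp" in line and line.endswith("-j ACCEPT"):
            ports.add(int(line.split("--dport ")[1].split()[0]))
    return ports
```

The output of build_ruleset() is in the format consumed by iptables-restore, so the reviewed text can be kept in the Change Management system and loaded on the server from there.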

Compliance and Security Accreditations

Many industry standards include some of the security requirements addressed in this document. When planning an infrastructure that requires accreditation or compliance, it is important to partner with an organisation with the experience and know-how to design and implement solutions that comply with the relevant standards and regulations. Currently, the most common IT security standards are:

PCI-DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organisations which process, store, or transmit cardholder information.

SAS-70 (Statement on Auditing Standards)

SAS 70 is an international auditing standard developed by the American Institute of Certified Public Accountants. SAS-70 is designed to audit the internal controls and processes of service organisations annually. There are two types of SAS-70 audit: Type I only examines the controls that are defined by the service organisation; Type II additionally tests and audits the operation and effectiveness of the specified controls during the review period.

ISO/IEC

ISO/IEC is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls. Using Rackspace as an example, this helps Rackspace to protect customer and Rackspace information assets.

ISO/IEC

ISO/IEC (formerly known as ISO/IEC 17799:2005, based on BS 17799) is the standard for information security controls published by the International Organisation for Standardisation (ISO). The standard includes advice on the aims and implementation of the controls, but does not mandate specific controls, because each organisation will have unique requirements based on a specific risk assessment. The Rackspace information security programme is based on ISO/IEC policies and procedures.

Sarbanes-Oxley (aka SOX)

Organisations that are required to be compliant with Sarbanes-Oxley may also need to perform control assessments on their outsourcing partners (e.g. hosting providers), as well as test that their controls are effective. Alternatively, organisations with Sarbanes-Oxley compliance requirements can rely on service providers that have been audited to SAS 70. The Sarbanes-Oxley Act accepts SAS 70 in relation to section 404, because a SAS 70 audit provides an external, independent evaluation of service provider controls, their execution and effectiveness.

Conclusion

There are many aspects to securing an IT infrastructure, and not all of them are relevant to every hosting scenario. When evaluating how to secure your IT infrastructure, the first priority is to ensure compliance with your own security policy and with any legal or regulatory requirements. If confusion still exists, security consultancy firms can give advice and help implement security for on-premise solutions. Alternatively, many hosting organisations (including Rackspace) can offer advice on securing hosted infrastructure, and are often able to provide many or all of the services discussed in this document on a fully managed basis.