HP NonStop Networking


The Expand Network

The Expand subsystem connects as many as 255 geographically dispersed HP NonStop servers into a network that has the reliability, the capacity to preserve data integrity, and the potential for expansion of a single HP server.

Understanding the Expand Network

Expanding (networking) two or more HP NonStop servers, configured through one of several network protocols, makes each remote system as accessible as the local system. When Expand software is configured and users and files have appropriate network accessibility, resources on remote systems can be referenced and used as easily as local resources (see Figure 2.2).

Figure 2.2: Expand System Environment

Nodes

Each HP NonStop server system in the network is referred to as a "node." It has a unique serial number assigned by HP for sales and service purposes. Each node is also assigned a unique name and number by the customer for internal use. Names begin with a "\", such as \CUST1. The node is also assigned a number in the network between 0 and 254. Users reference the node by its name.

Nodes can be added without disturbing other nodes. When done online, the new node queries its neighbors to determine other accessible nodes on the network. Likewise, when a node is disabled, the other nodes recognize this fact.

AP-ADVICE-NETWORK-01 Use SCF maps to list all nodes on the network. Compare the list to the network diagram provided by operations.

Unattended Sites

Due to the reliability of HP NonStop servers, they can be installed at unattended sites. Such sites present extra risks. The Corporate Security Policy and Standards should dictate the physical security for the unattended sites and how the resources and data on the unattended systems will be secured to prevent unauthorized access.

Security issues that must be addressed are:

AP-ADVICE-NETWORK-02 Network access makes the data more vulnerable to disclosure or corruption.

AP-ADVICE-NETWORK-03 Secure 'dangerous' utilities at the unattended site for local access only.

AP-ADVICE-NETWORK-04 Secure SUPER.SUPER at the unattended site to both local and remote access.

Controlling the Addition of Nodes to the Network

There are several security issues concerned with network configuration. Nodes can be added to the network without disruption of the network.

The Corporate Security Policy and Standards should mandate the creation of an up-to-date diagram of the HP NonStop server Expand network.

AP-ADVICE-NETWORK-05 Procedures to review the network periodically, and monitoring to verify that only proper connections exist.

Max System Number

The MAX SYSTEM NUMBER defines the maximum number of nodes that the local node will 'recognize' on the network. This value is set during a COLD LOAD or SYSGEN. The default (and maximum value) is 254.

If the MAX SYSTEM NUMBER on each node matches the exact number of authorized systems on the network, additional nodes cannot easily be added.

RISK The downside of such a requirement is that when a legitimate node must be added to the network, each existing system will require a SYSGEN to recognize the new node.

If the MAX SYSTEM NUMBER on each node is greater than the number of authorized systems on the network, additional nodes can be added.

RISK Adding an IP address to the network is easy; however, it would require collusion with an inside employee to configure the network to recognize the unauthorized node. The risk of an unauthorized node being added to a network can be mitigated by:

AP-ADVICE-NETWORK-06 Reviewing the Network Map regularly to verify that only authorized nodes are configured according to the Network Map.

AP-ADVICE-NETWORK-07 Restricting physical access to the Expand network cabling.

AP-ADVICE-NETWORK-08 Restrict access to the SCF commands that configure the Expand network.
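
The review called for in AP-ADVICE-NETWORK-01 and AP-ADVICE-NETWORK-06 can be scripted once the node list is off the system. The following is an added example, not part of the original text: it assumes the SCF node list and the authorized Network Map have each been transcribed by hand into "name,number" lines (not SCF's own output format), and that the map counts every node, including the local one. All node names and numbers are constructed.

```python
# Constructed sample data. Assumption: the node list reported by SCF has been
# transcribed to "name,number" lines; this is not SCF's own output format.
AUTHORIZED_MAP = r"""
\CUST1,1
\PROD,2
\DEV,3
"""
OBSERVED_NODES = r"""
\CUST1,1
\PROD,2
\DEV,5
\TEST9,9
"""

def parse_nodes(text):
    """Parse "name,number" lines into {name: number}, rejecting bad entries."""
    nodes = {}
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        name, _, num = (part.strip() for part in raw.partition(","))
        # Rules from the text: names begin with "\", numbers run from 0 to 254.
        if not name.startswith("\\") or not num.isdecimal() or int(num) > 254:
            raise ValueError(f"line {lineno}: bad node entry {raw!r}")
        nodes[name.upper()] = int(num)
    return nodes

def reconcile(authorized, observed, max_system_number=254):
    """Compare the observed node list with the Network Map; return findings."""
    findings = []
    for name in observed.keys() - authorized.keys():
        findings.append(("UNAUTHORIZED_NODE", name))
    for name in authorized.keys() - observed.keys():
        findings.append(("NODE_NOT_SEEN", name))
    for name in authorized.keys() & observed.keys():
        if authorized[name] != observed[name]:
            findings.append(("NUMBER_MISMATCH", name))
    # Slots beyond the authorized count leave room for a node to be added
    # without a SYSGEN on the existing systems.
    spare = max_system_number - len(authorized)
    if spare > 0:
        findings.append(("SPARE_NODE_SLOTS", str(spare)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in reconcile(parse_nodes(AUTHORIZED_MAP),
                                  parse_nodes(OBSERVED_NODES)):
        print(kind, detail)
```

A SPARE_NODE_SLOTS finding is not a fault in itself; it records the trade-off described above between MAX SYSTEM NUMBER headroom and the SYSGEN cost of adding a legitimate node.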

Controlling Access Within the Expand Network

Four factors can be used to control whether or not a user can access files or resources on a remote node:

Expand: Can be configured to prevent PASSTHRU access from one node to others.

CMON*: Can be used to control user logons by IP address.

For information on using CMON to control remote access to a node, see the Part Four section on CMON.

File Security*: Remote access to individual files can be restricted by Guardian Security vectors or Safeguard DISKFILE, SUBVOLUME or VOLUME Protection Records on each node.

For information on securing files against remote access, see Securing Diskfiles in Part Five.

REMOTEPASSWORD*: REMOTEPASSWORDS in individual User Records on each node determine whether or not the users have remote access.

For information on REMOTEPASSWORDS, see Defining User Access in Part Five. (* These topics are discussed later in other sections).

Figure 2.3: Expand and Network Security

PASSTHRU_<ON OFF>

PASSTHRU is an Expand Profile parameter used to control 'pass through' access from one node to one or more other nodes. When a user on a node that is configured PASSTHRU_OFF attempts to access resources on another node, the attempt will be denied. But users on other nodes that are configured PASSTHRU_ON will be able to access the restricted node resources. In this manner, PASSTHRU_ON is a one-way street.

PASSTHRU_ON allows access to networked nodes when they are accessed via the current node. PASSTHRU_ON is the default setting.

PASSTHRU_OFF prevents access to adjacent nodes when that access is attempted via the current node.

For example, if a company allows its customers to logon to one node in their network, call it \CUST, but does not want these same users to be able to access files or resources on any other node on their network, \CUST can be configured PASSTHRU_OFF, which prevents these users from specifying resources on other nodes at the TACL prompt. If the users have userids on the other nodes, they can logon to those nodes directly, but not via \CUST.

AP-ADVICE-NETWORK-09 Restrict access to the SCF commands that configure the Expand network.

Discovery Questions

ID                  Question                               Look here:
NETWORK-NODES-01    How many systems in the network?       SCF
NETWORK-NODES-02    What are the network node names?       SCF
NETWORK-NODES-03    What are the network node numbers?     SCF
NETWORK-NODES-04    What is the MAX SYSTEM NUMBER?         SCF
NETWORK-NODES-05    Is the max number of nodes used?       SCF
NETWORK-NODES-06    Is PASSTHRU_ON?                        SCF

TCP/IP

The TCP/IP protocols are a family of data communications protocols that allow communication between heterogeneous systems in a multi-network environment. This allows for communication between HP NonStop servers and other systems.

The HP NonStop TCP/IP subsystem actually consists of a variety of products in the TCP/IP protocol family and provides services at the Network through Application Layers of the OSI Reference Model. The TCP/IP subsystem is the base subsystem for all the other components of the TCP/IP software. It provides a file-system interface to the TCP, User Datagram Protocol (UDP), and IP protocols. The TCP/IP subsystem runs as a single or dual process on the NonStop server.

The ONLY real requirement for Network security (from an end user point of view) is that the data sent across the network be ENCRYPTED. As with any functional application, there are also administrative security issues: authenticating who is logging on to control the network and make changes to configurations, routing, encryption key management, etc. Everything else must be handled by the platform and application in question. If each node took good care of its own security, then the risk from all the intrusions would be mitigated. About the only things that are legitimate "network security issues" for HP NonStop server networks are:

  1. Network administration and configuration security

  2. Communication path encryption and key management (a shared concern between the network and production nodes)

  3. Denial of service detection and prevention

All the firewall issues should be handled by securing production nodes appropriately REGARDLESS of whether or not the node is part of a network.

Addressing Remote Hosts

To address a remote host, specify either a host internet address or a host name.

Host Internet Address

A host can have one or more internet addresses on each network to which it is attached. This address is known as an IP address. For example, the class A address 38.3.9.24 identifies the network address as 38 and the local host address as 3.9.24.

Host Name

A host name is the official name by which the host system is known to the internet. On an HP NonStop server, the host name can be associated with the system's internet address in the TCP/IP HOSTS configuration file, or the name can be mapped to an address through a name server.

Configuring TCP/IP

SCF is an interactive interface that allows operators and system managers to configure, control, and monitor the HP NonStop TCP/IP subsystem. SCF is part of DSM. The Subsystem Control Point (SCP) provides an interface to the I/O processes of the various subsystems.

The TCP/IP subsystem can be managed programmatically or interactively by sending commands that act on one or more DSM-related objects. The TCP/IP subsystem defines three types of objects:

Processes

Subnets

Routes

Discovery Questions

ID                  Question                                             Look here:
TCPIP-NETWORK-01    Is TELSERV configured on the node?                   SCF
TCPIP-NETWORK-02    Is Telnet run on the system to support terminals?    SCF
PROCESS-TCPIP-01    Is the TCP/IP object file running on the system?     Status

Telnet

The Telnet protocol is a general, bidirectional, eight-bit byte-oriented protocol in the TCP/IP protocol suite that provides a standard method of interfacing terminal devices and terminal-oriented processes to each other. A Telnet connection is a TCP connection that contains Telnet control information.

On HP NonStop servers, the Telnet application allows users to emulate a virtual terminal connected to a remote host. Users can connect to any remote host on the network that has a Telnet server.

The Telnet subsystem is a server and uses the sockets library routines of the TCP/IP subsystem for TCP access to accommodate the incoming Telnet applications.

AP-ADVICE-NETWORK-12 Determine if TELSERV is configured for communications on this node.

AP-ADVICE-NETWORK-13 Determine if any virtual terminals or applications use the Telnet communication method.

Discovery Questions

ID                    Question                                             Look here:
TELNET-NETWORK-01     Is TELSERV configured on the node?                   SCF
TELNET-NETWORK-02     Is Telnet run on the system to support terminals?    SCF
PROCESS-TELSERV-01    Is the TELSERV object file running on the system?    Status

Dial Access

Dial access uses modems and a phone line to provide access to interactive computers. Banks of dial access modems provide access for many different types of users using many different types of applications.

People with dial access needs are typically:

HP service personnel doing remote support

Vendors providing off-site customer service

System managers and other key employees working from home

Interactive Access To The Operating System

The goal in providing dial access is to give the user access to TACL or another command interpreter in a secure manner.

RISK An unauthorized user can repeatedly attack the dial access userid and password without physically being present.

RISK A modem disconnect can leave a dial access session incomplete, ready to be acquired by the next user using the modem.

RISK Clear-text transmissions are extremely easy to monitor and interpret.

The mitigation of risk includes adding physical control over the dial access port, increasing authentication methods, providing transmission security and aggressive auditing of dial access activity.

Hardware and Software Involved

Use of a dial access port requires:

A modem called the Host Modem connected to the host computer

A modem called the Remote Modem connected to the computer being used by the person who wants dial access

Software in the destination computer that emulates a terminal on the host computer

Physical Control

Physical controls can be used to ensure that the dial access port is only available when there is a need for its use.

Dial Port Enabling

Physical enabling requires human intervention to enable the modem. To use the dial access port requires calling the computer room and asking an operator to plug in the modem and start the command interpreter process. Another call is needed afterwards to request that the operator disable the dial access port.

This level of security can be quite high, since human authorization and action is required to enable the system. It is also inefficient, since a human is required, and may be open to error when the disabling operation is not performed in a timely manner.

Dial Back Modem

Dial back modems are used to secure dial access ports. The user dials a dedicated processing facility and enters a userid and password. That userid is used by the dedicated facility to look up which number to call back. When the return call is made, the command interpreter would be created on the NonStop server.

RISK This security method is unreliable because of the advent of call forwarding services from the user's local telephone company. It is possible for a malicious user to set the call forwarding feature on the authorized user's home phone number in order to force the call back to be transferred to the malicious user's location.

This method was used successfully by hackers in the 1980s. The use of dial back modems declined at that time.

Additional Authentication

Once a person has access to the dial access ports, the user must be authenticated. For many purposes, the userid and password can serve as sufficient authentication, but specific Corporate Security Policies and Standards may require a more thorough authentication process.

Using A Cryptographic Token

A cryptographic token adds additional authentication using the concept of token ownership. If the token is unavailable through theft or fraud, the logon cannot occur. The cryptographic token authentication may take place at the point at which the modem connects or as part of the logon process.

Logical Port/User Restriction

Communications Control

Logical communications control software on the HP NonStop server must reset the dial access port's command interpreter whenever the host modem detects a disconnection.

$CMON Control

The HP NonStop server operating system has provisions for a process called $CMON. The $CMON process (refer to section on $CMON) can support PORT and USER based restrictions, which can be used to limit which userids can be used with a dial access modem. For example, $CMON can be set up to allow technical support to use a dial access modem without permitting any other userids access.

3P-CMON-DIALUP-01 Use a CMON product that allows users to be identified and restricted for dialup access.

Firewall

An external firewall can be used to limit access to the HP NonStop server to only those parties that can successfully pass the firewall. This supports and enhances the network security. The firewall machine can protect multiple HP NonStop server installations.

The firewall must limit access to the NonStop servers using PORT address limitations. The firewall itself must be secured to prevent unauthorized modification and fraudulent use.

Encryption

If the contents of the dialup access session are sensitive, those contents should be encrypted to avoid communication sniffing.

Encrypting Modems

Encrypting modems use hardware to perform the encryption function. Their use requires each user who might have access to the dial access port to have an encrypting modem that is keyed identically with the host side.

Session Encryption

Session encryption uses software on both the host and on the personal computer that the person dialing in is using. The software encrypts information before transmission and then decrypts when receiving information.

Auditing

All dial access activity must be audited. The degree of auditing used is dependent on the Corporate Security Policy and Standards.

RISK At a minimum, a record of every failed attempt to access the dial access port must be kept. When a pattern of attack or abuse is discovered, it must be handled immediately according to the Security Policy and Standards.

Safeguard Auditing

In a less-secure environment, Safeguard auditing of logons and logoffs at the dial access port can suffice. With increasing need for security, auditing of transactions such as program execution and file opens/closes becomes necessary.

Third Party Key-Stroke Level Auditing

A third-party package that provides keystroke auditing can be used. The characters of every command are recorded to an audit file and reviewed on a regular basis, usually daily, to detect unexplained or unauthorized entries.

3P-ACCESS-AUDIT-01 Use a third-party access product that can perform keystroke audits on communication lines.
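
Two of the dial access risks above leave a recognizable trace in an audit trail: repeated failed logons on a port, and a modem disconnect that leaves a logged-on session for the next caller. The following is an added example, not part of the original text and not the output of Safeguard or any audit product: the record format, the event names, the $DIALn port names and SUPPORT.TECH are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <port> <event> [userid]".
# The format, the $DIALn port names and SUPPORT.TECH are hypothetical.
SAMPLE_LOG = """\
2004-03-01T02:10:00 $DIAL1 CONNECT
2004-03-01T02:10:20 $DIAL1 LOGON_FAIL SUPER.SUPER
2004-03-01T02:10:41 $DIAL1 LOGON_FAIL SUPER.SUPER
2004-03-01T02:11:05 $DIAL1 LOGON_FAIL SUPER.SUPER
2004-03-01T09:00:00 $DIAL2 CONNECT
2004-03-01T09:00:30 $DIAL2 LOGON_OK SUPPORT.TECH
2004-03-01T09:20:00 $DIAL2 DISCONNECT
2004-03-01T09:25:00 $DIAL2 CONNECT
2004-03-01T10:00:00 $DIAL3 CONNECT
2004-03-01T10:00:30 $DIAL3 LOGON_OK SUPPORT.TECH
2004-03-01T10:05:00 $DIAL3 DISCONNECT
2004-03-01T10:05:01 $DIAL3 RESET
2004-03-01T10:30:00 $DIAL3 CONNECT
"""

def analyze(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, port, finding) tuples for two dial access risks."""
    findings = []
    fails = defaultdict(deque)  # port -> times of recent failed logons
    logged_on = {}              # port -> userid with a live session
    stale = {}                  # port -> userid whose session outlived the call
    for line in log_text.strip().splitlines():
        ts_s, port, event, *rest = line.split()
        ts = datetime.fromisoformat(ts_s)
        if event == "LOGON_FAIL":
            q = fails[port]
            q.append(ts)
            while ts - q[0] > window:   # keep only failures inside the window
                q.popleft()
            if len(q) == threshold:     # alert once, when the burst is reached
                findings.append((ts_s, port, "FAILED_LOGON_BURST"))
        elif event == "LOGON_OK":
            logged_on[port] = rest[0]
            stale.pop(port, None)       # a fresh logon replaces a stale session
        elif event == "LOGOFF":
            logged_on.pop(port, None)
        elif event == "DISCONNECT" and port in logged_on:
            stale[port] = logged_on.pop(port)   # line dropped without a logoff
        elif event == "RESET":
            stale.pop(port, None)       # command interpreter was reset
        elif event == "CONNECT" and port in stale:
            findings.append((ts_s, port, "INHERITED_SESSION"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the sample, $DIAL3 produces no finding because the reset follows the disconnect, which is the behaviour required of the communications control software described earlier.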

Best Practice Recommendations:

Use port controls on the host side to ensure that only authorized personnel can use the dial access port

Use communication control software that ensures that the port command interpreter is reset whenever a host modem disconnection occurs

Use additional authentication to ensure that the person attempting to use the system is authorized

Use session encryption to ensure that the contents of the session cannot be revealed

Use keystroke auditing to monitor the session's activities

Discovery Questions

ID                   Question                                    Look here:
DIALUP-NETWORK-01    Is Dial Access configured on the node?      SCF
DIALUP-NETWORK-02    How is Dialup access used on the system?    SCF




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157