Section 12.5. Security


It is important to understand the security implications of using the HP-UX system recovery tools. When setting up the Ignite-UX server, certain services may be required to run, such as NFS, TFTP, and BOOTP, as well as optional commands such as bootsys. You should evaluate the security policies of the organization prior to setting up these recovery tools and examine the risk factors associated with running these protocols and commands. You should also review the network environment. Will firewalls be crossed, and what restrictions will be imposed?

You can disable some of these services and commands when they are not being used. For example, the bootsys command that initiates remote booting of a client from the Ignite-UX server may be blocked on specified servers (refer to the bootsys manpage). Or if the organization has a security policy stating that NFS cannot be used on any server, consider running make_tape_recovery on each local client instead of make_net_recovery (or disabling NFS after creating each make_net_recovery archive).

Remember that system recovery typically creates two NFS mount points: one for the directory on the Ignite-UX server containing client configuration information and another for the client archive. Also recall that the Ignite-UX server is not necessarily the same machine as the archive server. When the archive server is different from the Ignite-UX server, the /etc/exports file should be modified to allow access only to the client(s) being archived.
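The export restriction described above can be checked mechanically. The following audit script is an added example, not code from the book or from Ignite-UX; it assumes HP-UX style `-access=` export options, an archive root of /var/opt/ignite/recovery/archives, and one subdirectory per client named exactly as the client appears in `access=`.

```shell
#!/bin/sh
# Added example: audit an HP-UX style exports file so that each per-client
# recovery archive directory is exported only to the client it belongs to.
# Assumptions: the archive root below and one subdirectory per client,
# named exactly as the client appears in access=.
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/var/opt/ignite/recovery/archives}"

# Constructed sample input, not taken from a real server.
sample_exports() {
    cat <<'EOF'
/var/opt/ignite/clients -anon=2
/var/opt/ignite/recovery/archives/client1 -anon=2,access=client1
/var/opt/ignite/recovery/archives/client2 -anon=2
/var/opt/ignite/recovery/archives/client3 -anon=2,access=client3:client9
EOF
}

# Reads exports lines from the named file(s) or stdin, prints one finding
# per weak archive export, and returns 1 if any finding was printed.
audit_exports() {
    awk -v root="$ARCHIVE_ROOT" '
        NF == 0 || $1 ~ /^#/ { next }                      # blanks, comments
        $1 != root && index($1, root "/") != 1 { next }    # not an archive export
        {
            dir = $1; opts = $2; sub(/^-/, "", opts)
            n = split(dir, parts, "/"); client = parts[n]
            access = ""
            m = split(opts, o, ",")
            for (i = 1; i <= m; i++)
                if (o[i] ~ /^access=/) access = substr(o[i], 8)
            if (dir == root)
                finding = "BROAD " dir " (whole archive root exported)"
            else if (access == "")
                finding = "OPEN " dir " (no access= list, any host may mount)"
            else if (access != client)
                finding = "EXTRA " dir " (access=" access ", expected " client ")"
            else
                next
            print finding; bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Demo on the constructed sample: flags client2 (OPEN) and client3 (EXTRA).
sample_exports | audit_exports || true
```

On an archive server, pass the real file as an argument (`audit_exports /etc/exports`) and treat a non-zero return as a finding to fix before the next make_net_recovery run.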

An Ignite-UX server may be configured to disallow access by anonymous clients, for example, by providing temporary IP addresses for installation and booting only to certain network interfaces that are identified by link-level hardware MAC addresses.

Consider the soundness of the disaster recovery planning and implementation. A single system may function as both an Ignite-UX client and server. But if the server fails, from where will it be recovered? If the environment is compromised, then how, and from where, will it be rebuilt? Even where two or more Ignite-UX servers are in use across a network and in locations remote to one another, be sure to have a recovery plan for each recovery server.

It is also important to ensure the integrity and security of the recovery archives themselves. Once an archive is created, the entire system is captured in a file or on tape media, and that archive contains just about everything that an attacker needs to exploit a system or an entire network. For example, there are several password cracking programs that can be used to guess the passwords found in a system's /etc/passwd file. Other critical information such as route tables can be obtained from the archive as well. Are the servers and tape libraries physically secure? Is there off-site storage of tape media, and are those remote sites secure? Are proper Unix security practices being followed on the Ignite-UX server?

At the time of this writing, the system recovery archives are unencrypted. This means that the physical security of system recovery images, whether on tape or stored on a network server, is essential.




Backup & Recovery: Inexpensive Backup Solutions for Open Systems
ISBN: 0596102461
EAN: 2147483647
Year: 2006
Pages: 237