University of Glasgow bastion host policy

University of Glasgow bastion host policy

Purpose

The purpose of this Policy is to ensure that all University computer systems that provide network services or applications are configured and operated with appropriate levels of security. The University's Information Technology infrastructure provides a comprehensive set of centrally managed network services and applications, supported by specialist teams that have responsibility for their day-to-day operation and security requirements. In addition, central support staff liase with the University of Glasgow Incident Response Team (UGCirt), to help implement additional proactive network service and applications security measures. However it is clear that there are significant numbers of decentralised servers operated by departments, research groups or individuals, for which the operational and security standards are unknown. This Policy defines the operational and security standards that must be applied to decentralised as well as centralised servers. In most cases departments or research groups may find it  more appropriate to make use of central server provisions rather than deploying and incurring the significant overheads of operating their own systems. This is particularly true for, Web, E-mail, File store, DNS and DHCP/BootP services.

Scope

This Policy applies to all network systems that provide services or applications that support the teaching, research or administration functions of the University. Although the primary focus will be on public servers, accessible from on campus and the global Internet, the Policy applies equally to Private intranet servers. The proliferation of network servers increases the risk of systems compromise due to the extensive and increasing number of vulnerabilities affecting most popular operating systems, native TCP/IP services and applications. Network scans of the University's IP address space are commonplace and designed to probe for known vulnerabilities in network systems that can be exploited and lead to systems compromise. Recent history concerning the CodeRed and Nimda attacks highlighted the number of vulnerable Web systems on campus including a large number of systems supporting Web based management agents. In most modern operating systems the distinction between server and workstation environments is blurred with many workstations running or capable of running server software that could pose a security risk. The aims of this Policy are as follows:

  • Define the overheads in terms of the management, operation, support and security functions, associated with deploying a network server
  • Identify all network servers and establish their purpose, requirements, user base and the personnel responsible for them
  • Reduce wherever possible the number of decentralised servers by promoting central services and applications as viable alternatives
  • Limit the exposure of all network servers to those services and applications that are critical for their primary function
  • Establish access control lists (ACLs) for common Internet applications e.g., WWW, e-mail, ftp and DNS. The ACLs would restrict Internet access for specific applications to the servers registered to support those applications.

Identifying the network systems that could present a security threat and establishing procedures and guidelines to mitigate those threats will be critical to the success of the University's information security strategy.

Policy

A Bastion host is a network system that may be exposed to attack from other internal or external network systems. Because of this, every effort must be made to ensure that the Bastion host is deployed, configured, operated and managed in a manner that mitigates this exposure. Generally a bastion host will fulfil a specific role and all unnecessary services; protocols, applications and network ports will either be disabled or removed. Trust relationships with other network systems would be avoided to guard against 'Key to the castle' attacks. Bastion hosts require day-to-day management and ongoing support, generally from Systems administrators' expert in the operating systems, applications, protocols and potential systems vulnerabilities. 

This Policy applies general Bastion host principles to the network servers and hosts connected to the University's campus networks.

Before deploying a Network server and associated services or applications a department or research group should consider using centrally provided solutions. Centrally provided services and applications will offer managed solutions for the majority of department and research group requirements i.e.,

  • DNS services
  • DHCP/BootP services
  • E-mail hubs
  • WWW services
  • WWW caches
  • File services for Unix, Novell and Microsoft environments
  • Print services as above
  • Directory services
  • Authentication services
  • Remote access services
  • MIS services

If there is a legitimate reason why a department or research group should deploy their own solutions then this must be done in a secure and supportable environment. The following sections define the University's general requirements for deploying network servers, services and applications. Operating system, service and application specific requirements will be advertised and maintained by the University of Glasgow Computer Incident Response Team (UGCirt).

Role

The role of each network server should be clearly established with respect to:

  • Its purpose - services and applications
  • User community- who can access it
  • Sensitivity of data stored or flowing through it
  • Legal and regulatory requirements
  • Security considerations - Public vs. private requirements
  • Availability requirements - importance of services offered

Location

A network server must be dedicated to the specific tasks associated with its role and located in a lockable, restricted access room with environmental and network provisions commensurate with the importance of the services and applications it provides i.e., Network server locations must address the following requirements:

  • Physical security and access restrictions
  • Air conditioning
  • Emergency power source e.g., Uninterruptible Power Supply, UPS
  • Fire prevention
  • Dedicated network ports

These requirements preclude the deployment of a network server or dual role server/workstation in staff offices or other areas with little physical security and or environmental provisions.

Management support and operation

The management, support and operational requirements for each network server must be established. The personnel responsible for each role must be identified, i.e.,

  • Systems administrator(s) - where appropriate
  • Systems operator(s) - where appropriate
  • Service or applications support specialists - where appropriate
  • Hardware including environmental maintenance and software maintenance contractors - where appropriate

The designation and number of individuals involved will depend on the importance of the network server and the resources available. However even a relatively small network server, delivering modest network services or applications will require at least 2 individuals to be identified with at least one being the systems administrator.

Operational and security procedures must be established, documented and maintained by systems managers or administrators. These procedures will include the following

  • Asset register detailing all hardware and software components, including licensed software
  • System change procedures including reversion procedures
  • System configuration details including security measures and details of admin/root accounts
  • Hardware and software contractors call out procedures where appropriate
  • System recovery procedures including location of system backup/restore media, Network, operating system, service and applications installation media and license keys where required
  • Physical security and access procedures - Who is responsible for physical access security and who has physical access privileges.

Initial server builds or recovery procedures must be exercised with extreme caution; servers may be at their most vulnerable during the system build process since security patches, hot fixes and ACLs tend to be applied late in the process or indeed after it completes.

System administration

System administrators will be responsible for most aspects of the day-to-day operation and support of their network servers. They should have experience with the operating systems, services, applications and network protocols running on the servers they manage and understand the threats their systems may be exposed to. Because of their privileged position and the likelihood that they will come into contact with personal, restricted or sensitive information they must adhere to the University's guidelines for network and systems administrators. Systems administrators will implement, configure, support and monitor the operational and security procedures associated with the network servers they manage; in particular system administrators must:

  • Understand the role of each server and its importance to the user community served
  • Understand the range and types of vulnerabilities that may affect the network server, services and applications; conduct a risk analysis for those vulnerabilities, in collaboration with UGCirt if required
  • Perform regular systems maintenance functions with respect to the following:
    • Operating system patches and hot fixes Service and application patches and hot fixes
    • Operating system, service and application software updates and new releases
  • Implement vendor security configurations and recommendations. Systems administrators should familiarise themselves with all vendor specific security recommendations and relevant 'best practice' guides advertised by UGCirt
  • Implement procedures that ensure early notification of newly detected vulnerabilities and vendor security patches
  • Discuss security requirements with UGCirt.
  • Limit operating system options, features, services and applications to those essential for the primary purpose of the network server
  • Disable all IP network port numbers that are not required for the servers primary role
  • Install proactive security measures where appropriate, e.g.,
    • TCP-Wrappers or their equivalents to limit the servers visibility
    • Anti-virus software to protect against malicious code
    • Access control lists (ACLs) to restrict access and service/application visibility
    • Firewall shims to extend ACLs with statefull inspections
  • Enable operating system, service and application logging to record the following:
    • Connection attempts
    • Authentication results
    • Network interface statistics
    • Unusual events
    Wherever possible logs should be forwarded to a secure system for storage. It is essential that internal system clocks be synchronised via the Network Time Protocol, NTP, to ensure accurate correlation between evidence gathered from system logs.
  • Review system logs regularly
  • Checkpoint system file store with an auditing tool e.g., tripwire to help detect root kits or other altered system images
  • Monitor systems operating parameters for unusual events, processes, access problems, disk anomalies
  • Ensure all user access is authenticated and advise users on system authentication requirements e.g.,
  • University's password recommendations, strong encryption (SSH) for remote access to user accounts if required
  • Limit user rights to the minimum necessary to conduct their work
  • If remote management access to a server is required then enforce strong encryption via SSH
  • Restrict the use of the administrator account to tasks associated with systems administration
  • Only access administrator accounts from systems and networks that are known to be secure
  • Disable or delete old or unused accounts for users that no longer need access
  • Produce disaster recovery plan for server, services and applications
  • Perform regular system backups and maintain at least 2 copies; one copy should be stored locally and the other at a convenient remote site.
  • Test restore/recovery procedures periodically
  • Report all security incidents to UGCirt Request vulnerability scans from UGCirt at least twice per year
  • Ensure compliance with all University information technology policies, UK laws and regulations

There may be occasions where network server deployments cannot be adequately secured by local system, service or application tools. In such cases alternative provisions should be discussed with UGCirt and the Computing Service department. It is likely that UGCirt and Computing Services would recommend deploying a suitably configured network firewall to protect such servers.

If a network server subsequently causes disruption to other systems, either locally or remotely, then the system administrator(s) must take action to rectify the situation. Disruption may be caused by software malfunction, users actions or system compromise. Disruptions caused by system security related incidents must be reported to UGCirt who will be responsible for ensuring that the incident is handled appropriately. If prompt action cannot be taken to rectify any disruption then the network server may need to be disconnected from the network until the problems can be properly addressed.

Network server registration

In order to ensure that the roles, management, operation and security requirements associated with network server deployments are fully understood and adequately addressed, all network servers must be registered with the University's Computing Service department (GUCS). Failure to register a network server will be considered a breach of this policy and may result in loss of service or severe operational difficulties due to access restrictions and future network developments, which will only address registered server requirements. Network server registrations may be submitted to GUCS as follows:

E-mail:    admin@gla.ac.uk

Internal mail:

Admin section
IT Services
James Watt North Building

Since registration details may contain sensitive information; secure e-mail or hand delivery of documentation is recommended.

Department or research group heads should provide as a minimum of the following registration information:

Department or Research group name:

Head of Department or Research group:

Postal Address

E-mail address:

Telephone number:

Statement of purpose and reasons for not using central provisions:

Statement by Head of Department or Research group:

I understand the obligations associated with deploying a network server and associated services and applications. I confirm that the server deployment will conform to all University Information Technology Policies and relevant UK laws and regulations. I will ensure that the network server will be securely located, managed and operated in a professional manner and in accordance with the University security requirements.

Signed:

Date:

Technical Information

System administrators contact details:

Name:

E-mail

Telephone

Emergency call out procedures: What to do if a serious incident is detected out-with normal working hours

Server location, physical security and environmental provisions

IP address of server:

Network connection point(s) code - this information can be retrieved from the UTP outlet connecting the server to the campus network

Servers domain name:

Server hardware specification:

Server Operating system and version:

Services and applications offered:

Services and applications may be defined by their common name and the IP port numbers used to access them, e.g., WWW server on port 80

Network access restrictions

What access restrictions will be required; these would be used to construct ACL filters to restrict access to specific constituencies e.g., local IP address ranges or certain remote sites, etc.

Internet application server access restrictions

This Policy introduces access restrictions for common Internet applications, implemented on the University's SuperJANET access routers via customised access control lists (ACLs). The access restrictions will ensure that common Internet applications will only be available on public servers that have been configured and registered to support them. This Policy will reduce the potential impact of network scans on common Internet application port numbers by limiting the exposure of other network systems that run services on those ports. It will therefore be necessary to register all Public Internet application servers otherwise the campus SuperJANET access routers will not have updated ACLs; effectively blocking Internet access to unregistered servers for common Internet applications. Initially the Internet application servers controlled in this way will be as follows:

·        WWW servers

·        FTP servers

·        SQL/database servers

·        Internet file store servers

·        E-mail relays

·        DNS servers

·        Network news servers

·        Remote access servers

·        Streaming servers

References

This policy is based on information gathered from a variety of sources including:

Local procedures and experience Consultation with interested parties Other Organisations and Institutions

The following Organisations and Institutions have provided reference material and deserve acknowledgement:

Athabasca University -decentralised Server Policy

Australian National University - Defensive Computing Strategies for Desktop Computers and Local Area Networks

RFC - draft-ietf-ipsp-requirements-02.txt:IP Security Policy Requirements

UC Davis - Administrative Computing Systems

University of Minnesota -Server Installation Security Guidelines

University of Pennsylvania - Critical PennNet Host Security Policy

University of Ulster -Server Connection Policy

Security Policy Checklist