ClearPath OS 2200 System LAN Security Overview. White paper


Table of Contents

- Introduction
- Baseline Security
- LAN Configurations
- Security Protection Measures
  - Software and Security Updates
  - Security Analyzers
  - Antivirus Software
  - Spyware Removal
  - IIS Security
  - Firewalls
  - Physical Access Controls
  - Administrative Access Controls
- In-depth Defense
- Security Service
- Conclusion

Introduction

Security in a computing environment is the assurance that data within the environment cannot be accessed or changed without authorization and that the computing environment will continue to provide its intended service without interference from unwanted intrusions. It is by its very nature a careful balance between protection and accessibility. ClearPath OS 2200 servers include controls that allow each client installation to make the tradeoffs that satisfy their security policies while achieving the necessary accessibility.

The system LANs connect essential components of the ClearPath server infrastructure, including operations servers and other components inside the physically secured computer center. The AM LAN, IC LAN, IP-LAN, MLAN and FM-LAN are examples of LANs in this category. In this document, the term enterprise LAN means any LAN that might carry business data and might be accessed by a variety of corporate employees and clients. The Operations LAN is the LAN that client administrators and operators use to access the Operations Server.

This document focuses on the steps taken by Unisys to make the LANs secure, as well as the actions clients must take to assure that their environment is secure. The Dorado system LAN security policy is an infrastructure security policy that focuses on the steps taken by Unisys to make the LAN secure, as well as the actions customers must take to assure that their environment is secure.

Within the ClearPath system LANs, Unisys provides a number of security capabilities, which include:

- The use of Microsoft Windows authentication and authorization controls.
- The use of Unisys proprietary authentication and authorization controls.
- Configurations that follow the Secure by default principle.

However, you must take a number of steps to assure maximum protection. The nature and extent of these steps differ based on how the system LANs are configured. System LAN security is just one part of total system security.
It should be part of a comprehensive approach that also includes the following:

- Isolate applications, workloads, users, and network connections whenever possible.
- Harden operating systems, virtual machines, and critical infrastructure resources.
- Use a strategy of defense in depth, with multiple tiers of protection.
- Encrypt and cloak data in motion.
- Encrypt sensitive data at rest.

A related document, the ClearPath OS 2200 System Security Best Practices (8206 2209), provides high-level security best practices for ClearPath OS 2200 environments.

Baseline Security

All ClearPath systems are installed with a baseline level of security. You must take additional security steps if the system LANs are not isolated from enterprise or Operations LANs. Baseline security is provided through the configuration of a standard set of hardware and software components. Authentication control limits access to only authorized personnel.

The Windows servers on the system LAN use the Microsoft workgroup model, in which user names and group memberships are configured separately on each component. User authentication between these components relies on synchronized user names and passwords. You can use Domain and/or Active Directory security; this implementation requires consideration of the firewall and group membership setup requirements.

Unisys establishes and maintains a baseline level of security for all systems and applies changes to the baseline in conjunction with standard system plateau updates. Client-specific input to these baseline updates is limited to the use of site-specific passwords and, in some cases, site-specific user names. Unisys does not explicitly supply Windows security updates; however, product releases contain platform software updates (for example, service packs) as appropriate.

All Dorado systems are installed using either a Unisys-defined default password, or a client-defined default password that is used repeatedly throughout the installation and setup process. Unisys strongly recommends that you change all passwords set during the installation process to a new set of passwords that complies with your security policies. If this is not done, the passwords used during the installation are retained and are neither private nor secret, nor are they unique across multiple system installations.

LAN Configurations

System LAN configurations reflect your operational requirements in a variety of ways that might be influenced by system types, technical management choices, and trade-offs between security and convenience of administration.

The default and most secure configuration is one in which system LANs are isolated from the enterprise LANs. Unisys strongly recommends keeping system LANs fully isolated from the enterprise LANs to assure that no possibility exists of outside access to the LAN components. In a fully isolated LAN environment, with connections only being made by devices that are determined to be problem free, no need exists for further security protection against external attacks.

A system LAN connected to the enterprise LAN through firewalls is less secure. You might choose to use an enterprise LAN connection to provide greater access to operations data from desktop terminals or other devices. However, you must be aware of the potential risks of infection resulting from this form of configuration.
The level of security provided by a firewall is extremely dependent on its configuration; therefore, you must configure the firewall to satisfy the site security policies and verify that its configuration is still appropriate after any LAN or security policy updates. Other options include the use of Unisys Stealth or client-supplied routers that can filter and otherwise restrict access to the maintenance LAN.

In a system LAN environment with firewall access to the enterprise LAN, you must take additional security protection measures, such as virus protection; Microsoft software and security updates; and related product updates.

Security Protection Measures

In addition to the previously mentioned baseline security, you should take some or all of the following steps to provide additional protection.

Software and Security Updates

Microsoft frequently issues software and security-specific updates, also referred to as hot fixes or patches. The changes range from modest updates or corrections to more significant areas of change. Given the frequency of change and the fact that the changes are directly made available to clients, Unisys neither tests, verifies, nor regulates the distribution and installation of these changes. Therefore, the responsibility for the application of Microsoft changes must be retained by the client at the site level.

Note: Microsoft security fixes could possibly break or restrict a function needed by Unisys operational software. Clients are strongly advised to test these corrections before implementing them in any mission-critical application.

Unisys routinely tests distributed service packs and formalized product update levels but has no policy of testing all interim product updates. System security depends on client installation and configuration options. Therefore, you should establish security procedures that address concerns defined in your own security policies.

Unisys recommends that you apply critical updates to system LAN components. You should only apply noncritical updates, driver updates, and Service Packs when you are directed to do so by Unisys. Unisys provides specific guidance with regard to the application of updates in Technical Information Bulletins (TIBs).

Security Analyzers

Security analyzers detect security vulnerabilities within computing systems. For example, Microsoft Baseline Security Analyzer (MBSA) is a free, downloadable security product that provides a streamlined method of identifying missing security updates and common security misconfigurations on systems running the Microsoft Windows operating system. Vulnerability scanners available from several vendors can analyze the potential of attacks through network ports and recommend remediation steps.

Unisys uses an external vulnerability scanner on the OS 2200 system configuration before releasing software updates to verify that the system delivered with standard settings has only the required ports open.

Antivirus Software

Different types of computer viruses require different means of detection and correction. Similarly, antivirus software uses a variety of protection techniques and algorithms. These products have similar goals: identifying, isolating, and removing computer viruses. You should choose an antivirus product that best meets the requirements of your security policy.

Unisys runs antivirus software on its computing systems, personal computers, and workstations, as well as security agent software and other intrusion detection software.

If the system LANs are not isolated, you should install antivirus software throughout the system LANs and on any enterprise LAN components that could potentially access the system LANs. These components include at least the Service Processors, Operations Servers, Operations Workstations, and optional NTP server. You must update antivirus definition files on a regular basis to ensure that the software addresses currently identified viruses.

Spyware Removal

Unisys recommends against the use of web browsers to access the Internet from the Service Processor or Operations Servers. Using a browser might result in infection from a variety of malware, including spyware, adware, cookies, and associated tracking software.

A number of vendors offer special purpose antispyware software that identifies and removes tracking software. If these are used, sites must comply with the provider's licensing guidelines. For example, some of these tools are free for private use but require paid licenses for commercial use.

IIS Security

Microsoft Internet Information Server (IIS) is the web server that supports web-based management on the Service Processors and Operations Servers. To protect traffic to and from the server, disable weak, unneeded cryptography protocols, such as SSL 2.0 and 3.0, TLS 1.0 and 1.1, and MD5. Free third-party tools such as IIS Crypto from NARTAC Software can help you configure IIS.

Firewalls

The term firewall refers to an entity that forms a barrier between a secure and an open environment. You can implement firewalls either in the form of software (for example, Microsoft Windows Firewall), or hardware, or a combination of the two. Typically, firewalls restrict access beyond or between public and private LAN segments. Most often firewall references are to a hardware component that resides on a network. Firewalls can block or filter packets of data, specific applications, or data that is sent by way of specific addresses. Generally, you must configure a firewall to be suitable for a specific purpose and so that it meets the needs of a given security policy.

Physical Access Controls

For system LAN configurations that are not fully isolated, you should regulate access to the LANs by means of physical access controls. Physical access control includes such things as limited access to facilities, locked rooms, access restriction using smart cards or other access protection media and devices, such as firewalls. You should audit access to secured resources and maintain a history of access. Grant access on an as-needed basis to limit system vulnerability.
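For the IIS Security recommendation above (disabling SSL 2.0 and 3.0, TLS 1.0 and 1.1, and MD5), the following PowerShell is an added example, not Unisys code or part of the original white paper. It reads the standard Windows SCHANNEL registry keys that control what IIS negotiates and reports the state of each item; it checks only the server-side `Enabled` value, and the function names are hypothetical.

```powershell
# Added example: audit the SCHANNEL settings for the items the white paper
# names as weak. Read-only unless Disable-SchannelItem is called explicitly.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$targets = [ordered]@{
    'SSL 2.0' = "$base\Protocols\SSL 2.0\Server"
    'SSL 3.0' = "$base\Protocols\SSL 3.0\Server"
    'TLS 1.0' = "$base\Protocols\TLS 1.0\Server"
    'TLS 1.1' = "$base\Protocols\TLS 1.1\Server"
    'MD5'     = "$base\Hashes\MD5"
}

function Get-SchannelState {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path)
    $enabled = $null
    if (Test-Path -LiteralPath $Path) {
        # Enabled is a DWORD: 0 disables the item, any other value enables it.
        $enabled = (Get-ItemProperty -LiteralPath $Path).Enabled
    }
    if ($null -eq $enabled) { $state = 'NotConfigured' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    else                    { $state = 'Enabled' }

    [pscustomobject]@{
        Item      = $Name
        State     = $state
        # NotConfigured means the Windows default applies, which may still
        # allow the item, so only an explicit 0 counts as compliant here.
        Compliant = ($state -eq 'Disabled')
        Path      = $Path
    }
}

function Disable-SchannelItem {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'Set Enabled=0')) {
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $Path -Name Enabled -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

$report = foreach ($name in $targets.Keys) {
    Get-SchannelState -Name $name -Path $targets[$name]
}
$report | Format-Table Item, State, Compliant -AutoSize

# Remediation is deliberately not run. After testing on a non-production
# system, preview with -WhatIf, then apply and restart the server:
# $report | Where-Object { -not $_.Compliant } |
#     ForEach-Object { Disable-SchannelItem -Path $_.Path -WhatIf }
```

Run it from an elevated PowerShell session on the Service Processor or Operations Server; a tool such as IIS Crypto writes the same registry values.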
Administrative Access Controls

Security policies and procedures are an important part of the site's protection of the system LANs. Education and training, especially of those responsible for making LAN configuration changes, periodic review of access rights, careful hiring practices, and security auditing also contribute to system LAN security.

In-depth Defense

Security is best established in the form of layered defenses, where no single form of defense is assumed sufficient. The best defense is a set of policies and procedures that include, among other things, security patch management, ongoing security analysis, antivirus protection, and physical and administrative access controls. In addition, effective security includes correctly configured technical controls, such as firewalls, and continuous improvement. As products, features, and threats change, each site needs to adjust to these changes.

Security Service

Unisys provides a full range of security features within ClearPath systems. However, because of the variety of client-defined configurations and the frequency with which Microsoft and other vendors provide security-related changes, you might need to take additional steps to meet the requirements of your own security policies.

Enterprise security management, including the use of third-party products and unique client configurations, requires additional client considerations. Therefore, beyond the base level of security provided by Unisys, the client must manage the maintenance of security within the data center.

Conclusion

Unisys installs ClearPath systems with baseline security in place. To maintain this level of security, you need to consider security when connecting anything directly or indirectly to the system LANs. Physical, technical, and administrative access controls all have their place in providing defense for the system LANs.

The need for specific security controls, such as virus protection, depends on the kind of access that systems outside the system LANs have to system LAN components. If there is any access at all, even if it is protected by a firewall, then you should employ additional security protection measures.
Consider these measures:

- Software and security updates
- Security analyzers
- Antivirus software
- Spyware removal
- IIS security
- Firewalls, routers, and Unisys Stealth
- Physical access controls
- Administrative access controls

If your complex networking environment raises system LAN security issues that demand more than you can address in-house, you can contract with Unisys security services to provide these security capabilities.

For more information, contact your Unisys representative or visit our web site at www.unisys.com. Specifications are subject to change without notice. 2017 Unisys Corporation. All rights reserved. Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners. Printed in the United States of America. 8206 2217-000