ClearPath OS 2200 System LAN Security Overview White paper
Table of Contents Introduction 3 Baseline Security 3 LAN Configurations 4 Security Protection Measures 4 Software and Security Updates 4 Security Analyzers 5 Antivirus Software 5 Spyware Removal 5 IIS Security 5 Firewalls 5 Physical Access Controls 5 Administrative Access Controls 5 In-depth Defense 6 Security Service 6 Conclusion 6 2
Introduction Security in a computing environment is the assurance that data within the environment cannot be accessed or changed without authorization and that the computing environment will continue to provide its intended service without interference from unwanted intrusions. It is by its very nature a careful balance between protection and accessibility. ClearPath OS 2200 servers include controls that allow each client installation to make the tradeoffs that satisfy their security policies while achieving the necessary accessibility. The system LANs connect essential components of the ClearPath server infrastructure, including operations servers and other components inside the physically secured computer center. The AM LAN, IC LAN, IP-LAN, MLAN and FM-LAN are examples of LANs in this category. In this document, the term enterprise LAN means any LAN that might carry business data and might be accessed by a variety of corporate employees and clients. The Operations LAN is the LAN that client administrators and operators use to access the Operations Server. This document focuses on the steps taken by Unisys to make the LANs secure, as well as the actions clients must take to assure that their environment is secure. The Dorado system LAN security policy is an infrastructure security policy that focuses on the steps taken by Unisys to make the LAN secure, as well as the actions customers must take to assure that their environment is secure. Within the ClearPath system LANs, Unisys provides a number of security capabilities, which include: The use of Microsoft Windows authentication and authorization controls. The use of Unisys proprietary authentication authorization controls. Configurations that follow the Secure by default principle However, you must take a number of steps to assure maximum protection. The nature and extent of these steps differ based on how the system LANs are configured. System LAN security is just one part of total system security. It should be part of a comprehensive approach that also includes the following: Isolate applications, workloads, users, and network connections whenever possible. Harden operating systems, virtual machines, and critical infrastructure resources. Use a strategy of defense in depth, with multiple tiers of protection. Encrypt and cloak data in motion. Encrypt sensitive data at rest. A related document, the ClearPath OS 2200 System Security Best Practices (8206 2209), provides high-level security best practices for ClearPath OS 2200 environments. Baseline Security All ClearPath systems are installed with a baseline level of security. You must take additional security steps if the system LANs are not isolated from enterprise or Operations LANs. Baseline security is provided through the configuration of a standard set of hardware and software components. Authentication control limits access to only authorized personnel. The Windows servers on the system LAN use the Microsoft workgroup model, in which user names and group memberships are configured separately on each component. User authentication between these components relies on synchronized user names and passwords. You can use Domain and/or Active Directory security; this implementation requires consideration of the firewall and group membership setup requirements. Unisys establishes and maintains a baseline level of security for all systems and applies changes to the baseline in conjunction with standard system plateau updates. Client-specific input to these baseline updates 3
is limited to the use of site-specific passwords and, in some cases, site-specific user names. Unisys does not explicitly supply Windows security updates; however, product releases contain platform software updates (for example, service packs) as appropriate. All Dorado systems are installed using either a Unisys defined default password, or a client-defined default password that is used repeatedly throughout the installation and setup process. Unisys strongly recommends that you change all passwords set during the installation process to a new set of passwords that complies with your security policies. If this is not done, the passwords used during the installation are retained and are neither private nor secret, nor are they unique across multiple system installations. LAN Configurations System LAN configurations reflect your operational requirements in a variety of ways that might be influenced by system types, technical management choices, and trade-offs between security and convenience of administration. The default and most secure configuration is one in which system LANs are isolated from the enterprise LANs. Unisys strongly recommends keeping system LANs fully isolated from the enterprise LANs to assure that no possibility exists of outside access to the LAN components. In a fully isolated LAN environment, with connections only being made by devices that are determined to be problem free, no need exists for further security protection against external attacks. A system LAN connected to the enterprise LAN through firewalls is less secure. You might choose to use an enterprise LAN connection to provide greater access to operations data from desktop terminals or other devices. However, you must be aware of the potential risks of infection resulting from this form of configuration. The level of security provided by a firewall is extremely dependent on its configuration; therefore, you must configure the firewall to satisfy the site security policies and verify that its configuration is still appropriate after any LAN or security policy updates. Other options include the use of Unisys Stealth or clientsupplied routers that can filter and otherwise restrict access to the maintenance LAN. In a system LAN environment with firewall access to the enterprise LAN, you must take additional security protection measures, such as virus protection; Microsoft software and security updates; and related product updates. Security Protection Measures In addition to the previously mentioned baseline security, you should take some or all of the following steps to provide additional protection. Software and Security Updates Microsoft frequently issues software and securityspecific updates, also referred to as hot fixes or patches. The changes range from modest updates or corrections to more significant areas of change. Given the frequency of change and the fact that the changes are directly made available to clients, Unisys neither tests, verifies, nor regulates the distribution and installation of these changes. Therefore, the responsibility for the application of Microsoft changes must be retained by the client at the site level. Note: Microsoft security fixes could possibly break or restrict a function needed by Unisys operational software. Clients are strongly advised to test these corrections before implementing them in any missioncritical application. Unisys routinely tests distributed service packs and formalized product update levels but has no policy of testing all interim product updates. System security depends on client installation and configuration options. Therefore, you should establish security procedures that address concerns defined in your own security policies. Unisys recommends that you apply critical updates to system LAN components. You should only apply noncritical updates, driver updates, and Service Packs when you are directed to do so by Unisys. Unisys provides specific guidance with regard to the application of updates in Technical Information Bulletins (TIBs). 4
Security Analyzers Security analyzers detect security vulnerabilities within computing systems. For example, Microsoft Baseline Security Analyzer (MBSA) is a free, downloadable security product that provides a streamlined method of identifying missing security updates and common security misconfigurations on systems running the Microsoft Windows operating system, Vulnerability scanners available from several vendors can analyze the potential of attacks through network ports and recommend remediation steps. Unisys uses an external vulnerability scanner on the OS 2200 system configuration before releasing software updates to verify that the system delivered with standard settings has only the required ports open. Antivirus Software Different types of computer viruses require different means of detection and correction. Similarly, antivirus software uses a variety of protection techniques and algorithms. These products have similar goals: identifying, isolating, and removing computer viruses. You should choose an antivirus product that best meets the requirements of your security policy. Unisys runs antivirus software on their computing systems, personal computers, and workstations, as well as security agent software and other intrusion detection software. If the system LANs are not isolated, you should install antivirus software throughout the system LANs and on any enterprise LAN components that could potentially access the system LANs. These components include at least the Service Processors, Operations Servers, Operations Workstations, and optional NTP server. You must update antivirus definition files on a regular basis to ensure that the software addresses currently identified viruses. Spyware Removal Unisys recommends against the use of web browsers to access the Internet from the Service Processor or Operations Servers. Using a browser might result in infection from a variety of malware, including spyware, adware, cookies, and associated tracking software. A number of vendors offer special purpose antispyware software that identifies and removes tracking software. If these are used, sites must comply with the provider s licensing guidelines. For example, some of these tools are free for private use but require paid licenses for commercial use. IIS Security Microsoft Internet Information Server (IIS) is the web server that supports web-based management on the Service Processors and Operations Servers. To protect traffic to and from the server, disable weak, unneeded cryptography protocols, such as SSL 2.0 and 3.0, TLS 1.0 and 1.1 and MD5. Free third-party tools such as IIS Crypto from NARTAC Software can help you configure IIS. Firewalls The term firewall refers to an entity that forms a barrier between a secure and an open environment. You can implement firewalls either in the form of software (for example, Microsoft Windows Firewall), or hardware, or a combination of the two. Typically, firewalls restrict access beyond or between public and private LAN segments. Most often firewall references are to a hardware component that resides on a network. Firewalls can block or filter packets of data, specific applications, or data that is sent by way of specific addresses. Generally, you must configure a firewall to be suitable for a specific purpose and so that it meets the needs of a given security policy. Physical Access Controls For system LAN configurations that are not fully isolated, you should regulate access to the LANs by means of physical access controls. Physical access control includes such things as limited access to facilities, locked rooms, access restriction using smart cards or other access protection media and devices, such as firewalls. You should audit access to secured resources and maintain a history of access. Grant access on an as needed basis to limit system vulnerability. Administrative Access Controls Security policies and procedures are an important part of the site s protection of the system LANs. Education and training, especially of those responsible for making LAN 5
configuration changes, periodic review of access rights, careful hiring practices, and security auditing also contribute to system LAN security. In-depth Defense Security is best established in the form of layered defenses, where no single form of defense is assumed sufficient. The best defense is a set of policies and procedures that include, among other things, security patch management, ongoing security analysis, antivirus protection, and physical and administrative access controls. In addition, effective security includes correctlyconfigured technical controls, such as firewalls, and continuous improvement. As products, features, and threats change, each site needs to adjust to these changes. Security Service Unisys provides a full range of security features within ClearPath systems. However, because of the variety of client-defined configurations and the frequency with which Microsoft and other vendors provide securityrelated changes you might need to take additional steps to meet the requirements of your own security policies. Enterprise security management, including the use of third-party products and unique client configurations, requires additional client considerations. Therefore, beyond the base level of security provided by Unisys, the client must manage the maintenance of security within the data center. Conclusion Unisys installs ClearPath systems with baseline security in place. To maintain this level of security, you need to consider security when connecting anything directly or indirectly to the system LANs. Physical, technical, and administrative access controls all have their place in providing defense for the system LANs. The need for specific security controls, such as virus protection, depends on the kind of access that systems outside the system LANs have to system LAN components. If there is any access at all, even if it is protected by a firewall, then you should employ additional security protection measures. Consider these measures: Software and security updates Security analyzers Antivirus software Spyware removal IIS security Firewalls, routers, and Unisys Stealth Physical access controls Administrative access controls If your complex networking environment raises system LAN security issues that demand more than you can address in-house, you can contract with Unisys security services to provide these security capabilities. 6
For more information, contact your Unisys representative or visit our web site at www.unisys.com. Specifications are subject to change without notice. 2017 Unisys Corporation. All rights reserved. Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners. Printed in the United States of America. 8206 2217-000