We also need to consider securing the servers. Today's campus servers are physical hardware which hosts many virtual machines. These virtual machines sitting on the host hardware are the most common and most inexpensive way of scaling a core server infrastructure for a campus. The days of one server occupying physical hardware platform are long gone. So let's look at the physical hardware first. The physical hardware will have LAN interfaces with VLANs usually trunked to a firewall for filtering. The physical hardware will also have a management interface for managing the parent O.S. and it will also have an IPMI interface for accessing the BIOS of the physical hardware. And this is for operating system installation and for basic maintenance. If you look in the back of these physical servers you see these different interfaces and they'll be documented and labeled as such. All of them need to be protected from the wider population. The IPMI interface is of special significance because it gives the administrator access to the BIOS. The last thing any administrator wants is for the general user to get access to the BIOS and reset the entire physical hardware. So let's look at the physical hardware in detail. LAN interfaces are used for connecting hosted virtual machines to the campus infrastructure. We'll look at the security of these VMs in the next slide. The management interface is for the management of the parent operating system. The parent operating system will host the virtual machines within it. Security, probably a dedicated management VLAN firewalls from the campus network. The IPMI interface is for last resort BIOS access. The security for this is a dedicated LAN ideally isolated from the campus network or if that's not possible use some other out-of-band access, for example serial console rather than the IPMI itself. So let's look at the virtual machines. We have a physical LAN interface connecting to the outside world and this LAN is usually delivered as a VLAN trunk with the physical hosting hardware. Firewalls play a very important role in protecting these VMs. Most operating systems used on the VMs have built-in firewalls. These must be used, too. So your physical firewall is not a replacement for the built-in firewalls -- use both filters. Allow access to the servers being hosted only for example a web server filter would only allow http and https access. And you need ssh from the campus NOC and maybe the content owner for management and update access and of course this will be in addition to DNS queries made by the web server. Don't forget that you must allow ICMP in and out as well. So here's an iptables example on the slide for securing servers. Uou can use your own favorite firewall on your physical server. We're using iptables because it has a long history and is generally quite well known to campus system administrators. The iptables example allows all of ICMP. We really don't want to block ICMP at all. We've discussed elsewhere in this series about rate limiting ICMP but blocking our ICMP will cause serious detriment to the performance and functionality of the network. The iptables example also allows all established TCP sessions. What this means is any TCP session originated by the virtual machine will make an outbound connection established allows the responses for these outbound connections to come back. We're also allowing in that list the NOC ssh access. We're allowing generic port 80 and port 443 access and then we're allowing SNMP access from the network monitoring system. All other traffic is blocked and we block it by sending an ICMP host prohibited message. So this is one example from a working system setup that we can use for protecting our VM sitting on our campus server infrastructure.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.