This repository was archived by the owner on Jan 11, 2023. It is now read-only.
Current Architecture Security Guidelines and Practices
Sena Heydari edited this page Feb 15, 2016 · 1 revision
- An enterprise-class firewall (OPNsense) monitors all ingress and egress network traffic.
- IDS/IPS software (Suricata) monitors all network activity; its alerts are reviewed regularly.
- VPN access is required for any remote access to the virtual servers.
- SSH access requires a public key plus a second factor (TOTP via the Google Authenticator PAM module), on top of an established VPN connection.
- Each researcher virtual machine has its own dedicated IP space that is not routable to any other virtual machine.
- LAN traffic is monitored and restricted by the firewall to only the routes and ports that are necessary.
- A combination of iptables rules and TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny) locks down each virtual machine's network traffic and the network services it exposes.
- No direct access to the database server from any remote location, whether via VPN or any other mechanism. The database server software is also configured not to listen on any publicly accessible network port.
- Every physical server partition is encrypted, including all swap partitions. Each virtual machine disk image is encrypted with its own separate strong passphrase.
- All extraneous ports on physical servers and switches (e.g. serial, USB, iLOM) are disabled in the BIOS, and the BIOS itself is password protected.
- Network ACLs further restrict port-level traffic, and each physical port is configured to carry only its designated VLAN (e.g. one for VM-level SSH traffic, another for database access).
- All management port access and functionality requires physical access to the servers.
- Sudo and root access are strictly limited to key individuals. No researcher is granted elevated privileges on their machine.
- Automated compliance/configuration management software runs daily to keep the entire environment consistent with the defined configuration.
- Frequent (at least weekly) patching windows for servers and software ensure all system components run the latest available upgrades.
- Centralized log aggregation (ELK stack) of all security-relevant system logs for auditing and monitoring.
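An added example for the SSH item above (this is not part of this page or the environment's own tooling): a bash audit script that checks whether an sshd_config and its PAM stack actually enforce "public key AND Google Authenticator TOTP", run over two constructed configurations, a stock-looking one and a hardened one. The file names, the temporary directory and both sample configurations are assumptions made here for illustration; only the global section of sshd_config is evaluated (Match blocks are ignored).

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config + PAM "sshd" stack for key + TOTP enforcement.
# Not the project's own code. All file contents below are constructed samples.
set -eu

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_opt FILE KEYWORD -> effective value. sshd uses the FIRST occurrence of a
# keyword; we stop at the first "Match" line because per-user overrides are
# out of scope for this check.
sshd_opt() {
  awk -v kw="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match"        { exit }
    tolower($1) == tolower(kw)    { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# pam_requires_google_auth FILE -> 0 if an active "auth" line loads pam_google_authenticator.so
pam_requires_google_auth() {
  awk '/^[[:space:]]*#/ { next }
       tolower($1) == "auth" && $0 ~ /pam_google_authenticator\.so/ { found = 1 }
       END { exit !found }' "$1"
}

# check_ssh_2fa SSHD_CONFIG PAM_SSHD -> 0 if key + TOTP is enforced, else 1 (reasons on stdout)
check_ssh_2fa() {
  local cfg="$1" pam="$2" ok=0 v alt
  v=$(lc "$(sshd_opt "$cfg" PubkeyAuthentication)")          # default: yes
  if [ "${v:-yes}" != yes ]; then echo "PubkeyAuthentication is '$v', need yes"; ok=1; fi
  v=$(lc "$(sshd_opt "$cfg" PasswordAuthentication)")        # default: yes, must be explicit no
  if [ "${v:-yes}" != no ]; then echo "PasswordAuthentication is '${v:-unset}', need no"; ok=1; fi
  v=$(lc "$(sshd_opt "$cfg" KbdInteractiveAuthentication)")  # newer name; fall back to the old one
  if [ -z "$v" ]; then v=$(lc "$(sshd_opt "$cfg" ChallengeResponseAuthentication)"); fi
  if [ "${v:-yes}" != yes ]; then echo "keyboard-interactive auth is '$v', need yes for the TOTP prompt"; ok=1; fi
  v=$(lc "$(sshd_opt "$cfg" UsePAM)")                         # default: no
  if [ "${v:-no}" != yes ]; then echo "UsePAM is '${v:-unset}', need yes"; ok=1; fi
  v=$(sshd_opt "$cfg" AuthenticationMethods)
  if [ -z "$v" ]; then
    echo "AuthenticationMethods unset: any single enabled method logs a user in"; ok=1
  else
    # Space-separated alternatives; EVERY alternative must chain both methods.
    for alt in $v; do
      case "$alt" in
        *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
        *) echo "AuthenticationMethods alternative '$alt' does not require both publickey and keyboard-interactive"; ok=1 ;;
      esac
    done
  fi
  if ! pam_requires_google_auth "$pam"; then
    echo "PAM sshd stack does not load pam_google_authenticator.so on an auth line"; ok=1
  fi
  return $ok
}

# write_samples DIR -> constructed weak and hardened configs (assumed names, not from any real host)
write_samples() {
  mkdir -p "$1"
  cat > "$1/sshd_config.weak" <<'EOF'
# Constructed sample: a password OR a key alone logs you in
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
  cat > "$1/pam_sshd.weak" <<'EOF'
# Constructed sample: no TOTP module in the stack
@include common-auth
account required pam_nologin.so
EOF
  cat > "$1/sshd_config.hardened" <<'EOF'
# Constructed sample: key AND TOTP required, passwords never accepted
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
  cat > "$1/pam_sshd.hardened" <<'EOF'
# Constructed sample: TOTP via pam_google_authenticator; common-auth is commented
# out so a Unix password cannot stand in for the second factor
# @include common-auth
auth required pam_google_authenticator.so
account required pam_nologin.so
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
for variant in weak hardened; do
  if check_ssh_2fa "$SAMPLE_DIR/sshd_config.$variant" "$SAMPLE_DIR/pam_sshd.$variant"; then
    echo "$variant: key + TOTP enforced"
  else
    echo "$variant: NOT enforced"
  fi
done
```

The combination that matters is `AuthenticationMethods publickey,keyboard-interactive` together with `PasswordAuthentication no` and `UsePAM yes`: sshd then demands the key first and answers the keyboard-interactive step through the PAM stack, which is why the script also confirms that `pam_google_authenticator.so` is actually loaded there. Leaving `AuthenticationMethods` unset is the usual mistake; the module is installed, but a key alone still logs in.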