Network security is vital everywhere, but given the sheer chaos that results when they are compromised, the data centre and server farms must be close to the top of the list in terms of the protection they require.
There are certain aspects of network design that are specific to server farm LAN design (see ‘Building a resilient server farm’). But once it’s built, how do you keep it safe?
There are several threats that you need to worry about. These range from unauthorised physical access to your comms room, to email-attached viruses, to the failure of a line card in a switch.
The latter you obviously cater for with good design and inbuilt redundancy. And in fact there’s no excuse not to deal with the others that way too.
Password control is an issue everywhere, but especially for the servers that hold your mission-critical data, and the network devices that provide access to them. How many people really need administrator (or any other) rights to the servers? Do you have AAA set up for access to your switches and routers?
Ideally, to allow central control for scalability and manageability you should use a RADIUS or TACACS server for device password control. If you have a Cisco-based network, typically it’ll be a TACACS setup — TACACS is actually more secure than RADIUS in that it encrypts the whole packet in an access-request transaction, whereas RADIUS only encrypts the password, leaving the username, for example, in clear text. RADIUS also uses UDP, while TACACS uses TCP. But then RADIUS is a completely open standard, whereas TACACS is a Cisco invention.
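As an added example (not from the original article), the following Cisco IOS fragment shows the kind of AAA setup the paragraph describes: logins to a switch or router are checked against a central TACACS+ server, with a local account held back purely as a fallback. The server address, account name and the secrets are assumed placeholders.

```cisco
! Added example, not from the original article: centralised device login via TACACS+
! with a local fallback account. Addresses, names and secrets are assumed placeholders.
aaa new-model
! TACACS+ server and the shared secret that protects the exchange (replace both)
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
! Local account used only when the TACACS+ server cannot be reached
username fallback-admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
! Authenticate logins against TACACS+ first; local database only if the server is down
aaa authentication login default group tacacs+ local
! Decide centrally who gets an exec shell and at what privilege level
aaa authorization exec default group tacacs+ local
! Record the start and end of every administrative session on the TACACS+ server
aaa accounting exec default start-stop group tacacs+
! Apply to the remote management lines and allow SSH only
line vty 0 4
 login authentication default
 transport input ssh
```

Note that the `local` method is only consulted when the TACACS+ server does not answer; a user the server rejects is not retried against the local database, so the fallback account does not weaken the central policy.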
If someone does get onto your network, they will often attempt a scanning operation in preparation for a full-blown attack. Identifying and stopping these scans will often deter any further malicious activity. Firewalls and properly set-up intrusion detection devices can quickly spot and terminate such attacks.
IP spoofing and Denial of Service attacks are determined efforts to break your network. As a minimum you should have access lists configured to prevent packets with RFC 1918 (private) source addresses from entering your network from outside. Unicast Reverse Path Forwarding (RPF) ensures that traffic entering your server farm LANs does so via the expected interfaces, which in turn reduces the chances of DoS attacks.
You can use Quality of Service features too to mitigate DoS attacks, using the likes of CAR (committed access rate) settings to limit the dreaded ‘ping of death’ effect on your servers.
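The three measures just described (an anti-spoofing access list, unicast RPF, and CAR on ping traffic) fit together on the same outside-facing interface. The Cisco IOS fragment below is an added example, not configuration from the original article; the interface name, addresses and rate values are assumed.

```cisco
! Added example, not from the original article: ingress filtering on the interface
! that faces the outside world. Interface name, addresses and rates are assumed values.
ip cef
! Drop anything arriving from outside that claims a private (RFC 1918) source address;
! such packets have no legitimate reason to appear on an external-facing interface.
ip access-list extended ANTISPOOF-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
! Classify ICMP echo (ping) traffic so it can be rate-limited rather than blocked outright
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
interface GigabitEthernet0/1
 description External-facing uplink
 ip access-group ANTISPOOF-IN in
 ! Strict unicast RPF: the source must be routable back out of this same interface,
 ! otherwise the packet is dropped. Use strict mode only where routing is symmetric.
 ip verify unicast source reachable-via rx
 ! CAR: allow 256 kbit/s of ping traffic (8 kB normal and maximum burst), drop the rest
 rate-limit input access-group 100 256000 8000 8000 conform-action transmit exceed-action drop
```

Unicast RPF depends on CEF being enabled, hence the `ip cef` line. Where traffic may legitimately leave by one path and return by another, `reachable-via any` (loose mode) still discards packets whose source has no route at all without dropping asymmetric but genuine traffic.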
You must keep viruses and worms off your servers. With the rise of Nimda, Slammer and the rest, the amount of downtime companies have suffered over the past twelve months due to server infections is worrisome. Yet the applications to prevent these are available. Host intrusion detection software is generally deemed too expensive or difficult to manage to deploy on all your PCs, but there’s no excuse for not rolling it out to your relatively small server population.
Like your general campus networks, the server farm is equally at risk from Layer 2 attacks, such as MAC flooding, ARP spoofing, and Spanning Tree vulnerabilities. But in a way it is easier to protect against some of these. With smaller numbers of end stations — and ones that don’t move about too much, hopefully — it’s more realistic to configure port security mechanisms that only allow a specific MAC address on a port, for instance, or to set static ARP entries. What you may lose in flexibility can be outweighed by the reduction in risk — and in any case, it is to be hoped that things don’t change as much in your server environment as in your normal desktop LANs, so the flexibility isn’t needed so much.
Make sure you set up your switches in a deterministic way as far as Spanning Tree root bridge placement goes, and configure security so that no other device on the network can — by accident or otherwise — take over that role.
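To show the Layer 2 controls from the last two paragraphs together (port security on server ports, a static ARP entry, a fixed Spanning Tree root, and guards against another device taking the root role), here is an added Cisco IOS example for a server-farm access switch. It is not configuration from the original article; the VLAN number, interface names, IP and MAC addresses are assumed values.

```cisco
! Added example, not from the original article: hardening a server-farm access switch.
! VLAN number, interface names, IP and MAC addresses are assumed placeholder values.
!
! Deterministic Spanning Tree: make this switch the root for the server VLAN by giving
! it the lowest bridge priority; configure the intended backup with 'root secondary'.
spanning-tree vlan 10 root primary
!
! Server-facing port: one fixed MAC address, and no STP participation expected from a host.
interface GigabitEthernet0/10
 description Server-A
 switchport mode access
 switchport access vlan 10
 ! Port security: learn the first MAC seen, keep it in the config ("sticky"), and
 ! shut the port if a different MAC ever appears (MAC flooding or a swapped device).
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Hosts do not send BPDUs; if one arrives here, something is pretending to be a switch.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink towards another switch: BPDUs are expected, but it must never become root.
interface GigabitEthernet0/1
 description Uplink-to-distribution
 switchport mode trunk
 spanning-tree guard root
!
! Static ARP entry for the server on the Layer 3 switch, so a spoofed ARP reply
! cannot overwrite the MAC used to reach it (address and MAC are placeholders).
arp 10.10.10.21 0011.2233.4455 arpa
```

A port shut down by a security violation stays err-disabled until cleared (or until `errdisable recovery` is configured), so pair these settings with monitoring: a violation on a server port is exactly the kind of event the paragraph above says you want to notice rather than silently tolerate.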