S 2.315 Planning the use of servers
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT, Administrator
A basic prerequisite for being able to safely operate a server is an appropriate degree of advance planning.
The use of a server can be planned in several steps according to the top-down design principle: based on a basic concept for the overall system, concrete plans for the subcomponents are specified in detailed subconcepts. Here, not only the aspects classically associated with the term "security" need to be planned, but also normal operating aspects that give rise to security requirements.
In the basic concept, the following typical questions should be addressed:
- What are the tasks the planned system is to fulfil? What services is the server to provide? Are there special requirements regarding the availability of the system or the confidentiality or integrity of the stored or processed data?
These specifications come from the overall planning and depend on the general objectives. The more precisely the general conditions are known and the more precisely the specifications are formulated, the easier the following planning steps become.
- Should the system use any specific hardware components? This may be important when selecting the operating system, for example.
- Which requirements for the hardware (CPU, internal memory, hard disk capacities, network capacity, etc.) result from the general requirements?
- Is the server used in a homogeneous or a heterogeneous network environment (operating systems, hardware)?
- Does the system replace an old, existing system? Are databases or hardware components to be taken over from the old system?
- Are further operating systems to be installed on the computer as a multiboot configuration?
The following subconcepts should be considered when planning the use of the server:
- Authentication and user administration: Which types of user administration and user authentication are to be used on the system? Are users only administered locally or is a central administration system to be used? Is the system to access a central, network-based authentication service or is only local authentication required? More information about the aforementioned can be found in S 4.133 Appropriate choice of authentication mechanisms.
- User and group concepts: Based on the organisation-wide user, rights, and roles concept, corresponding rules must be developed for the system (see also S 2.31 Documentation of authorised users and rights profiles and S 2.30 Provisions governing the configuration of users and of user groups).
- Administration: How is the system to be administered? Are all settings performed locally or is the server integrated into central administration and configuration management?
- Partition and file system layout: During the planning phase, an initial estimate of the required disk space should be made. For easier administration and maintenance, the operating system (system programs and configuration), application programs and their data (for example a database server and its databases), and where applicable user data should be separated from each other as far as possible. Different operating systems offer different mechanisms for this (separate partitions or drives under Windows, separate file systems under Unix). Often it also makes sense to store certain data on a separate hard disk or a separate disk system. Among other things, this makes it possible to keep the data on the other partitions without copying it after the system has been reinstalled or updated.
- If data with high protection requirements regarding confidentiality is stored on the server, it is strongly recommended to use encrypted file systems. It is not necessary to encrypt all file systems; it is often sufficient to encrypt the part of the file system on which the data is stored, and a suitably planned partition and file system layout makes this easier. If encryption of individual files and directories is chosen instead, the decision whether a file is stored encrypted or unencrypted should not be left to the users.
The planned division of the partitions and their sizes should be documented in the planning phase.
- Network services and network connection: Depending on the requirements regarding confidentiality, integrity, and availability of the data to be stored or processed on the server, the network connection of the server must be planned.
In general, it is recommended not to locate a server in the same IP subnet as the clients that are to access it. If the server is separated from the clients at least by a router, there are significantly better options for controlling access and for identifying anomalies in the network traffic that indicate possible problems.
- A server storing or processing data characterised by high protection requirements regarding confidentiality or integrity should be located in a separate IP subnet and separated from the rest of the network at least by a packet filter. In the event of very high protection requirements, an application level gateway should be used.
In the event of normal protection requirements, a server used only by clients from the internal network may, as an exception, also be located in the same subnet. However, if changes to the network structure are planned anyway, it is recommended to move the server to a separate subnet at that opportunity.
- Depending on the intended purpose of the computer, the server itself may also need to access certain other services in the network (for example web, file, database, print, DNS, or email servers). This must already be taken into consideration during planning so that no problems arise later, for example due to insufficient transmission capacity or security gateways in between that do not permit the connection.
- Along with the actual service the server is installed for, further services are required in order to use and administer the server efficiently. For example, secure access over the network (for example SSH, see also S 5.64 Secure Shell) is required for administration, or the files of a web site must be transferred to the web server over the network. If this communication passes over insecure networks, suitable secure protocols must be used. Furthermore, these services must only be accessible to authorised users and computers. This can be implemented by authentication (for example password entry), by a packet filter (see for example S 4.238 Use of local packet filters or module S 3.1 Security gateway (firewall)), or by other mechanisms. No service should be exposed to an insecure network such as the internet unless this is expressly planned.
- During the planning phase, an overview of the planned and required network services, as well as of the network connections required for them, should be drawn up. It is also important to decide already during the planning phase to what extent the system may depend on the network connection being operational.
- Tunnel or VPN: If it is already foreseeable during the planning phase that insecure networks must be used to access the system, suitable solutions should be examined in advance. For example, access may be performed using a VPN.
- Monitoring: In order to observe the availability and utilisation of the system and the services it offers, a monitoring system can be used. For this, a monitoring daemon is installed on another server and is supplied with the data to be monitored by an agent installed locally on the server. In addition, the activity of the offered network services can be monitored from external systems. In the event of problems, an administrator can be alerted automatically, for example.
- Logging: Logging the messages of the system and of the services used plays an important role, for example when troubleshooting and repairing malfunctions or when detecting and investigating attacks. In the planning phase, it should be decided which information is to be logged as a minimum and how long the logged data is to be retained. In addition, it must be specified whether the logged data is stored locally on the system or on a central log server in the network. It also makes sense to define already in the planning phase how and when the logged data is to be evaluated.
- High availability: If there are special requirements regarding the availability of the system and its services, it should already be considered during the planning phase how these requirements can be met (see also S 6.43 Use of redundant Windows servers).
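The network placement rules above (separate subnet, packet filter or application level gateway depending on the protection requirement) and the connection overview that the planning phase is to produce can be turned into a small planning check. The following Python script is an added example and not part of the IT-Grundschutz catalogue: the server name, addresses, subnets, service list and the nftables table and chain names are constructed for illustration, administration is assumed to use SSH, and the mapping from protection requirement to separation level is the one stated in this safeguard.

```python
"""Planning check for a server's network placement (added example, not
part of S 2.315). All addresses, subnets and services are constructed."""
import ipaddress
from dataclasses import dataclass, field

LEVELS = ("normal", "high", "very high")


@dataclass
class ServerPlan:
    name: str
    address: str           # planned server address
    client_net: str        # subnet of the clients that use the server
    admin_net: str         # subnet from which administrators connect
    confidentiality: str   # protection requirement: normal / high / very high
    integrity: str
    availability: str
    # services offered to the clients: (protocol, port, description)
    services: list = field(default_factory=list)
    # services the server itself needs: (protocol, host, port, description)
    upstream: list = field(default_factory=list)


def highest(*levels):
    """Return the highest of several protection requirement levels."""
    return max(levels, key=LEVELS.index)


def required_separation(plan):
    """Minimum separation from the rest of the network as stated in S 2.315."""
    level = highest(plan.confidentiality, plan.integrity)
    if level == "very high":
        return "separate subnet, application level gateway"
    if level == "high":
        return "separate subnet, packet filter"
    return "separate subnet (router); same subnet only as a documented exception"


def shares_subnet(plan):
    """True if the server address lies inside the clients' subnet."""
    return ipaddress.ip_address(plan.address) in ipaddress.ip_network(plan.client_net)


def placement_findings(plan):
    """Findings that have to be resolved before the plan is approved."""
    findings = []
    level = highest(plan.confidentiality, plan.integrity)
    if shares_subnet(plan):
        if level == "normal":
            findings.append(f"{plan.name}: same subnet as the clients is only "
                            "acceptable as a documented exception")
        else:
            findings.append(f"{plan.name}: {level} protection requirement, but "
                            f"{plan.address} lies in client subnet {plan.client_net}; "
                            f"required: {required_separation(plan)}")
    if not plan.services:
        findings.append(f"{plan.name}: no services planned, purpose unclear")
    return findings


def connection_overview(plan):
    """Overview of required connections: (direction, source, destination,
    protocol, port, description). Administration is assumed to use SSH."""
    rows = [("in", plan.client_net, plan.address, proto, port, desc)
            for proto, port, desc in plan.services]
    rows.append(("in", plan.admin_net, plan.address, "tcp", 22, "administration (SSH)"))
    rows += [("out", plan.address, host, proto, port, desc)
             for proto, host, port, desc in plan.upstream]
    return rows


def local_packet_filter_rules(plan, table="inet filter", chain="input"):
    """nftables commands for the server's local packet filter (S 4.238):
    accept only the planned inbound connections. Assumes the table and
    chain already exist with 'policy drop', so everything else is dropped."""
    rules = [f"nft add rule {table} {chain} ct state established,related accept"]
    for direction, src, dst, proto, port, desc in connection_overview(plan):
        if direction == "in":
            rules.append(f"nft add rule {table} {chain} ip saddr {src} "
                         f"{proto} dport {port} ct state new accept "
                         f"comment \"{desc}\"")
    return rules


# Constructed plan: a database server that was placed in the client subnet.
EXAMPLE = ServerPlan(
    name="db01", address="10.20.5.10", client_net="10.20.5.0/24",
    admin_net="10.20.250.0/28",
    confidentiality="high", integrity="high", availability="normal",
    services=[("tcp", 5432, "PostgreSQL for the application servers")],
    upstream=[("udp", "10.20.1.53", 53, "DNS"),
              ("tcp", "10.20.1.20", 6514, "central log server (syslog over TLS)")],
)

if __name__ == "__main__":
    print("Required separation:", required_separation(EXAMPLE))
    for finding in placement_findings(EXAMPLE) or ["no findings"]:
        print("Finding:", finding)
    for row in connection_overview(EXAMPLE):
        print("Connection:", *row)
    for rule in local_packet_filter_rules(EXAMPLE):
        print(rule)
```

Run on the constructed plan, the check reports that db01 sits in the client subnet despite a high confidentiality requirement and names the required separation; once the server is given an address in its own subnet the finding disappears, and the generated rule list is the documented starting point for the local packet filter and for the intermediate security gateway.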
All decisions made in the planning phase must be documented in such a way that they can be understood at a later point in time. Bear in mind that this information will usually have to be evaluated by persons other than the author, so it must be appropriately organised and easy to understand.
Review questions:
- Is the use of a server generally planned in advance according to the top-down design principle?
- Does a basic concept take into consideration all requirements regarding services, IT security goals, tasks, and functionalities?