S 4.97 One service per server
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Many weaknesses in IT systems cannot be exploited by an attacker in isolation; often it is only the combination of several weaknesses that allows a computer to be compromised. Depending on the threat situation and the protection requirements of the services, it may therefore be appropriate to operate only one service per computer. This applies above all to servers that also offer services to the internet or other third-party networks.
For example, the level of security may be increased by operating both the web server and the email server on independent, dedicated computers designed as minimal systems (see also S 4.95 Minimal operating system).
Furthermore, individual servers also differ in their protection requirements. A successful break-in to a web server may be very annoying, particularly if the attacker defaces the externally visible websites, but it normally does not give the attacker access to confidential information. If the same computer is also the email server, however, the attacker can read the entire email correspondence, which can have far more serious consequences.
The separation can be taken further by distributing the different tasks of a single service across several computers. For example, there could be an email server A that accepts emails from the internet and forwards them to the internal network, and a second email server B that accepts emails from the internal network and forwards them to the internet. Because connections from the internet can only be established to email server A, an attacker can only attack this server directly. Email server A is not permitted to send any emails to the internet, so this computer cannot be misused for email spamming even if it is compromised.
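The inbound/outbound split described above, written out as a configuration example for Postfix. This is an added illustration, not part of the catalogue entry; the host names, the domain example.com, the internal address range 10.0.0.0/8 and the interface address of server B are assumptions.

```ini
# --- Email server A: inbound relay in the DMZ (assumed host mx-in.example.com) ---
myhostname = mx-in.example.com
inet_interfaces = all
# Nothing is delivered locally on this host.
mydestination =
# Only loopback is trusted; no client may relay through this host.
mynetworks = 127.0.0.0/8 [::1]/128
# Accept mail from anywhere, but only for the internal domain (assumed) ...
relay_domains = example.com
# ... and hand it to the internal mail system (assumed host name).
relay_transport = smtp:[mail.internal.example.com]
# Reject relaying to any other destination at SMTP time, so A never has to
# generate bounces to external senders. Listing valid recipients in
# relay_recipient_maps additionally rejects unknown internal addresses here.
smtpd_recipient_restrictions = reject_unauth_destination
# Any remaining non-relay mail (e.g. locally generated) hits an error
# transport: this host cannot send to the internet at all.
default_transport = error:outbound delivery is not permitted on this relay

# --- Email server B: outbound relay (assumed host mx-out.example.com) ---
myhostname = mx-out.example.com
# Listen only on loopback and the internal interface (assumed address 10.0.0.13);
# the internet-facing side is not reachable.
inet_interfaces = 127.0.0.1, 10.0.0.13
mydestination =
# The internal network (assumed range) is the only source of mail this host accepts.
mynetworks = 127.0.0.0/8 10.0.0.0/8
relay_domains =
# Clients outside mynetworks are rejected outright; B receives no mail from the internet.
smtpd_recipient_restrictions = permit_mynetworks, reject
# No relayhost: deliver directly to the recipients' MX hosts on the internet.
relayhost =
```

With this split the upstream packet filter needs only two mail rules: internet to A on port 25, and B to the internet on port 25. A's only permitted outbound connection is to the internal mail system, so even a fully compromised A has no path for sending spam or exfiltrating mail to the internet.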
Distributing different services to different computers provides the following advantages, amongst others:
- easier configuration of the individual computers
- simpler and more secure configuration of an upstream packet filter
- increased resistance against attacks
- increased resilience against failures, since the outage of one computer affects only one service
With the help of appropriate central system management, the additional administration efforts caused by the higher number of computers can be limited.
Virtualisation
For security-critical services, only one service should be operated per virtual IT system, just as for physical systems. A virtual IT system is not itself a "service" of the virtualisation server in this sense, so several virtual IT systems can be operated on one virtualisation server. Depending on the virtualisation technology the virtualisation server is based on (server virtualisation or operating system virtualisation), the variety of services that may be provided by the virtual IT systems on that server can be restricted, however. Whether the virtualisation product in use is suitable for providing different services in virtual IT systems on one virtualisation server must be checked for the specific product. The criteria for this include the degree of isolation and encapsulation of the IT systems on the virtualisation server (see S 3.72 Basic terminology of virtualisation technology): the more strongly the virtual IT systems are isolated from one another, the better suited the product is to operating different services in different virtual IT systems. The following basic principles can be used for an initial assessment:
- On virtualisation servers with an operating system virtualisation solution, where the virtual IT systems share the kernel of the virtualisation server, as a rule only virtual IT systems with the same function should be provided. For example, such a virtualisation server should host only web servers or only email servers, but not a mixture of the two groups. For some operating system virtualisation products the isolation between the virtual IT systems is strong enough to deviate from this rule, however.
- On virtualisation servers with a server virtualisation solution, where each virtual IT system runs its own operating system kernel on a hypervisor, it is generally acceptable to operate virtual IT systems with different services. A web server and an email server can therefore be provided jointly on one virtualisation server, each in its own virtual IT system.
On the virtualisation server itself, no services other than the virtualisation software and its related services (e.g. the administration service for the virtualisation) should be operated.
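A check that covers both rules above (one network-exposed service per server, and nothing but the virtualisation management service on a virtualisation server), as an added example that is not part of the catalogue entry. It parses listening-socket listings in the format of `ss -H -l -n -t -p` on Linux; the sample listings, the host names, the role table and the assumptions that sshd counts as administrative access rather than a service and that libvirtd is the virtualisation management daemon are all constructed for the example.

```python
"""Audit hosts against S 4.97 from `ss -H -l -n -t -p` style listings.

Added example (not catalogue code). Assumptions are marked below.
"""
import re

# Constructed sample listings, one per host (not real captured data).
SAMPLE_SS_OUTPUT = {
    "web1": """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=7))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("php-fpm",pid=901,fd=9))
LISTEN 0 128 10.0.0.11:22 0.0.0.0:* users:(("sshd",pid=410,fd=3))
""",
    "mail-a": """\
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=650,fd=13))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=700,fd=6))
LISTEN 0 128 10.0.0.12:22 0.0.0.0:* users:(("sshd",pid=410,fd=3))
""",
    "hv1": """\
LISTEN 0 128 10.0.0.20:22 0.0.0.0:* users:(("sshd",pid=410,fd=3))
LISTEN 0 128 10.0.0.20:16509 0.0.0.0:* users:(("libvirtd",pid=520,fd=10))
LISTEN 0 128 10.0.0.20:3306 0.0.0.0:* users:(("mysqld",pid=880,fd=21))
""",
}

# Assumptions of this example:
#  - sshd is administrative access, not a "service" in the sense of S 4.97
#  - sockets bound to loopback belong to the local service stack (e.g. php-fpm
#    behind nginx) and are not counted as separate network services
#  - on a host with role "hypervisor", only the virtualisation management
#    daemon (here assumed to be libvirtd) may listen on the network
MANAGEMENT_PROCESSES = {"sshd"}
ROLE_ALLOWED_SERVICES = {"hypervisor": {"libvirtd"}}
SAMPLE_ROLES = {"hv1": "hypervisor"}

# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=..,fd=..))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Yield (address, port, process name) for each listening TCP socket line."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("addr"), int(m.group("port")), m.group("proc")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1 (with or without IPv6 brackets)."""
    return addr.startswith("127.") or addr.strip("[]") == "::1"


def exposed_services(ss_output):
    """Distinct service processes reachable from the network on this host."""
    return {
        proc for addr, _port, proc in parse_listeners(ss_output)
        if not is_loopback(addr) and proc not in MANAGEMENT_PROCESSES
    }


def audit_hosts(hosts, roles=None):
    """Return {host: finding}; finding is None when the host complies.

    hosts: {host name: ss output}; roles: {host name: role} for hosts whose
    allowed services are fixed by role (e.g. virtualisation servers).
    """
    roles = roles or {}
    findings = {}
    for host, output in hosts.items():
        services = exposed_services(output)
        role = roles.get(host)
        if role in ROLE_ALLOWED_SERVICES:
            extra = services - ROLE_ALLOWED_SERVICES[role]
            findings[host] = (
                f"{role} host exposes additional service(s): {sorted(extra)}"
                if extra else None
            )
        elif len(services) > 1:
            findings[host] = f"more than one service exposed: {sorted(services)}"
        else:
            findings[host] = None
    return findings


if __name__ == "__main__":
    for host, finding in audit_hosts(SAMPLE_SS_OUTPUT, SAMPLE_ROLES).items():
        print(f"{host}: {finding or 'OK'}")
```

In the sample, web1 passes (nginx is the only network-exposed service; php-fpm listens on loopback only), mail-a is flagged because Postfix (listener process `master`) and nginx are both exposed, and hv1 is flagged because mysqld listens beside libvirtd. In practice the listings come from the hosts themselves or from central system management, and the role table is the inventory the administrator already maintains.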
Review questions:
- Is it ensured that only one service is offered per server?