19

A couple of our servers have Oracle maintenance licenses. Our hardware vendor asked whether there was an internet connection in the server room. Our policy is that all machines in that room are isolated from the internet for security reasons. But the maintenance guy asked, "Then how are we going to be able to do maintenance work on your servers?"

My question is: do our servers need an internet connection in order for the maintenance to be carried out, like a license verification system? Or can he do it offline? Isn't it a risk in itself if there was an internet connection to our production server?

Ludwi

10 Answers

12

Your servers are connected to a network which has other devices with Internet access. Correct? I'm sure others will disagree but I believe the security afforded by not allowing those servers direct Internet access is more illusory than anything else.

John Gardeniers
  • 7
    +1 - Unless there's actually an air-gap between the "core" and the rest of the network (which would seem to defeat the purpose of having a network in the first place) the "core" *is* "connected to the Internet". Such a connection should be arbitrated by firewalls, access lists, etc, but it *IS* "connected to the Internet". Having said that, the real discussion here needs to be about arbitrating access to those servers and the mechanisms used and rules-of-thumb associated with configuring those mechanisms. – Evan Anderson Aug 24 '09 at 14:35
  • Nice answer :-) – M.N Aug 24 '09 at 15:26
  • 3
    The company is paranoid about security. As a matter of fact, there is an actual physical gap between the core network and the rest of the office. Machines in the core network are ridiculously disconnected from the internet. Some people even have 2 computers on their desks; 1 for regular use, the other with a connection to the core system. – Ludwi Aug 25 '09 at 01:42
9

You would generally need to download patches from the internet then apply them to the server. However it is reasonable to have an intermediate step of copying the patches to an intermediate location (even a DVD) to go between the internet and the database servers.

If they just want a separate machine in the server room that can connect to the internet (eg for reading patch notes), that's another option.

Finally, there's a difference between having a browser running on the server that can connect to the internet and having the server actually accessible as a server from the internet.

It all depends on how secure you want/need to be.

Gary
3

You can always use iptables to configure exact source/destination IP:Port pairs that you wish to keep open.

That way, even when the server is exposed over the WAN, you may ensure that only trusted IPs + correct credentials will gain access to it.

Moreover you can use a private-public ssh key pair as well, which can be shared only amongst the two of you.

M.N
3

We do a lot of maintenance on customers' servers that have no access to the internet. We have to take all of the updates/patches/software we need for that visit on CD / USB stick. (Allowing 3rd parties to bring in USB sticks/CDs is a security risk in its own right.)

Simon Hodgson
  • Noted! This is why we do offline scans of the 3rd party media before we allow them to be plugged into the core environment. – Ludwi Aug 25 '09 at 01:53
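
An integrity gate for the offline route described in Gary's and Simon Hodgson's answers, added here as an example and not taken from any answer or from Oracle's tooling. It assumes a SHA-256 list in `sha256sum` format was obtained over a separate trusted channel; the function name and file layout are hypothetical.

```shell
#!/bin/sh
# Added example: gate removable media before it reaches the isolated network.
# Assumption: the expected SHA-256 list (sha256sum format) was obtained over a
# separate, trusted channel, not from the media being checked.

# verify_media MANIFEST MEDIA_DIR
# Prints one line per problem; returns 0 only if every listed file is present
# with a matching hash AND the media carries no file the manifest omits.
verify_media() {
    manifest="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    media="$2"
    problems="$(
        cd "$media" || { echo "ERROR cannot read $media"; exit; }
        # Listed files: missing or altered ones are reported as FAILED.
        sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true
        # Unlisted files: anything extra on the stick or disc is rejected too.
        find . -type f | sed 's|^\./||' | while IFS= read -r f; do
            # In sha256sum format the file name starts at column 67.
            awk -v f="$f" 'substr($0, 67) == f { hit = 1 } END { exit !hit }' \
                "$manifest" || echo "$f: UNLISTED"
        done
    )"
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

# Stand-alone use: ./verify_media.sh manifest.sha256 /mnt/media
if [ "$#" -eq 2 ]; then
    verify_media "$1" "$2"
fi
```

This complements a malware scan of the media rather than replacing it: the hash check shows the files are the ones the vendor published, not that they are benign.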
2

All your servers should be either in a DMZ or at least behind a firewall. Just about any firewall can be configured to allow outgoing connections from any of these servers (so that they can check for and download security patches and other updates on their own). And then it's up to your system admins to configure the firewall such that a few, very specific ingoing connections are allowed. If they are only needed for occasional maintenance, they can be disabled once the maintenance is finished.

We use linux gateways for this job, with iptables for the firewall. However, your standard hardware firewalls will do exactly the same.

wolfgangsz
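
The iptables approach from M.N's and wolfgangsz's answers, sketched as an added example that is not part of either answer: a default-DROP ruleset with outbound access only to listed IP:port pairs, and inbound SSH from one vendor address only while maintenance is in progress. All addresses are constructed documentation values and the function name is hypothetical.

```shell
#!/bin/sh
# Added example. Addresses are constructed (RFC 5737 documentation ranges).
VENDOR_SRC="198.51.100.10"                      # assumed vendor maintenance host
PATCH_DSTS="203.0.113.20:443 203.0.113.21:443"  # assumed patch mirrors, IP:port

# gen_rules MODE -> prints a ruleset in iptables-restore format.
#   normal       no inbound access at all, outbound only to PATCH_DSTS
#   maintenance  additionally allows SSH in from VENDOR_SRC only
gen_rules() {
    mode="$1"
    echo "*filter"
    # Default policy is DROP on every chain; everything below is an exception.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Replies to connections that were allowed when they were opened.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Outbound: exact destination IP:port pairs, nothing else.
    for pair in $PATCH_DSTS; do
        ip="${pair%:*}"; port="${pair#*:}"
        echo "-A OUTPUT -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Inbound: opened only for the maintenance window, one source address.
    if [ "$mode" = "maintenance" ]; then
        echo "-A INPUT -p tcp -s $VENDOR_SRC --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Log whatever falls through to the DROP policy so attempts are visible.
    echo "-A INPUT -j LOG --log-prefix \"core-in-drop: \""
    echo "-A OUTPUT -j LOG --log-prefix \"core-out-drop: \""
    echo "COMMIT"
}

# Stand-alone use: ./gen_rules.sh maintenance | iptables-restore --test
gen_rules "${1:-normal}"
```

Reloading the `normal` ruleset once the visit is over closes the inbound rule again, which is the "disabled once the maintenance is finished" step from the answer above.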
2

The question is - Is there a risk in allowing production servers to have HTTP/S connections outbound to the Internet? The short answer is NO. The longer answer is that the security risk is so minimal that it outweighs the cost (in terms of time) to manage those servers.

Consider the risks of allowing access:

  1. An administrator downloads malicious software from the Internet on to the server
  2. A compromised server downloads additional virus code or uploads confidential information to the Internet

The first point is mitigated by restricting Internet access to known sites, and ideally not allowing web browsing at all. Additionally, there is a certain trust in your administrators to not act in a malicious manner.

On the second point, considering that the server was already compromised in some fashion, whether or not Internet access is available is a moot point. The attacker has already found a way to get code on to your systems which means they can get additional code to that system or retrieve data from it.

Obviously, this may all depend on specific circumstances (like meeting certain customer or regulatory requirements).

Doug Luxem
0

What type of connection do those servers need?

If it is only an HTTP connection to the Oracle website, why don't you make them use web proxies?

Benoit
0

VPN access is your best bet!

Antoine Benkemoun
0

Answer #1 is the best in theory terms - a network's security level is equal to the security level of the weakest computer connected to that network.

A hands-on approach would be, in my point of view:

  • internal network split in dot1q subnets
  • linux gateway --> all traffic between subnets passes through it and it can be controlled easily (and actually is, with access to core servers only for needed application ports and clients)
  • outside connection made only via encrypted vpn (pptp with mschap or openvpn)
  • core servers have access to the internet only on a "need to" basis (maintenance, download upgrades, etc) - also access to them is controlled via the gateway - with a DROP policy

quaie
-4

Even if you allow an internet connection for some of the servers, let them use OpenDNS as their DNS server.

adopilot
  • 2
    WTF? How is this at all relevant? – ceejayoz Aug 24 '09 at 14:12
  • @ceejayoz according to this http://serverfault.com/questions/6569/conficker-should-steps-taken-in-group-policy-to-secure-against-virus-remain/18955#18955 – adopilot Aug 24 '09 at 21:17
  • Shouldn't they use the internal DNS servers, which might in turn use OpenDNS servers? That way you don't have to assign all connections between your core servers with IP addresses, and can use DNS names instead. – MrTimpi Aug 25 '09 at 10:33
  • Yes, if they have internal DNS – adopilot Aug 25 '09 at 12:53