Guide to Operating System Security
Download
Report
Transcript Guide to Operating System Security
Guide to Operating
System Security
Chapter 11
Security through Disaster
Recovery
Objectives
Deploy UPS systems
Create hardware redundancy and apply faulttolerance options
Deploy RAID
Back up data and operating system files
Guide to Operating System Security
2
Uninterruptible Power Supply
Best fault-tolerance method to prevent power
problems from causing data loss and
component damage
Provides immediate battery power to
equipment during unexpected power loss
Protects against lost data and downtime
Guide to Operating System Security
3
Uninterruptible Power Supply
Guide to Operating System Security
4
Selecting and Deploying a UPS
(Continued)
Online (inline)
Powered directly from batteries
More guaranteed protection
Offline (standby)
Switches to batteries when reduction in city power
is detected
Less expensive
Batteries can last longer, but may not switch to
battery in time for full protection
Guide to Operating System Security
5
Selecting and Deploying a UPS
(Continued)
Provides power for limited time period
Usually guards against power surges
Can communicate information to computers it
supports
Requires periodic testing to ensure it is
working
Guide to Operating System Security
6
Configuring a UPS in
Windows 2000/XP/2003
All support serial and USB communications
with a UPS
Guide to Operating System Security
7
Configuring a UPS in
Red Hat Linux
Supported by Red Hat Linux 9.x
Obtain UPS serial or USB communications
software from manufacturer
Use configuration software provided by UPS
manufacturer
Guide to Operating System Security
8
Configuring a UPS in
NetWare 6.x
Communicates through serial port connection
and employment of AIOCOMX and UPS_AIO
NLMs
Guide to Operating System Security
9
UPS_AIO Configuration Options
(Continued)
Option
Description
msgdelay=seconds
Configured in seconds, time to wait until a message
is sent to all users that power is out (default - 5
seconds)
msginterval=seconds
Configured in seconds, interval between multiple
warning messages sent to all users (default - 30
seconds; minimum interval - 20 seconds)
path
Location of UPS_AIO NLM if it is not in the
SYS:SYSTEM directory
downtime=seconds
Configured in seconds, amount of time to wait on
battery power (while main power is out) until
automatically shutting down
port=portnumber
Number of the port to which UPS is attached, such
as serial port 1(port=1)
Guide to Operating System Security
10
UPS_AIO Configuration Options
(Continued)
Option
Description
signal_high
Specifies that signal sent from UPS is a high signaling
value (most UPSs employ a low signal; this option is not
typically used; consult UPS manual)
drivertype=value
Driver loaded to enable UPS communications (AIOCOMX is
1; check documentation for the value associated with a
specialized driver accompanying UPS)
board=value
Value used with a specialized communications board
provided with UPS (consult UPS documentation)
?
Displays brief description of options used with UPS_AIO
NLM (options are not displayed in the graphic—GUI—
mode; press Alt+Esc after entering the command to see
description; press Alt+Esc repeatedly; click forward arrow to
return to graphic mode)
Guide to Operating System Security
11
Configuring a UPS in
Mac OS X
Obtain UPS serial or USB communications
software from manufacturer
Guide to Operating System Security
12
Creating Hardware Redundancy
and Fault Tolerance
Hardware redundancy includes
Using redundant components
Employing multiprocessor systems
Clustering services
Placing servers in different locations
Implementing data warehousing
Guide to Operating System Security
13
Using Redundant Components
Network interface cards (NICs)
Power supplies
Guide to Operating System Security
14
Using Redundant NICs
Designed to match particular network transport
methods, computer bus types, network media
Network connection requirements:
Appropriate connector for network medium
Transceiver
MAC controller
Protocol control firmware
Guide to Operating System Security
15
Considerations When Using
Redundant NICs
Fast speed (up to 100 Mbps for a workstation)
Match network transport method
Support both full-duplex and half-duplex
transmissions
Brand-name, high-quality NICs
Latest driver and protocol control firmware
Guide to Operating System Security
16
Using Redundant Power
Supplies
Can take over if main power supply fails
Consider for the following:
SMTP mail servers
Servers that authenticate users to a network
Web servers
Database servers
Guide to Operating System Security
17
Employing Multiprocessor
Systems
Symmetric multiprocessor (SMP) computers
Two or more computers share the processing load
If one stops working, remaining processors take
over
Make sure you understand the specific
requirements for adding CPUs to your OS
Guide to Operating System Security
18
Clustering Servers
Links multiple computers and their resources
Two models
Shared disk model
Shared nothing model
Guide to Operating System Security
19
Clustering Servers
Guide to Operating System Security
20
Shared Nothing Clustering
Model
Main connection
Backup connection is case of server failure
Main connection
Figure 11-3 Shared nothing clustering model
Guide to Operating System Security
21
Placing Servers in Different
Locations
Microsoft distributed file system (DFS)
Available in Windows 2000 Server/Server 2003
Provides fault tolerance by placing copies of the
same folders on computers in different locations
•
Folders appear to exist in one centralized hierarchy of
folders
Has many advantages
Guide to Operating System Security
22
Implementing Data
Warehousing
Duplicating a main database’s data, typically
on another computer
Often created for queries and reporting and to
provide backup of the main database
Guide to Operating System Security
23
Fault-Tolerance Options
Disk mirroring
Disk duplexing
Redundant array of inexpensive (or
independent) disks (RAID)
Guide to Operating System Security
24
Disk Mirroring
Guide to Operating System Security
25
Disk Duplexing
Guide to Operating System Security
26
Using RAID
Set of standards for lengthening disk life and
preventing data loss
Goal: to spread disk activity equally across all
volumes
Guide to Operating System Security
27
Essential RAID levels
RAID level 0 (striping)
RAID level 1 (mirroring and duplexing)
RAID level 2
RAID level 3
RAID level 4
RAID level 5 (striping combined with error
correction and checksum verification)
Guide to Operating System Security
28
RAID Support in Windows 2000
Server/Server 2003
Support only RAID levels 0, 1, and 5 for disk
fault tolerance
Levels 1 and 5 recommended
Recognize two types of disks
Basic
Dynamic
Guide to Operating System Security
29
RAID Support in Windows 2000
Server/Server 2003 (Continued)
Configuration considerations
Boot and system files can be placed on RAID level
1, but not on RAID level 5
RAID level 1 uses two hard disks; RAID level 5
uses from 3 to 32
RAID level 1 is more expensive to implement than
RAID level 5
Guide to Operating System Security
30
RAID Support in Windows 2000
Server/Server 2003 (Continued)
Configuration considerations
RAID level 5 requires more memory than RAID
level 1
Disk read access is faster than write access in
RAID level 1 and RAID level 5
RAID level 5 has much faster read access than
RAID level 1
Guide to Operating System Security
31
Creating a RAID Volume in
Windows 2000 Server/Server 2003
Guide to Operating System Security
32
RAID Support in
Red Hat Linux 9.x
Supports RAID levels 0, 1, and 5
Configured at installation when using GUI
installation mode
First install all disks and associated hardware
Plan for the number of spare partitions
Choose Disk Druid from Disk Partitioning
Setup screen
Guide to Operating System Security
33
RAID Support in NetWare 6.x
Supports RAID levels 0, 1, and 5
Can manage RAID using Novell Storage
Services (NSS) tools from ConsoleOne
NetWare 6.5 offers iManage, a browser tool
for managing objects
Guide to Operating System Security
34
RAID Support in Mac OS X
Supports RAID levels 0 (striping) and 1
(mirroring)
Apple recommends not placing boot files on
RAID disks
Guide to Operating System Security
35
Software RAID versus
Hardware RAID
Software RAID
Implements fault tolerance through computer’s
operating system
Hardware RAID
Implemented through RAID hardware (eg,
adapter)
Independent of operating system
More expensive than software RAID
Guide to Operating System Security
36
Advantages of Hardware RAID
Faster read and write response
Ability to place boot and system files on
different RAID levels
Ability to “hot swap” a failed disk with one
that works or is new
More setup options to retrieve damaged data
and to combine different RAID levels within
one array of disks
Guide to Operating System Security
37
Backing Up Data
Binary backup
Full file-by-file backup
Partial backups
Differential
Incremental
Guide to Operating System Security
38
Advantages of Local Backups
over Remote Backups
No extra load on network
Enable backups on multiple computer network
Provide more assurance that the Registry is
backed up (Windows 2000/XP/2003)
Attacker using a sniffer cannot intercept
backup traffic over a network
Guide to Operating System Security
39
Tape Rotation
Ensures alternatives in case there is a bad or
worn tape
Tower of Hanoi procedure
Guide to Operating System Security
40
Tape Rotation
Guide to Operating System Security
41
Windows 2000/XP/2003
Backups
Normal
Incremental
Differential
Copy
Daily
Guide to Operating System Security
42
Backup Options
Guide to Operating System Security
43
UNIX and Red Hat Linux
Backup Tools
volcopy (not available in Red Hat Linux)
Sometimes used with labelit utility
Sometimes tar utility is used
dump
Commands used to restore
•
•
•
restore (Red Hat Linux)
ufsrestore
restor
Guide to Operating System Security
44
NetWare 6.x Backup Options
Uses Storage Management System (SMS)
NLMs are loaded at Server Console prior to
starting backup – TSAs designed to read and
back up specific types of data
Guide to Operating System Security
45
Target Service Agents (TSAs)
TSA600 for NetWare 6.x
TSANDS to back up NDS database and
eDirectory
GWTSA for GroupWise information
Windows NT TSA to back up Windows NT,
2000, and XP data
W95TSA to back up Windows 95/98 data
Guide to Operating System Security
46
Starting a backup in Netware 6.0
Guide to Operating System Security
47
Choosing What to Backup in
Netware 6.0
Guide to Operating System Security
48
NetWare 6.x Backup Options
Guide to Operating System Security
49
Mac OS X
Supports use of dump and tar
From the terminal window, or
Obtain a third-party utility that uses these utilities
for backup
Can also use Copy utility on Edit menu
Guide to Operating System Security
50
Summary (Continued)
Using disaster recovery techniques to:
Secure operating systems
Prevent data loss
Reduce downtime
Selecting and deploying a UPS to prevent
power interruptions
Guide to Operating System Security
51
Summary (Continued)
Using redundant hardware components and
implementing RAID for secure data storage
Backing up data and operating system files to
minimize loss in the event of computer failure
Guide to Operating System Security
52