
NonStop security hardening overview
Wendy Bartlett, HPE

17 November 2015
Agenda
Planning
Execution
Monitoring
Planning

Getting started

Decide what you want to accomplish


Think about risk management, not just compliance
Keeping your auditors happy shouldn't be the end goal
Establish requirements
Gather information sources
Develop a security hardening implementation approach
Evaluate your policies / practices and system configuration
Identify gaps
Prioritize: you're unlikely to want or be able to implement everything at one time
Build a detailed plan

Getting started
Information sources
Internal
Corporate/departmental policies and practices
Current configurations
Reports from your auditors, including vulnerability scan issues
External
Existing and upcoming regulations and guidance (PCI DSS, NIST cipher suite deprecation timetables, ...)
Web security articles from trusted sources
From HPE and partners
NonStop hardening guide (in the manuals collection)
Appropriate product manuals
Security compliance and monitoring products (e.g., XYGATE Compliance Pro)
White papers
Other sources: XYPRO books, ...

Phased hardening approach example
User and access control
Level 0: Guardian security vectors, OSS file/directory permissions
Level 1: Basic Safeguard configuration including user management, required security administration groups, coarse-grained Safeguard and OSS Access Control Lists (ACLs)
Level 2: Safeguard granular OBJECTTYPE controls, more granular ACLs, enhanced user management (XUA or partner product)
Level 3: Access management (XAC or partner product)
Level 4: Partner authorization (Guardian and OSS) SEEP, partner password quality SEEP

Phased hardening approach example
Data protection
Data in Motion
Level 1: SSH/SFTP, SSL/TLS, IPSec [firewalls, other controls?]
Data at Rest
Level 1: selective CLEARONPURGE, disk sanitization, tape encryption
Level 2: disk volume-level encryption
Level 3: Application or intercept-based field-level encryption or tokenization

Phased hardening approach example
Audit, monitoring and compliance
Level 1: XYGATE Merged Audit (XMA) with local basic reporting
Level 2: XYGATE Compliance PRO (XSW) basic monitoring, XMA export to enterprise Security Incident Event Management (SIEM) and/or customization
Level 3: XSW customization

Execution

Initial hardening for new systems
And maybe for existing systems
Configure Safeguard's settings to conform with your policies, including appropriate audit
Add users as needed
Establish and populate Safeguard security management groups
Change default passwords
Populate product-level security management groups as needed, e.g. Software Essentials or DSM/SCM and SQL/MX
License or set PRIV LOGON for program files where needed
Identify and appropriately secure remote access points
Set up xxxxLOCL files (TACLLOCL etc.)

If present, configure:
XYGATE User Authentication
XYGATE Access Control
XYGATE Compliance PRO

Initial hardening for new systems
And maybe for existing systems
Consider changing default passwords for underlying system components:
CLIM: root
CLIM: user
NSC: Administrator
Integrated Lights Out (iLO): Admin
Onboard Administrator (OA): Administrator

Caution: If you do change these passwords, ensure that you have a reliable process for communicating them to your HPE service providers when needed

Initial system hardening
DSM/SCM and NonStop Software Essentials
Assign appropriate users to the planner, operator and database administrator roles
Configure whether Safeguard is required to be running whenever DSM/SCM places files (yes)
Configure ownership and security for new files
Replacement files assume the existing files' security attributes
Check the notes in the hardening guide for additional considerations

Initial system hardening
SQL/MX (3.1 and later releases)
SQL/MX security administrators are a class of users that can administer database object security without being explicitly GRANTED access to the objects (WITH GRANT OPTION).
Initially, the set of security administrators is empty.
SUPER.SUPER is required to designate an initial security administrator.
GRANT/REVOKE SECURITY_ADMIN
When the set of security administrators is nonempty, only a security administrator may designate additional security administrators.
Unless explicitly designated as a security administrator, SUPER.SUPER loses super GRANT/REVOKE privileges if the set of security administrators is nonempty.

Initial system hardening
License or set PRIV LOGON for program files where needed
HPE products
Partner products
Applications

Initial system hardening
Identify and appropriately secure remote access points
TCP/IP
Use iptables / ip6tables in IP CLIMs to close unneeded ports
SSH / SFTP
iTP WebServer

User configuration

User management
What is your model and how will you implement it?
User and group types
SUPER.SUPER
Other functional users
Other SUPER group users (SUPER.notsuper)
Administrative group managers
Individual users
User aliases
Administrative groups
Security groups
File-sharing groups

User management lifecycle


Creation
Password management
Authentication options
Deletion

Authentication
What do your corporate policies require?
Appropriate method(s):
Safeguard (local password)
Multi-factor
LDAP or other enterprise integration
Single sign-on
Safeguard vs. subsystem users (iTP WebServer, SSH)
Application-level users

Data protection
Access control
Data in transit
Data at rest

Access control
Who can do what?
Guardian security
Safeguard ACLs
OSS permissions
OSS ACLs
Additional controls (XYGATE Access Control or partner SEEP)
Subsystem-level configuration (SSH, SSL, ...)

Data in transit
How do you protect it?
SSH / SFTP
SSL / TLS
IPSec (CLIM)

Routine encryption/tokenization of sensitive data

Data at rest
How do you protect it?
Application-level tokenization or encryption
Built in
Transparent
Media encryption
Disk
Virtual tape
Physical tape

Remote system access
TCP/IP

TCP/IP
Service configuration
Do not run unneeded services, e.g. echo, finger, Telnet and FTP
If a service is needed and there is a choice between less-secure versions and more-secure versions (e.g., iTP WebServer and iTP Secure WebServer, inetd and xinetd, dns and dnssec), use the more-secure version
Secure configuration files and service program files appropriately
Note special configuration cautions for services such as LISTNER
Where possible, configure idle sessions to be timed out and disconnected

TCP/IP
Port configuration
Disable unneeded ports in the xinetd or inetd configuration file
If a service uses a well-known port that is configurable, consider using a different port in its place
Use a port scanner to check which ports actually are open, and map those against your list of needed ports
If possible, close unneeded ports in a front-end firewall, IP CLIM (iptables or ip6tables), NonStop SSH, NonStop SSL, or a web application firewall
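
Added example (not part of the original slides): one way to map port-scanner results against a list of needed ports. It assumes the scanner output is in nmap's grepable (-oG) format; the allowlist, hosts and scan lines are constructed for illustration.

```python
# Added example: map scanner output against a list of needed ports.
# The allowlist and scan data are constructed for illustration.

# Assumed allowlist: SSH/SFTP and SNMP on their standard ports.
NEEDED = {(22, "tcp"), (161, "udp")}

# Constructed sample in nmap grepable (-oG) format, using RFC 5737
# documentation addresses.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 7/open/tcp//echo///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 80/closed/tcp//http///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (995)\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 21/filtered/tcp//ftp///\n"
)


def open_ports(scan_text):
    """Return {host: {(port, proto): service}} for ports reported open."""
    hosts = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        found = hosts.setdefault(line.split()[1], {})
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            port, state, proto, _owner, service = fields[:5]
            # Keep "open|filtered" (common for UDP): it cannot be ruled out.
            if state.startswith("open"):
                found[(int(port), proto)] = service
    return hosts


def compare(scan_text, needed=NEEDED):
    """Per host: open ports not on the needed list, and needed ports not open."""
    return {
        host: {"unexpected": sorted(set(found) - needed),
               "missing": sorted(needed - set(found))}
        for host, found in open_ports(scan_text).items()
    }


if __name__ == "__main__":
    for host, result in compare(SAMPLE_SCAN).items():
        print(host, result)
```

Each "unexpected" entry is a candidate for disabling or firewalling; each "missing" entry is a needed service that the scan did not find open.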

NonStop ecosystem
CLIMs
NSCs

CLIMs
Installed software
The CLIM is not a general-purpose Linux server
Only HPE-required software to provide IP, storage or Telco functionality is installed
No development packages are installed. As examples, the following packages are not installed:
gcc (GNU Compiler Collection)
gdb (GNU Debugger)
flex (Fast Lexical Analyzer)
cpp (C pre-processor)
g++ (C++ compiler)
bison (GNU parser generator)
make (Build tool)

CLIMs
Required services
Only required services are installed
No service runs on any non-maintenance interface
On the maintenance interface (eth0), the only default services configured to run are those required for monitoring and controlling CLIMs:
SSH (Secure Shell) / SFTP (Secure File Transfer)
SNMP (Simple Network Management Protocol)
If NonStop processors boot from Halted State Services (HSS) images hosted on the CLIM rather than the NonStop Console (default), those CLIMs also run the following services:
BOOTP (Bootstrap Protocol) / DHCP (Dynamic Host Configuration Protocol)
DNS (Domain Name System)

CLIMs
Port configuration
No unnecessary TCP/UDP ports are open on the CLIM. On data (non-maintenance) interfaces, the following UDP port is left open:
IKE (Internet Key Exchange)
On the maintenance interface (eth0), only the ports required by the following standard services are open:
sshd/sftp
snmpd
In addition, non-standard ports are open for HP CLIM management services:
confsync
climagt
For Telco CLIMs, there are additional ports open for INS services.
No other ports are open on the maintenance LAN

NonStop System Consoles (NSCs)

The major element on the NonStop maintenance LAN that needs to be secured is the NSC
Install appropriate security patches from Microsoft and other vendors on the NSC in a timely manner
We encourage you to use antivirus and firewall packages on the NSC
Use the other steps that secure any system, such as strong passwords and individual user accounts rather than shared accounts
If possible, physically protect your NSCs in a controlled environment
See www.hpe.com/info/nonstop/security, White papers (technical), for additional NSC information:
HP NonStop Console Security Configuration
HP NonStop System Console Security Policy

NonStop System Consoles (NSCs)
Protection: Anti-Virus software
Install your choice of Anti-Virus (AV) software
HPE ships NSCs without antivirus software because:
There are many AV packages available for Windows
Companies often either are mandated to or prefer to install the specific AV product that is designated in their corporate standards and configure it in a prescribed manner to meet standards and communicate with their enterprise security monitoring infrastructures
Customers usually have site licenses for one or more AV packages that would cover installation on their NSCs
Note: the NonStop System Console Installer Guide currently indicates that you should not install any software of your own on NSCs. That is correct except for AV software; we're correcting the text

NonStop System Consoles (NSCs)
Protection: Firewalls
Either enable the Windows firewall or install your preferred firewall
List of incoming/outgoing ports that must be open is documented in the NonStop System Console Installer Guide
Enable Microsoft Remote Desktop only if your corporate security policy allows it

NonStop System Consoles (NSCs)
Protection: Security patches
Be proactive about keeping your NSCs up to date with respect to security patches for:
Microsoft Windows
Oracle Java
Adobe Reader
Open source software such as PuTTY and OpenOffice
Note: OpenOffice is optional, and present primarily for use by HP Support

Do not upgrade the base Windows version (e.g., 2003 -> 2008)
Do not upgrade the base Java version (e.g., Java 7) unless prompted by OSM

Monitoring and compliance

Audit
What security events do you need to monitor and where are they?
Safeguard audit
OSS audit
Other subsystems that generate audit: SSH, SSL, iTP WebServer, ...
EMS events (from many subsystems)
Application and partner product logs
Keystroke logs

Monitoring, reporting and compliance
How do you know what's really going on?
How do you prove that you've implemented your policies correctly?
Alerting
Reporting
Enterprise-wide audit aggregation
File integrity monitoring

Summary

Plan:
If you don't know where you're going, it doesn't matter what road you take
Think risk management, not just compliance
Execute:
The devil is in the details
Test, test, test
Monitor:
What are you missing?

Thank you
Wendy.Bartlett@hpe.com
