- Letting the big bad world access our HP-UX server ...
10-09-2003 11:49 PM
Route would be via a web application (probably IIS - yes I know I know!), through a firewall direct to the HP-UX 11i server.
Some time ago we looked at Virtual Vault but this has been ruled as too expensive and an alternative needs to be looked at.
We do need to make our data available to the world but I have reservations about how secure our data would be and I am being told "well everyone else does it".
Does anyone have any views on how they would do this without compromising what is currently a pretty secure system?
10-09-2003 11:54 PM
Re: Letting the big bad world access our HP-UX server - comments please
Our web presence is in a "DMZ" outside the firewall and access to the database is through an interface that talks to a specific port on the firewall. Only that application on that port is allowed through. The actual DB server remains securely locked away.
That's a pretty vague, high-level look at it - I can provide more details if you like.
Pete
10-10-2003 12:24 AM
Solution
With regards to software, I'd bulk up on it and completely harden your system. I don't trust firewalls and I sit behind two.
Softwarewise, here is my standard pitch, pasted in:
Security Software
Here is how we keep up on these security issues.
First we subscribe to itrc security bulletins, which you apparently already do.
Next we use the following tools to harden security on our system and notify us of security patches.
Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA
Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL
Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA
TCP Wrappers
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP
IDS/9000 (Intrusion Detection System)
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA
Get all these products working and you'll be quite secure.
Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA
I recommend a security audit where the auditor attempts to hack the system in question once it's deemed ready for action.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-10-2003 01:12 AM
Re: Letting the big bad world access our HP-UX server - comments please
You will still want to harden your machine though. The Bastille software is a good place to start. The "Creating a Bastion Host" paper is also very good. You will also want to keep up on security patches and Informix patches to make sure you have as few vulnerabilities as possible.
Here's the address for the Bastion paper:
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000066258828
This paper says 11.0, but it works very well for 11.11 as well.
10-10-2003 01:38 AM
Re: Letting the big bad world access our HP-UX server - comments please
FTP is done via an FTP server..no anonymous allowed, users locked to their accounts ONLY.
It wasn't always this way... they learned here, and I'm sure if they do it the way you've mentioned, your folks will come to a painful realization 'real quick'.
Rgrds,
Rita
10-10-2003 11:55 AM
Re: Letting the big bad world access our HP-UX server - comments please
I can echo Rita's comments for our shop as well. We have several applications on both the HPUX and mainframe side that utilize this method.
Best of luck.
Regards,
dl
10-10-2003 01:34 PM
Re: Letting the big bad world access our HP-UX server - comments please
A. Consider that this box is compromised at all times.
B. Use replication or transaction files to replicate all data.
C. Ignite daily to tape. Do not use make_net_recovery. That means this is a PA-RISC based processor.
D. Disconnect the machine from the outside world at night. (ifconfig lanx down) as the first line of the nightly backup script. Second line of backup script ifconfig lanx+1 up. Then the machine may be backed up. If EDM or Veritas netbackup is used move the .rhosts in and out of place.
E. Always run backup with the Oracle DATABASE down. Don't even think of hot backups. If the machine gets trashed, a cold backup may be restored, and tnsnames modified, and you can be up in two-three hours... RMAN works, but it limits your recovery possibilities.
Can you guess what kind of a project I just had???
10-10-2003 01:34 PM
Re: Letting the big bad world access our HP-UX server - comments please
concepts.
1. I'd place a firewall between server and internet, allowing only 2 ethernet ports through external wall.
2. require https access and login,
3. shut down telnet,
4. remove server from any .rhosts file
5. remove all non system level access. (root,oracle) only logins.
6. Require ssh for local access.
7. from database generate transaction file to be imported to production box.
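
A way to verify items 3 and 4 of the list above (telnet shut down, no .rhosts trust), added here as an example and not part of the original post. The function names, the service list and the sample files are constructed for illustration; on a real host the first function would be pointed at /etc/inetd.conf and the second at the home directories.

```shell
#!/bin/sh
# Services whose inetd entries should be disabled: telnet plus the
# r-services (rlogin, remsh, rexec) that rely on .rhosts trust.
# This list is an assumption made for the example.
REMOTE_LOGIN_SERVICES="telnet login shell exec"

# Print each listed service that is still enabled (not commented out)
# in an inetd.conf-format file, one name per line.
enabled_remote_services() {
    awk -v list="$REMOTE_LOGIN_SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/ { next }                      # comment or disabled entry
        NF >= 6 && ($1 in want) { print $1 }     # service is field 1
    ' "$1"
}

# Print every .rhosts or hosts.equiv file found under a directory tree.
find_trust_files() {
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null | sort
}

# Constructed sample data (not from a real host): builds a scratch tree
# with an inetd.conf excerpt and one stray .rhosts, and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/app" "$d/home/oracle"
    cat > "$d/inetd.conf" <<'EOF'
# constructed inetd.conf excerpt
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
#login  stream tcp nowait root /usr/lbin/rlogind  rlogind
shell   stream tcp nowait root /usr/lbin/remshd   remshd
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
EOF
    echo "dbhost oracle" > "$d/home/oracle/.rhosts"
    echo "$d"
}

sample=$(make_sample)
echo "Remote-login services still enabled:"
enabled_remote_services "$sample/inetd.conf"
echo "Trust files to remove:"
find_trust_files "$sample/home"
rm -rf "$sample"
```

Both functions only read; an empty result from each is the state the list asks for.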