
C17.9. System security. Technical and physical capabilities and procedures to prevent system hacks, break-ins, data tampering, and other disruptions to operations. Physical security.

Unity Registry will implement a number of security measures to ensure that the credibility and integrity of the .org registry database are not compromised. These can be broken into three parts: physical security, technical security and logical or “software” security. Each of these is discussed in detail below:

Physical

Each Unity Registry Network Location boasts a range of physical intrusion detection facilities.

  • Building Security Guards
  • Dedicated Center Security Guards (Salford)
  • Building Perimeter Cameras (motion sensing)
  • Steel Bars on all Windows
  • Physical Key Locks
  • Electronic Tag Locks (logged transactions)
  • Web Camera (Salford)
  • ADT and Insurance Approved Electronic Intruder Alarm
  • FM200 System

Unity Registry are currently installing shared-secret (push-button) security locks as a second level of protection.

Technical

In addition to the obvious physical threats to the network, Unity Registry has ensured that the network is secured from a technical standpoint.

  • Dual Phase Power to all Racks
  • Air Conditioning
  • Backup Air-conditioning
  • 1 hour UPS
  • 24 hour Generator (“in-flight” refuelling) (Salford)
  • Secure Router Passwords
  • Router IP-based ACLs
  • Secure Firewalls with complete transaction logs and alerts
  • External Penetration Testing Services
  • Internal Server and Service Monitoring Service

Logical

This area deals with the security of the registry in terms of defense against hack attempts, DoS attacks, data tampering and the like. Two aspects are involved: prevention, which stops these kinds of attacks before they can happen, and detection, which identifies when an attack of a certain kind has occurred.

Prevention:

Cisco IOS Firewall

To prevent these attacks, Unity Registry begins by firewalling the servers at the routers, using the firewalling features available in the Cisco IOS Firewall. This software allows us to set up access control lists on the routers that block all incoming traffic, regardless of its type, unless it matches a defined set of criteria. We are able to specify criteria such as source IP address, source port, destination IP address, destination port and protocol type. With this IOS we can also limit the rate at which TCP SYN requests are allowed to enter the network, which helps defend against DoS attacks based on sending excessive SYN requests. The routers are configured to drop all incoming ICMP requests for all IP addresses in our network, which also helps combat DoS attacks. Any packets destined for our network that are not explicitly allowed by the access control rules are dropped, making the network appear as a “black hole” to anyone who is not on the access control list.

Registrars will be required to supply Unity Registry with a limited number of IP address ranges. Requests from registrars will only be able to enter the network if they come from the source addresses supplied and are destined for one of the allowable internal ports: the secure web site (443), the EPP server (3121) and the RRP server. Any request from a registrar to any other port will be dropped at this point. Access to SSH ports will be granted only from certain external IP addresses that belong to Unity Registry; these will be used to attach to the management machines and perform server maintenance. Such connections are only permitted to the management machines, and only after successfully authenticating to a management machine can an authorized staff member attach to other machines in the network.
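The default-deny policy described above, written out as an added example (this is not Unity Registry's router configuration): a first-match access list that admits registrar sources only to the listed service ports, admits SSH only from Unity Registry addresses and only to management hosts, drops all ICMP, and drops everything else. The address ranges and the management host address are constructed; the RRP port is not stated on the page and so is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ranges: the real registrar and Unity Registry addresses are not on the page.
REGISTRAR_RANGES = ("203.0.113.0/28", "198.51.100.64/27")   # ranges supplied by registrars
UNITY_ADMIN_RANGES = ("192.0.2.16/29",)                       # Unity Registry staff addresses
MANAGEMENT_HOSTS = ("10.0.0.10",)                             # management machines (assumed address)
REGISTRAR_PORTS = frozenset({443, 3121})   # secure site and EPP server; RRP port not given on the page

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "drop"
    proto: str
    src_nets: tuple     # networks the source address must fall in
    dst_hosts: tuple    # empty means any host in the registry network
    dports: frozenset   # empty means any destination port

def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

ACL = (
    Rule("drop", "icmp", nets("0.0.0.0/0"), (), frozenset()),                 # all ICMP dropped
    Rule("allow", "tcp", nets(*REGISTRAR_RANGES), (), REGISTRAR_PORTS),       # registrars: listed ports only
    Rule("allow", "tcp", nets(*UNITY_ADMIN_RANGES), MANAGEMENT_HOSTS, frozenset({22})),  # SSH to mgmt only
)

def evaluate(pkt, acl=ACL):
    """First matching rule wins; a packet that matches nothing is dropped (the "black hole")."""
    src = ipaddress.ip_address(pkt.src)
    for r in acl:
        if r.proto != pkt.proto or not any(src in n for n in r.src_nets):
            continue
        if r.dst_hosts and pkt.dst not in r.dst_hosts:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return r.action
    return "drop"

if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.5", "10.0.0.20", 443),   # registrar to the secure site
              Packet("tcp", "203.0.113.5", "10.0.0.20", 22),    # registrar to SSH
              Packet("tcp", "192.0.2.17", "10.0.0.10", 22),     # staff to a management host
              Packet("icmp", "203.0.113.5", "10.0.0.20")):      # ping from a registrar
        print(p.proto, p.src, "->", p.dst, p.dport, evaluate(p))
```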

iptables and Linux Netfilter:

Using the Linux Netfilter API and iptables, we are able to reinforce the blocking of IP addresses that our firewall filters: each application machine can be told to drop requests from unlisted IPs, and we can also limit the rate at which connections can be created and apply other advanced packet filtering rules.
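The connection rate limiting mentioned here and the SYN rate limiting in the router section above both come down to a token bucket per source. The following is an added example, not Unity Registry's configuration, that simulates such a bucket (in the spirit of the iptables limit and hashlimit matches) over constructed traffic: one source sends 40 SYNs in 2.5 seconds while a registrar opens three sessions a second apart. The addresses and rate parameters are constructed.

```python
class SynRateLimiter:
    """Token bucket on new connection attempts (TCP SYNs), one bucket per source address."""

    def __init__(self, rate, burst):
        self.rate = float(rate)     # sustained SYNs per second allowed per source
        self.burst = float(burst)   # how many SYNs may arrive at once before limiting kicks in
        self._state = {}            # src -> (tokens, time of last SYN)

    def allow(self, src, now):
        """Return True if a SYN from src at time `now` (seconds) may be accepted."""
        tokens, last = self._state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last SYN
        if tokens >= 1.0:
            self._state[src] = (tokens - 1.0, now)
            return True
        self._state[src] = (tokens, now)
        return False

def simulate(syn_events, rate, burst):
    """syn_events: iterable of (time_seconds, src). Returns {src: (accepted, dropped)}."""
    limiter = SynRateLimiter(rate, burst)
    counts = {}
    for t, src in sorted(syn_events):
        acc, drop = counts.get(src, (0, 0))
        counts[src] = (acc + 1, drop) if limiter.allow(src, t) else (acc, drop + 1)
    return counts

# Constructed traffic. Times are multiples of 1/16 s so the token arithmetic is exact in floats.
SAMPLE_SYNS = [(i / 16, "203.0.113.99") for i in range(40)] + \
              [(0.0, "198.51.100.70"), (1.0, "198.51.100.70"), (2.0, "198.51.100.70")]

if __name__ == "__main__":
    # With 4 SYNs/s and a burst of 4, the flooding source gets 13 accepted and 27 dropped,
    # while the registrar's three SYNs all pass.
    for src, (acc, drop) in simulate(SAMPLE_SYNS, rate=4, burst=4).items():
        print(f"{src}: accepted {acc}, dropped {drop}")
```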

Private IP Addresses and VLANing:

The network design of the registry also plays a part in security: the only machines configured with “live” IP addresses visible on the Internet are the registry application machines and the management servers.

Machine Configuration:

Machines are kept on the latest versions with current security patches, and do not run unnecessary software or any software with known security issues.

Database Security:

Database connection security will be implemented with Oracle’s Advanced Security option, which enables SSL authentication and encryption. Support is also provided for Triple DES and RC4 encryption, MD5 and SHA message digests, and centralized network authentication.

Detection:

Cisco IOS Firewall:

The IOS Firewall allows a Cisco router to perform intrusion detection. Since the router is in the critical packet path for all inbound (and outbound) traffic, it makes the first line of “hack detection” and provides dynamic monitoring, interception and reporting of network attacks and attempted misuse.

  • Configurable audit trail and alerts — Cisco IOS Firewall allows alerts and audit trails to be configured on a per-application basis. Java blocking is also configurable on a modular basis.

Every machine maintains a detailed log of all system activity, and daily audits of the logs will be performed. These audits will alert registry engineers and system administrators to any issues in the registry system. Logs of the login and logout times of all users are also available, and any abnormal activity will be thoroughly investigated.

Tripwire packages will be installed on every machine. These packages monitor critical system files and email a predetermined list of people whenever any of the files under Tripwire’s control are modified in any way.
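The check a Tripwire-style monitor performs, as an added example that is not Tripwire's code or Unity Registry's configuration: take a baseline of each watched file's content hash and permission bits, then report any file that has since been changed, re-permissioned or removed. The watched file names are constructed stand-ins created in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, watched):
    """Record SHA-256 and permission bits for each watched file (paths relative to root)."""
    baseline = {}
    for rel in watched:
        p = Path(root) / rel
        baseline[rel] = {"sha256": file_digest(p), "mode": p.stat().st_mode & 0o777}
    return baseline

def check(root, baseline):
    """Compare the current file system with the baseline; returns sorted [(relative_path, change)]."""
    findings = []
    for rel, rec in baseline.items():
        p = Path(root) / rel
        if not p.exists():
            findings.append((rel, "missing"))
            continue
        if (p.stat().st_mode & 0o777) != rec["mode"]:
            findings.append((rel, "mode"))
        if file_digest(p) != rec["sha256"]:
            findings.append((rel, "content"))
    return sorted(findings)

def demo():
    """Constructed run: three watched files, then one is edited, one made executable, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        watched = ["etc/registry.conf", "bin/epp-server", "etc/hosts.allow"]   # constructed names
        for rel in watched:
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"original contents of " + rel.encode())
            p.chmod(0o644)
        baseline = build_baseline(root, watched)
        if check(root, baseline):
            raise RuntimeError("baseline should be clean immediately after it is taken")
        (Path(root) / watched[0]).write_bytes(b"tampered")   # content change
        (Path(root) / watched[1]).chmod(0o755)                # permission change
        (Path(root) / watched[2]).unlink()                    # file removed
        return check(root, baseline)

if __name__ == "__main__":
    for rel, change in demo():
        print(f"ALERT {rel}: {change}")   # in practice mailed to the predetermined list
```

In a real deployment the baseline is kept off the monitored host (or on read-only media) so that an intruder who alters a file cannot also alter the record it is compared against.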