Should core system servers be able to connect to the internet for maintenance/support?

Solution 1:

You would generally need to download patches from the internet then apply them to the server. However, it is reasonable to have an intermediate step of copying the patches to an intermediate location (even a DVD) to go between the internet and the database servers.

If they just want a separate machine in the server room that can connect to the internet (e.g. for reading patch notes), that's another option.

Finally, there's a difference between having a browser running on the server that can connect to the internet and having the server actually accessible as a server from the internet.

It all depends on how secure you want/need to be.

Solution 2:

Your servers are connected to a network which has other devices with Internet access. Correct? I'm sure others will disagree but I believe the security afforded by not allowing those servers direct Internet access is more illusory than anything else.

Solution 3:

We do a lot of maintenance on customers' servers that have no access to the internet. We have to take all of the updates/patches/software we need for that visit on CD / USB stick. (Allowing 3rd parties to bring in USB sticks/CDs is a security risk in its own.)

Solution 4:

You can always use iptables to configure exact source/destination IP:Port pairs that you wish to keep open.

That way, even when the server is exposed over the WAN, you may ensure that only trusted IPs + correct credentials will gain access to it.

Moreover you can use a private-public ssh key pair as well, which can be shared only amongst the two of you.

Solution 5:

All your servers should be either in a DMZ or at least behind a firewall. Just about any firewall can be configured to allow outgoing connections from any of these servers (so that they can check for and download security patches and other updates on their own). And then it's up to your system admins to configure the firewall such that a few, very specific ingoing connections are allowed. If they are only needed for occasional maintenance, they can be disabled once the maintenance is finished.

We use Linux gateways for this job, with iptables for the firewall. However, your standard hardware firewalls will do exactly the same.
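
The approach described in Solutions 4 and 5 (default-deny, exact IP:port pairs, inbound maintenance access enabled only while it is needed), as an added example that is not from any of the answers. The addresses, ports and labels are constructed sample values, and the patch mirror is assumed to be reached by IP so no DNS rule is needed.

```shell
#!/bin/sh
# Added example: sample values are constructed (RFC 5737 documentation ranges).
# Columns: direction  peer-ip  tcp-port  label
POLICY='out 198.51.100.20 443 patch-mirror
in 203.0.113.10 22 vendor-ssh'

# Print an iptables-restore ruleset. $1 = "open" adds the inbound
# maintenance pairs; any other value leaves them out.
build_ruleset() {
    window=$1
    state='-m conntrack --ctstate'
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT $state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT $state ESTABLISHED,RELATED -j ACCEPT
EOF
    printf '%s\n' "$POLICY" | while read -r dir ip port label; do
        tag="-m comment --comment \"$label\""
        if [ "$dir" = out ]; then
            echo "-A OUTPUT -p tcp -d $ip --dport $port $state NEW $tag -j ACCEPT"
        elif [ "$dir" = in ] && [ "$window" = open ]; then
            echo "-A INPUT -p tcp -s $ip --dport $port $state NEW $tag -j ACCEPT"
        fi
    done
    echo 'COMMIT'
}

# Default: print the steady-state (window closed) ruleset for review.
# To apply as root: build_ruleset open | iptables-restore
build_ruleset "${1:-closed}"
```

Reloading the closed ruleset after the visit removes the inbound rule; sessions already established stay up until they end because of the ESTABLISHED,RELATED rule.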