Keeping your workplace servers secure isn’t just a matter of putting a firewall in place. Here are seven misconceptions about server security that you should not be buying into.
This list was presented by Raritan senior product manager Richard Dominach during a session at Data Center World 2014 in Las Vegas. Dominach’s main theme was that the remote management capabilities built into servers — in particular, the separate operating environment that runs as part of the baseboard management controller (BMC) — can potentially be exploited and won’t always be easily detected. While that underpins many of these myths, others reflect broader issues that can create problems in your server environment.
Myth #1: A server that’s powered down can’t be hacked Since BMC and similar technologies are designed to allow for remote rebooting and other tasks, being powered down is not complete protection. “Just switching off power isn’t enough,” Dominach said. “That’s something every data centre professional should realise.”
Myth #2: Your security software will detect all viruses While malware detection is important, on its own it won’t be able to protect against zero-day exploits or highly targeted attacks. It’s a necessary element, but not a sufficient one on its own.
Myth #3: My servers are protected because they’re behind a firewall In the same way, while a firewall serves a useful purpose, it won’t stave off all forms of attack.
Myth #4: My servers can be trusted because they are name-brand equipment Given that most servers use standardised components, the same basic vulnerabilities are likely to exist whether you go for unbranded white boxes or pricier brand names. The more expensive equipment may well have additional security and management options — but those will also need maintenance.
Myth #5: You can’t log in without a password and all our passwords are encrypted, so we’re safe Again, low-level management systems can give the lie to this notion, especially if they utilise well-known default passwords.
Myth #6: No one connects servers directly to the Internet No-one should — but that doesn’t mean no-one does.
Myth #7: I can fully wipe my servers when they’re removed from the environment While drive wiping techniques are well understood, remembering to eliminate management partitions and other areas isn’t always pursued with the same fervour. “I bet that you’re not looking at deprovisioning the BMC,” Dominach said.
Bandage picture from Shutterstock