Network Security

DHCP Allocation With MAC Authentication and enhanced Network Access Control (NAC)

Adonis keeps resource allocations under continuous scrutiny and enforces security policy on host MAC address assignments. It provides organizations with pre-admission Network Access Control through web-portal-enabled DHCP MAC authentication, integrated with popular authentication and directory services including RADIUS, LDAP, Active Directory and Kerberos. These NAC tools are designed to help organizations comply with internal and external regulations by tracking host information and securing network access.

Hardened Linux OS Kernel
BlueCat Networks engineers selected a stripped-down, firewall-grade Linux operating system kernel on the premise that a smaller, mature set of modules presents a smaller attack surface. Starting from a base installation with non-essential services removed, the kernel was compiled with a limited set of features and modules. Loadable kernel modules were avoided and everything was compiled statically into the kernel, which helps ensure that the intended modules cannot easily be replaced by an attacker. Firewall and IP stack hardening were added to the kernel for additional security and improved performance.


Network service daemons were removed, and the BIND and remote-control daemons are started from control scripts rather than being launched on demand by the “inet” super-server (inetd). This gives complete control over which services run and when they can be started. Adonis includes proper log rotation and proper capture of system events, avoiding problems that plague many system administrators: the log rotation system continuously examines the state of the logs so that attacks which provoke runaway system logging are contained. The appliance’s logs and kernel images are kept on separate partitions, so that data corruption is confined to a single file system rather than affecting the whole installation, as it commonly does on many servers.

Integrated Firewall
Hardening the Linux operating system helps secure the server, but it does not guarantee security. An integrated firewall serves as an outer layer of protection for incoming and outgoing traffic. This configurable firewall drops all incoming non-DNS requests, such as illicit commands, and it blocks non-DNS traffic, including harmful ICMP messages and connection attempts to other services, from reaching Adonis.

The integrated firewall exposes only two ports: port 53 (DNS) and port 10042 (client/server control), limiting external exposure and preventing unwanted traffic from leaving the appliance. If an attacker compromises one of the exposed services, the firewall attempts to contain the attacker and prevent further intrusion. This complements the “jailed” environment, which contains the hacker and prevents movement within the appliance. The firewall is an important layer of security, yet its effect on server performance is negligible: a benchmark on over two million records with 5% errors showed a 0.5% performance loss with the firewall enabled.
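The two-port exposure model described above, written out as an nftables ruleset with a small review helper. This is an added example, not BlueCat's firewall configuration: the interface name, the ICMP rate limits, the outbound allow-list (upstream DNS, NTP and remote syslog) and the exposed_ports helper are all assumptions made here.

```shell
#!/bin/sh
# Added example, not BlueCat's own ruleset: an nftables policy with the exposure
# model the page describes. Inbound, only DNS (53) and the management port
# (10042) are reachable; ICMP is limited to rate-limited echo requests; all other
# inbound traffic is dropped, and outbound traffic is limited to what the
# appliance itself originates. Interface name and outbound list are assumptions.
set -eu

# Print the ruleset for the given external interface (e.g. eth0).
gen_ruleset() {
  iface=$1
  cat <<EOF
flush ruleset
table inet appliance {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DNS over UDP and TCP (TCP is needed for zone transfers and large answers)
        iifname "$iface" udp dport 53 accept
        iifname "$iface" tcp dport 53 accept
        # management console: certificate-authenticated control channel
        iifname "$iface" tcp dport 10042 ct state new accept
        # ICMP: rate-limited echo requests and IPv6 neighbour discovery only
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } limit rate 5/second accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # assumed outbound needs: upstream DNS, NTP and remote syslog
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        udp dport 514 accept
        counter log prefix "appliance-egress-drop " drop
    }
}
EOF
}

# Review helper: list the inbound ports the input chain accepts, space-separated
# and numerically sorted. For this ruleset the answer must be exactly "53 10042".
exposed_ports() {
  gen_ruleset "$1" \
    | sed -n '/chain input/,/^    }/p' \
    | grep -v '^ *#' \
    | grep -o 'dport [0-9]*' \
    | awk '{ print $2 }' \
    | sort -un \
    | tr '\n' ' ' \
    | sed 's/ $//'
}

# Stand-alone demo: write the ruleset to a scratch file and show what it exposes.
# Loading it is a separate, root-only step:  nft -f <file>
# (nft -c -f <file> parses the file without applying it).
out=$(mktemp)
gen_ruleset eth0 > "$out"
echo "ruleset written to $out; inbound ports accepted: $(exposed_ports eth0)"
```

The review helper is the part worth keeping around: re-run it after every rule change, and a result other than the advertised ports means the exposure model has drifted.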

Authentication and SSL Connectivity
The Adonis Management Console software supports SSL and TrueAuthentication™. The software connects to and deploys configurations on the Adonis appliance through a 128-bit SSL connection using 1024-bit certificates at both ends. This connection protects against unauthorized connections and packet sniffing.

Because the server requires that every incoming connection be authenticated with a certificate, port scans show the management port as “empty”. The TrueAuthentication™ system authenticates user connections through self-generated certificates.

The Adonis Management Console is a client-side application that communicates securely with one or more servers. A password is required to authenticate an SSL session between the client software and the server, and the unique certificate on each server prevents unauthorized connections even when the password is valid. Users who wish to use SSL but have not yet created a custom certificate can use a predefined certificate.

1024-bit Certificates
The Adonis Management Console connects and synchronizes with the Adonis hardware using 1024-bit digital certificates at both the client and server ends of the connection. The certificate ensures that only authorized connections are accepted. Predefined certificates allow configurations to be deployed and tested quickly in a staging environment while maintaining a secure connection; custom certificates provide an additional level of security.

BIND Version Number
A network administrator can configure the exact response returned when the Adonis DNS/DHCP Appliance™ is queried for its BIND version. The administrator can select from predefined responses, such as the version of the Adonis DNS/DHCP Appliance™ or the version of BIND, return no response at all, or supply a custom text string.

Jailed Environment
The name server daemon executes on the Adonis appliance inside a “jailed” environment that limits the system resources it can access. In addition, the daemon runs with non-root privileges, with the name server executable residing inside the jail. This level of security precludes a hacker who has compromised the name server daemon from gaining root-level access and using it to attack other systems on the network.

When BIND runs within the jailed environment, it can run as an unprivileged user. With this safeguard in place, an attacker who compromises BIND has access only to the jailed environment, which has no privileged access to control the system. The jail contains only the data that BIND uses; no executables or system scripts exist in it. Because there is nothing for an attacker to “play with” inside the jail, most will lose interest and turn to another target.
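A BIND layout in the spirit of the two sections above (the configurable version response and the data-only jail), written as a shell script. This is an added example, not BlueCat's code: the jail path, the named service user, the logging channel and the audit_jail helper are assumptions. It follows the model in which named is started with -t and chroots after loading, so the binary stays outside the jail and the jail holds only configuration and zone data.

```shell
#!/bin/sh
# Added example, not BlueCat's code: a data-only chroot jail for BIND, a
# non-root service user, and a configurable answer to version.bind queries.
# Paths, the "named" user and the logging layout are assumptions.
set -eu

# Write a minimal named.conf into the jail. $2 selects the version.bind answer:
# the literal word none disables processing of the query; any other value is
# returned verbatim as the TXT record (BIND's own version, an appliance string,
# or custom text).
write_named_conf() {
  jail=$1; version_text=$2
  mkdir -p "$jail/etc" "$jail/var/named" "$jail/var/run/named" "$jail/var/log"
  if [ "$version_text" = none ]; then
    version_line='version none;'
  else
    version_line="version \"$version_text\";"
  fi
  cat > "$jail/etc/named.conf" <<EOF
options {
    directory "/var/named";               // resolved inside the jail after chroot
    pid-file  "/var/run/named/named.pid";
    $version_line
    recursion no;                         // authoritative only: not an open resolver
};
logging {
    // BIND's own rotation: keep five 10 MB files so runaway logging is contained
    channel jail_log { file "/var/log/named.log" versions 5 size 10m; severity info; };
    category default { jail_log; };
};
EOF
  chmod 0644 "$jail/etc/named.conf"
}

# Audit the jail: it should contain data only. Returns 1 and lists the offenders
# if any file inside is executable, setuid or setgid.
audit_jail() {
  jail=$1
  found=$(find "$jail" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \
                               -o -perm -4000 -o -perm -2000 \) -print)
  if [ -n "$found" ]; then
    printf 'executable or setuid files inside jail %s:\n%s\n' "$jail" "$found" >&2
    return 1
  fi
  return 0
}

# The launch line this layout is built for (root only, so not executed here):
# named chroots into the jail after start-up and then drops to the service user,
# which is why the binary itself never has to live inside the jail.
start_named_cmd() {
  printf 'named -t %s -u named -c /etc/named.conf\n' "$1"
}

# The check an administrator runs from another host to confirm the version answer.
version_check_cmd() {
  printf 'dig @%s version.bind CH TXT +short\n' "$1"
}

# Stand-alone demo in a scratch directory.
demo=$(mktemp -d)
write_named_conf "$demo" none
audit_jail "$demo" && echo "jail $demo holds data only"
start_named_cmd "$demo"
version_check_cmd 192.0.2.53
rm -rf "$demo"
```

Run audit_jail against the live jail from a cron job or a configuration check: a stray executable inside the jail is exactly the "something to play with" the section above says should not exist.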
© 2001-2008 BlueCat Networks. All Rights Reserved.