S 4.97 One service per server

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Many weak points in IT systems cannot be exploited in isolation by a potential attacker. It is often only a combination of vulnerabilities that makes successful infiltration of a computer a possibility. One recommendation for the operation of secure servers is therefore: different services should be located on different computers.

Only one service should therefore be loaded on a minimal system (see also S 4.95 Minimal operating system), i.e. for example either a WWW server or an e-mail server. Besides this, the security classifications of individual services also vary. Successful infiltration of a WWW server may well be very annoying, particularly if the attacker makes changes to the WWW pages that are externally accessible. The attacker does not have access to internal information in this way, however. If the WWW server is also the e-mail server, though, the attacker may be able to intercept all of the e-mail traffic, which could have much worse consequences.

The separation can even be further increased, by sharing different tasks of an individual service between different computers. For example, there could be one e-mail server (A), which receives e-mails from the Internet and forwards them to the internal network, and another e-mail server (B), which forwards e-mails from the internal network to the Internet. As communication from the Internet can only be established with e-mail server A, an attacker can only attack that server, not the other. E-mail server A is not itself allowed to send any e-mails to the Internet, and therefore this computer cannot be misused for e-mail spamming, either.

Dividing up various services between different computers has the following advantages, among others:

• Easier configuration of the individual computers

• Simpler and more secure configuration of an upstream packet filter

• Increased resistance to attacks

• Greater operational reliability

It should be possible to compensate for any negative consequences that may arise, such as higher hardware costs for purchasing several computers, by the fact that the individual computers do not have to produce the same performance and consequently all in all, with the same performance, do not have to be more expensive than one particularly powerful computer. Administration costs do not necessarily have to rise with the number of computers, either, because simpler configuration of the individual computers saves time.