Novell ZENworks Endpoint Security Management 3.5 User Manual

ZENworks® ESM 3.5
Administrator’s Manual
Securing Server Access
Physical Access Control
Physical access to the Distribution Service Server should be controlled to prevent access by 
unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple 
standards and guidelines are available, including NIST recommendations, HIPAA 
requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or 
SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a 
valuable resource and planning guide.
Likewise, Disaster Recovery and Business Continuity mechanisms to protect the Distribution 
Server should be put in place if an organizational risk assessment identifies a need for such 
steps. The mechanisms best used will depend on the specifics of the organization 
and its desired risk profile, and cannot be described in advance. The same standards and 
guidelines listed above can be helpful in this decision as well.
Network Access Control
The Distribution Server can be further protected from unauthorized access by restricting network 
access to it. This may take the form of some or all of the following:
• restricting incoming connection attempts to those ports and protocols from which a 
  valid access attempt might be expected;
• restricting outgoing connection attempts to those IP addresses to which a valid access 
  attempt might be expected; and/or
• restricting outgoing connection attempts to those ports and protocols to which a valid 
  access attempt might be expected.
Such measures can be imposed through the use of standard firewall technology.
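The following is an added example, not part of the original manual or of the ESM product: a small Python audit that checks observed connection attempts against the three restrictions listed above. The names Conn, POLICY, violations and audit are hypothetical, and every port and address is a constructed placeholder rather than an ESM default.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    direction: str   # "in" or "out", relative to the Distribution Server
    remote_ip: str
    proto: str       # "tcp" or "udp"
    port: int        # local port for "in", remote port for "out"

# Constructed policy: all values are placeholders, not ESM defaults.
# A key that is absent or None is not enforced ("some or all of the following").
POLICY = {
    "in_services": {("tcp", 443)},
    "out_networks": [ipaddress.ip_network("192.0.2.0/28")],
    "out_services": {("tcp", 1433), ("udp", 53)},
}

def violations(conn, policy=POLICY):
    """Return the restrictions a connection attempt breaks (empty if none)."""
    if conn.direction not in ("in", "out"):
        raise ValueError(f"unknown direction: {conn.direction!r}")
    broken = []
    nets = policy.get("out_networks")
    if conn.direction == "out" and nets is not None:
        ip = ipaddress.ip_address(conn.remote_ip)
        if not any(ip in n for n in nets):
            broken.append("outgoing IP address")
    services = policy.get(conn.direction + "_services")
    if services is not None and (conn.proto, conn.port) not in services:
        label = "incoming" if conn.direction == "in" else "outgoing"
        broken.append(label + " port/protocol")
    return broken

def audit(conns, policy=POLICY):
    """Map each offending connection to the restrictions it breaks."""
    return {c: v for c in conns if (v := violations(c, policy))}

# Constructed sample of connection attempts, e.g. parsed from a firewall log.
SAMPLE = [
    Conn("in", "198.51.100.7", "tcp", 443),    # expected service
    Conn("in", "198.51.100.7", "tcp", 3389),   # unexpected inbound port
    Conn("out", "192.0.2.5", "tcp", 1433),     # expected destination
    Conn("out", "203.0.113.9", "tcp", 1433),   # unexpected destination IP
    Conn("out", "203.0.113.9", "tcp", 8080),   # unexpected IP and port
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry the audit returns is either a gap in the firewall rules or a connection the policy should be extended to cover.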
High Availability
High Availability mechanisms for the Distribution Server should be put in place if an 
organizational risk assessment identifies a need for such steps. There are multiple alternative 
mechanisms for building high availability solutions, ranging from the general (DNS 
round-robin, layer 3 switches, etc.) to the vendor-specific (the Microsoft web site has multiple 
resources on high availability web services and clustering issues). Those implementing and 
maintaining an ESM solution should determine which class of high availability solution is most 
appropriate for their context. It should be kept in mind that the Distribution Server has been 
architected to function in non-high-availability situations, and does not require High Availability 
to provide its services.