Distribution of the Oracle Cloud Cookbook or derivative work in any form is prohibited unless prior permission is obtained from the copyright holder.
Advances in virtualization, hardware and storage technologies, together with Oracle licensing costs, are driving Oracle customers to examine their virtualization choices for Oracle in order to lower their total cost of Oracle ownership and to improve their Oracle operational efficiency.
The Oracle Cloud Cookbook aims to articulate the design considerations and validation efforts needed to design, deploy and support private, public and hybrid Oracle clouds.
This chapter from the Oracle Cloud Cookbook presents Mokum's Oracle VM private cloud reference design. The Mokum Oracle private cloud reference design encompasses the software, hardware, storage, network, and management components necessary to deploy a scalable, secure, and supportable Oracle private cloud.
The Mokum Oracle private cloud reference design is a field-tested best-practice standard, designed with simplicity, reproducibility, usability, scalability, supportability and security in mind. It represents a complete Oracle private cloud standard which can be used as a vanilla solution or modified to more accurately reflect organization-specific needs. The Mokum Oracle private cloud reference design includes the following categories:
Note: A detailed explanation of each category and solution in the Mokum Oracle private cloud reference design is presented in the architectural overview section.
The Mokum Oracle private cloud reference design provides a well-defined starting point for each Oracle private cloud implementation. It also serves as the baseline on which all solution additions, revisions, and tools are based. As such, there is increasing value in keeping implementations as close to the reference design as possible.
Prior to implementing an Oracle private cloud, it is critical that an infrastructure assessment (IA) and gap analysis (GA) be performed. During the IA/GA, the architecture of the solution is matched to the customer's business needs while preserving the integrity of the Mokum Oracle private cloud reference design. Implementation and support follow the analysis phase, after careful consideration has been given to any specific design modifications that deviate from the reference design.
This document outlines the decision points required for implementing the Mokum Oracle private cloud reference design. For decisions that depend upon preexisting factors or specific organizational needs, the proper best practice will be identified during the infrastructure assessment (IA) and gap analysis (GA). The best practices should be analyzed carefully, and decisions should be made based on organizational needs, existing architecture, and budget and resource availability.
The Mokum Oracle private cloud reference design is built to be scalable and resilient, for easier implementation, high availability, and simplicity of maintenance of private Oracle clouds. The complete solution is made up of multiple architectural components that work together to offer flexibility and alternatives for self-service Infrastructure as a Service with broad network access, resource pooling, elasticity, measured service, high availability, security and easier maintenance. Infrastructure as a Service is the capability to provision and deliver fundamental computing resources as a service to consumers. The Mokum Oracle private cloud reference design outlines the decision points required for implementing an Oracle VM private cloud that offers self-service Infrastructure as a Service using pre-configured virtual machine templates from the Oracle Enterprise Manager Cloud Control 12c self-service portal, or OpenStack.
Support is a vital part of any Oracle private cloud and consists of a combination of Oracle support agreements and on-site and off-site support from the implementing party. Administrators should have several alternatives for support, including live assistance, phone support, and web forums.
This table outlines the decision points for the support infrastructure of the Mokum Oracle private cloud reference design. For decisions that depend upon preexisting factors or specific organizational needs, the proper best practice will be identified during the infrastructure assessment (IA) and gap analysis (GA). The best practices should be analyzed carefully, and decisions should be made based on organizational needs, existing architecture, and budget and resource availability.
Oracle Support Agreements for the Oracle technologies will be active and up to date.
Support is an essential part of every successful IT project. Oracle support agreements are required in order to create and manage service requests and to receive software patches and updates from Oracle Enterprise Manager and My Oracle Support.
On-site and off-site support from the implementing party will be used for maintenance, site reviews, upgrades, and security audits.
On-site and off-site support from the implementing party for problem resolution, system maintenance, site reviews, upgrades, and security audits augments the Oracle support agreement and the internal IT operations staff.
The following sections provide the decision matrices for the Mokum Oracle private cloud reference design. Implementers of the reference design can use the decision matrices as a quick reference guide to identify the settings and configuration decisions to be implemented in the environment. These decisions should be carefully analyzed during the gap analysis phase.
Oracle VM Server supports CPU oversubscription. CPU oversubscription allows an Oracle VM server to allocate more virtual CPUs to virtual machines than it has physical CPU cores or threads. For example, a server with an Intel Xeon processor 5600-series CPU with hyperthreading may have up to six cores and twelve threads per socket. A two-socket server with Intel Xeon 5600-series CPUs could therefore allocate 12 virtual CPUs, one per physical core, without oversubscribing the physical CPUs.
CPU-bound workloads, such as Oracle Databases, should not be placed on Oracle VM servers with oversubscribed CPUs.
Server hardware should be ordered with the maximum amount of physical memory.
Note: Oracle VM Release 3.3 supports up to 6TB of RAM.
Oracle VM Server does not support memory oversubscription. For example, an Oracle VM server with 1TB of RAM cannot overallocate RAM to virtual machines. By default, each Oracle VM server reserves a minimum of 512MB of RAM for dom0. The average memory overhead for each running guest on a dom0 is about 20MB plus 1% of the guest's memory size. The remaining physical RAM can be allocated to guests.
An Oracle VM server in a server pool with Live Migration, DRS, DPM and/or HA must have excess RAM capacity to accept virtual machines arriving from a Live Migration, DRS, DPM and/or HA operation. Oracle VM pool members without available RAM cannot support Live Migration, DRS, DPM and/or HA. Having available RAM on each server provides flexibility for adding new virtual machines to the server pool and allows Live Migration, DRS, DPM and/or HA within the server pool.
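As an added example (not from the Oracle Cloud Cookbook), the following POSIX shell functions turn the memory rules above into a sizing check: no oversubscription, 512MB reserved for dom0, and 20MB plus 1% of guest memory per running guest. All sizes are in MB; the headroom test for an incoming migrated or failed-over guest is my own framing of the "excess RAM" requirement and is not an Oracle formula.

```shell
#!/bin/sh
# Added example, not Oracle's or Mokum's code. Sizes are in MB.
# Rules from the text: dom0 reserves 512MB; every running guest costs its own
# memory plus roughly 20MB + 1% of that memory in dom0 overhead; memory
# oversubscription is not supported, so everything must fit in physical RAM.

DOM0_RESERVE_MB=512

# overhead_mb GUEST_MB -> dom0 overhead for one guest of GUEST_MB
overhead_mb() {
    echo $(( 20 + $1 / 100 ))
}

# used_mb GUEST_MB... -> RAM consumed by dom0 plus all listed guests
used_mb() {
    total=$DOM0_RESERVE_MB
    for g in "$@"; do
        total=$(( total + g + $(overhead_mb "$g") ))
    done
    echo "$total"
}

# free_mb PHYSICAL_MB GUEST_MB... -> RAM still allocatable on this server
free_mb() {
    phys=$1; shift
    echo $(( phys - $(used_mb "$@") ))
}

# can_accept PHYSICAL_MB INCOMING_MB GUEST_MB... -> "yes" if this server can
# take one more guest of INCOMING_MB (e.g. from Live Migration or HA failover)
# on top of the guests it already runs, otherwise "no"
can_accept() {
    phys=$1; incoming=$2; shift 2
    need=$(( incoming + $(overhead_mb "$incoming") ))
    if [ "$(free_mb "$phys" "$@")" -ge "$need" ]; then echo yes; else echo no; fi
}

# fit_count PHYSICAL_MB GUEST_MB -> how many identical guests fit without
# oversubscription; the per-guest overhead is why 16 x 4GB does not fit in 64GB
fit_count() {
    phys=$1; g=$2; per=$(( g + $(overhead_mb "$g") )); n=0
    avail=$(( phys - DOM0_RESERVE_MB ))
    while [ $(( avail - per )) -ge 0 ]; do
        avail=$(( avail - per )); n=$(( n + 1 ))
    done
    echo "$n"
}

# worked example: a 64GB server running three 8GB guests, asked to accept a
# migrated 16GB guest
echo "free: $(free_mb 65536 8192 8192 8192) MB"
echo "accept 16GB guest: $(can_accept 65536 16384 8192 8192 8192)"
echo "4GB guests that fit in 64GB: $(fit_count 65536 4096)"
```

Run `can_accept` against every pool member with the largest guest in the pool as the incoming size; a pool in which no member answers "yes" has no HA or Live Migration capacity left, whatever Oracle VM Manager shows as free.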
Unless the Oracle VM server boots from SAN, redundant internal hard disks are recommended.
Virtual machine image and configuration files are hosted on local, shared SAN, iSCSI, or NFS repositories.
Oracle VM Server requires 4GB of local storage for the Oracle VM server installation. The design goal for Oracle VM is to support multi-node Oracle VM server pools with shared Fibre Channel SAN, iSCSI and/or NFS storage.
Oracle VM local storage does not support HA or Live Migration.
A minimum of one Ethernet network interface card (NIC) is required just to set up Oracle VM server, although at least four 10G NICs are strongly recommended. NIC bonding with port-based VLANs and/or 802.1Q tag-based VLANs is supported and is configured after Oracle VM Server installation with Oracle VM Manager or Enterprise Manager.
Oracle VM 3.0.1 through 3.1.1 supports two NIC ports per network bond, and a total of five network bonds per Oracle VM server.
Oracle VM 3.2.x supports four NIC ports per network bond, and a total of ten network bonds per Oracle VM server.
Oracle VM 3.3.x supports an unlimited number of NICs and bonds.
The exact number of network interfaces on an Oracle VM server depends entirely on your organization's business requirements, server hardware, and network and storage infrastructure. For example, there are no NIC limitations with Cisco UCS hardware, in contrast to legacy hardware with physical NICs. Cisco UCS supports provisioning as many HA-enabled vNICs as necessary to meet the most demanding Oracle VM network requirements, unlike legacy hardware, which can require up to six 10G NICs, or 12 or more 1G ports. It is hard to succeed without a plan. Plan your Oracle VM project up front, before ordering hardware and deploying Oracle VM.
Tip: One thing to consider is NIC firmware levels between bonded internal NIC ports and PCI NIC ports. Consider only bonding internal NICs with internal NICs and PCI NICs with PCI NICs.
802.3ad NIC bonds, port-based VLANs and 802.1Q tag-based VLANs are all supported and are configured after Oracle VM server installation with Oracle VM Manager. For network redundancy, 802.3ad NIC bonding doubles the number of required NICs.
Oracle VM uses a total of five discrete networks: Server Management, Cluster Heartbeat, Live Migration, Storage and Virtual Machines. All five networks can be carried using 802.1Q tag-based VLANs or using access ports.
With Oracle VM, accurate time is crucial to maintaining system stability because of the time-sensitive cluster transactions between Oracle VM servers. Without accurate time, Oracle VM clusters can be brought to a complete standstill.
A best practice is to have two internal NTP servers on your local network to provide time services for internal systems and devices. Using internal time servers normalizes system event timestamps across the enterprise and reduces NTP Internet bandwidth usage.
If internal time servers are not an option, set up the Oracle VM Manager host as the NTP time host: it synchronizes with upstream Coordinated Universal Time (UTC) sources and provides time services to the Oracle VM servers.
Oracle VM releases up to 3.2 use the RAS (Remote Access Service) proxy Java applet to proxy virtual machine console traffic from Oracle VM Manager to the administrator's client PC. An Oracle VM Manager administrative account is required to access a virtual machine's console. Any firewall between Oracle VM Manager and the administrator's client PC connecting to a virtual machine console must have TCP port 15901 open for the RAS proxy.
Oracle VM Manager does not support role-based access control. All administrative users with access to the Oracle VM Manager GUI have root administrative access to all of the objects managed by Oracle VM Manager, including all of the virtual machine consoles.
Because every Oracle VM administrative user has root access to all of the objects managed by Oracle VM Manager, virtual machine customers such as DBAs and application administrators should only have access to their own virtual machines, not root access to everything managed by Oracle VM Manager.
If an Oracle VM Manager account is not an option for a user, for instance for DBAs, operations staff or application administrators, Oracle VM role-based access control can be configured using Enterprise Manager Cloud Control. With Cloud Control, roles can be assigned to limit access to selected virtual machines only, or to grant read-only access to the Oracle VM Manager objects.
The iptables service can be enabled on each Oracle VM Manager host using a ruleset managed in /etc/sysconfig/iptables. In order to use Oracle VM Manager, the Core API and the Oracle Management Agent with iptables, it is necessary to open TCP ports 7001, 7002, 54321 (TCP) or 54322 (TCPS), 15901 and 3872, as well as UDP 123.
Firewalls are the first line of defense in network security and should be used to filter network traffic between security domains. Host firewalls such as iptables are a fundamental part of information security and protect hosts from attacks and intrusions.
iptables failed-connection logging should be enabled on each Oracle VM Manager host.
Failed-connection logging is a fundamental component of information security, allowing detection of attacks and intrusions.
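As an added example (not from the Oracle Cloud Cookbook or Oracle documentation), the shell function below generates an /etc/sysconfig/iptables ruleset for an Oracle VM Manager host that opens only the ports listed above and logs everything else it drops. Assumptions that are mine, not the text's: administrators and Oracle VM servers reach the host from one management network passed as a CIDR, ssh on TCP 22 is needed for the non-root administrator accounts discussed later, and the host serves NTP (UDP 123) to the Oracle VM servers. The "OVMM-DROP: " log prefix is arbitrary.

```shell
#!/bin/sh
# Added example, not Oracle's code. Writes an iptables-save style ruleset for
# an Oracle VM Manager host; review the output before loading it.

# gen_ovm_manager_rules MGMT_CIDR -> ruleset on stdout
gen_ovm_manager_rules() {
    mgmt=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# ssh for administrators (non-root accounts), management network only
-A INPUT -s $mgmt -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Oracle VM Manager GUI/CLI: 7001 (HTTP) and 7002 (HTTPS)
-A INPUT -s $mgmt -p tcp -m state --state NEW -m multiport --dports 7001,7002 -j ACCEPT
# Core API: 54321 (TCP) or 54322 (TCPS); drop the one you do not use
-A INPUT -s $mgmt -p tcp -m state --state NEW -m multiport --dports 54321,54322 -j ACCEPT
# RAS proxy for virtual machine consoles (Oracle VM 3.2 and earlier)
-A INPUT -s $mgmt -p tcp -m state --state NEW --dport 15901 -j ACCEPT
# Oracle Management Agent
-A INPUT -s $mgmt -p tcp -m state --state NEW --dport 3872 -j ACCEPT
# NTP service for the Oracle VM servers
-A INPUT -s $mgmt -p udp --dport 123 -j ACCEPT
# everything else: rate-limited log line in the kernel log, then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OVMM-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# rule_allows_port FILE PORT -> succeeds if some ACCEPT rule opens PORT,
# whether as --dport PORT or inside a multiport --dports list
rule_allows_port() {
    grep -- '-j ACCEPT' "$1" | grep -Eq -- "--dports? ([0-9]+,)*$2(,[0-9]+)*( |\$)"
}

# rule_logs_drops FILE -> succeeds if dropped traffic is logged
rule_logs_drops() {
    grep -q -- '-j LOG' "$1"
}

# usage (as root, on Oracle Linux 5/6 style init):
#   gen_ovm_manager_rules 10.0.0.0/24 > /etc/sysconfig/iptables
#   service iptables restart
gen_ovm_manager_rules 10.0.0.0/24
```

The default INPUT policy is DROP, so anything not listed is refused; the LOGDROP chain writes a rate-limited line per blocked connection to the kernel log, which is the failed-connection logging the table asks for. Keep the management CIDR tight: the Oracle VM Manager GUI gives every account root-level control of all managed objects, so network reachability is the only coarse control left at this layer.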
By default, Oracle Linux and Oracle VM permit ssh access using the root superuser account.
Systems administrators should access the Oracle VM Manager and Oracle VM Servers with non-root individual user accounts and use sudo to perform selected administrative tasks. Sudo stands for either "substitute user do" or "superuser do".
Root ssh access should be disabled on the Oracle VM Manager host. Sudo should be used to configure fine-grained permissions that allow administrative users to perform selected administrative tasks, with logging.
To disable root ssh access, edit the default /etc/ssh/sshd_config file, uncomment the PermitRootLogin yes line and change yes to no; that is, PermitRootLogin no. Then restart the sshd service by typing service sshd restart to apply the change.
The visudo command is used to edit the /etc/sudoers file. Consult the sudoers man page for sudo configuration details.
One of the most important security measures that can be taken with Oracle VM is to prevent unauthorized access to the root user account by disabling root ssh access. A best practice is to allow access only from non-root individual user accounts that can be audited, disabled, expired and managed using sudo.
Note: All sudo user access is tracked and logged in the /var/log/secure file.
SSH login banners present a definitive warning or disclaimer to all users who wish to access your systems using SSH. SSH login banners should make clear which kinds of activity are illegal and advise legitimate users of their obligations regarding the acceptable use of the system.
Pre-login and post-login SSH banners should be configured on each Oracle VM Manager host.
Next, create the file referenced by the Banner directive in /etc/ssh/sshd_config and add your login banner text:
This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
Once the file is created and the banner text is added and saved, restart sshd by typing service sshd restart.
For the post-login banner, edit /etc/motd and add your login banner text:
This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
No sshd restart is required for /etc/motd; sshd reads the file each time a user logs in, so the change takes effect at the next login.
To be able to successfully prosecute people who misuse a computer, the computer must display a warning banner at all access points.
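The steps above (PermitRootLogin no, a pre-login banner, a sudo rule for the administrators' accounts) as one script, added here as an example rather than taken from the Oracle Cloud Cookbook. It edits a copy of sshd_config so the result can be reviewed before touching /etc/ssh/sshd_config on a live host. Assumptions of mine: the pre-login banner file is /etc/issue.net, the administrators belong to a group named ovmadmins, and the command list in the sudoers fragment is illustrative.

```shell
#!/bin/sh
# Added example, not Oracle's or Mokum's code.

# set_sshd_option CONFIG KEY VALUE: rewrite every KEY line (commented or not)
# as "KEY VALUE", or append it when the keyword is absent. sshd honours the
# first occurrence of a keyword, so a leftover duplicate is harmless.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$cfg"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${val}|" "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        echo "$key $val" >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# get_sshd_option CONFIG KEY -> value of the first active KEY line, or empty
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd CONFIG BANNER_PATH: disable root ssh and show a pre-login banner
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Banner "$2"
}

# write_banner FILE: the warning text from the section above
write_banner() {
    cat > "$1" <<'EOF'
This system is restricted to authorized access only. All activities on this
system are recorded and logged. Unauthorized access will be fully investigated
and reported to the appropriate law enforcement agencies.
EOF
}

# write_sudoers_dropin FILE: a fine-grained sudoers fragment. Listing commands
# explicitly (no ALL) keeps the privilege narrow; every invocation is logged
# through syslog authpriv, which is /var/log/secure on Oracle Linux.
write_sudoers_dropin() {
    cat > "$1" <<'EOF'
Cmnd_Alias OVM_OPS = /sbin/service sshd restart, /sbin/service ntpd restart, \
                     /usr/bin/tail /var/log/secure
%ovmadmins ALL=(root) OVM_OPS
EOF
}

# check_sudoers FILE: syntax-check with visudo when available; a broken
# sudoers file locks every administrator out once root ssh is disabled
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then visudo -c -f "$1"; else echo "visudo not found; check skipped"; fi
}

# demo on scratch copies (no root needed)
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin yes\nBanner none\n' > "$d/sshd_config"
    write_banner "$d/issue.net"
    harden_sshd "$d/sshd_config" "$d/issue.net"
    write_sudoers_dropin "$d/ovmadmins"
    echo "PermitRootLogin=$(get_sshd_option "$d/sshd_config" PermitRootLogin)"
    echo "Banner=$(get_sshd_option "$d/sshd_config" Banner)"
}
demo
```

On the real host, run `harden_sshd /etc/ssh/sshd_config /etc/issue.net`, check the result with `sshd -t` and `service sshd restart` from a second, already open session so a mistake cannot lock you out, and install the sudoers fragment under /etc/sudoers.d only after `check_sudoers` reports it parsed OK.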
Log file analytics solutions can be used to collect and centrally analyze security-relevant and operations-relevant events.
Log file analytics simplifies security management for the detection of attacks and intrusions.
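The events the preceding sections ask to be logged (iptables drops, ssh authentication failures, attempts against root, sudo use) are only useful if someone reads them. As an added example (not from the Oracle Cloud Cookbook), the awk-based functions below summarize those events from a syslog-format file. The sample lines are constructed for this example in the rsyslog layout Oracle Linux uses for /var/log/secure and /var/log/messages; the "OVMM-DROP: " prefix is whatever --log-prefix the iptables LOG rule carries and is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle's code. Summarizes security events from syslog
# lines; feed it the collected /var/log/secure and /var/log/messages.

# sample_log FILE: constructed sample lines for a stand-alone run
sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 ovmm kernel: OVMM-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=7002
Mar  3 10:01:13 ovmm kernel: OVMM-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=54322
Mar  3 10:01:15 ovmm sshd[2231]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar  3 10:01:19 ovmm sshd[2231]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar  3 10:02:01 ovmm sudo:     dba1 : TTY=pts/0 ; PWD=/home/dba1 ; USER=root ; COMMAND=/sbin/service sshd restart
Mar  3 10:03:40 ovmm sshd[2250]: Accepted publickey for dba1 from 10.0.0.20 port 40022 ssh2
Mar  3 10:04:02 ovmm sshd[2260]: Failed password for invalid user admin from 198.51.100.7 port 3301 ssh2
Mar  3 10:05:00 ovmm kernel: OVMM-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=3310 DPT=22
EOF
}

# dropped_by_src FILE PREFIX -> "count source" for firewall drops, busiest first
dropped_by_src() {
    awk -v p="$2" 'index($0, p) { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
                   END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# failed_logins FILE -> "count user source" for failed ssh password attempts,
# including attempts against accounts that do not exist
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             u = $0; sub(/.*Failed password for (invalid user )?/, "", u); split(u, f, " ")
             n[f[1] " " f[3]]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# root_attempts FILE -> number of ssh attempts against root; with
# PermitRootLogin no these can never succeed, but they still show who is trying
root_attempts() {
    grep -c 'sshd\[[0-9]*\]: .* for root from ' "$1"
}

# sudo_commands FILE -> "user command" for every sudo invocation
sudo_commands() {
    awk '/ sudo: / { u = $6; c = $0; sub(/.*COMMAND=/, "", c); print u, c }' "$1"
}

f=$(mktemp)
sample_log "$f"
echo "firewall drops by source:";   dropped_by_src "$f" 'OVMM-DROP: '
echo "failed ssh logins:";          failed_logins "$f"
echo "attempts against root: $(root_attempts "$f")"
echo "sudo usage:";                 sudo_commands "$f"
```

A source that appears in both the drop list and the failed-login list, as 203.0.113.9 does in the sample, is scanning the management host; that correlation is the kind of thing the central log store should alert on rather than leaving it for a quarterly review.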
This table outlines the decision points for Oracle VM server security controls. For decisions that depend upon preexisting factors or specific organizational needs, the proper best practice will be identified during the infrastructure assessment (IA) and gap analysis (GA). The best practices should be analyzed carefully, and decisions should be made based on organizational needs, existing architecture, and budget and resource availability.
Oracle VM Servers hosting Internet-facing virtual machines may be placed in a DMZ in which the Oracle VM servers themselves have no connectivity to the Internet or to internal network segments, to reduce the attack surface.
Oracle VM Servers in a DMZ must be restricted from inbound and outbound Internet connectivity to reduce the attack surface.
Before any Oracle VM servers are placed on the production network, a standard build process should be executed to ensure all Oracle VM servers are installed, configured and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
An Oracle VM server build document provides employees with an approved procedure to install and configure Oracle VM server. An Oracle VM server build document is used together with other IT infrastructure policies to address the interoperability and security of Oracle VM in the context of the entire information system.
A key component of a successful Oracle VM deployment is acquiring and vetting new releases, patches and updates for production systems. New Oracle VM releases, patches and updates should be researched to identify which release, patches and updates are applicable to your environment. Newly released versions, patches and updates must be vetted before being deployed into production.
Oracle VM Servers should be configured to use local custom yum repositories. Local yum repositories with a point-in-time static channel for each supported Oracle VM release ensure that all like Oracle VM servers are patched in a consistent manner throughout the organization.
Integrated graphical CPU, memory, disk and network performance monitoring, alerting, and historical reporting for hosts and guests.
Functionality to manage host CPU, memory, storage and network resource allocation.
Functionality to manage guest CPU, memory, disk and network resource allocation.
Functionality to create, stop, start, pause, migrate, clone and provision guests.
This policy is subject to annual review.
All information technology investments shall conform to existing policies in order to ensure the integrity and interoperability of computing platforms.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The following example Hardware and Software Sunset Policy defines an organization's hardware and software sunset policy. This policy is intended for informational purposes only.
The purpose of this policy is to establish hardware and software sunset requirements. In an ongoing effort to meet business requirements, reduce IT costs and provide reliable, high-quality IT services, Company Name periodically sunsets (retires) old hardware and software. Once sunsetted, active support and all business services for the product are discontinued. Sunsetting older versions of hardware and software allows Company Name to focus resources on enhancing IT services and on providing support for more current, secure and stable products. In most cases, replacement costs for products identified for sunset are less than the costs of continued support and maintenance. The Sunset policy will result in better customer support and reduced costs. This policy provides controls to ensure enterprise issues are considered in addition to business objectives when sunsetting hardware and software.
The scope of this policy encompasses server, desktop and network hardware platforms, operating systems and software.
Products that have reached the end of their life cycle and are no longer supported by a vendor will be given a sunset date. The sunset date is when the product is scheduled to be removed from production. The sunset date will be set far enough in advance to give Company Name at least one budget cycle to fund and plan for the replacement. When a particular version of hardware or software is scheduled to be sunsetted, Company Name will provide the affected users with advance notice via email.
A Sunset list will be used to track all hardware and software sunset dates. In order to keep the sunset list up to date, Company Name will update the sunset list quarterly with hardware and software for review. Department managers with staff who use products on the sunset list will be notified quarterly via email about the sunset review process and sunset dates.
If you are currently using software that has been designated sunset and would like to extend support, you will have to acquire a version that meets the current minimum standards as defined in the Company Name Software Standards. If you are currently using hardware that is designated sunset, any technical issue with the unit will trigger a replacement process with a unit that meets the current minimum standards as defined in the Company Name Hardware Standards.
Hardware four years or older.
Operating systems that have reached their sunset date or are no longer supported by the vendor.
Proprietary application software that is no longer supported by the vendor.
Open Source application software that is no longer supported by the community.
Application software that does not support the Company Name centralized authentication and authorization system.
This policy is subject to annual review.
All information technology investments shall conform to existing policies in order to ensure the integrity and interoperability of computing platforms. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The platform architecture domain defines the roles, policies, standards and decision-making criteria for the purchase and deployment of all computing and data storage hardware and operating systems for servers, desktops and handheld devices.
The network architecture domain defines the network infrastructure and explains how data flows between systems, computers and devices on the network. It defines the technologies used to enable reliable, secure communication on LAN, WAN and wireless networks. Architects that develop or review network architecture policies must understand the Oracle VM architecture and end-user access requirements to ensure reliable and available network access to resources via Oracle VM.
List 2 shows a partial list of the layered policies in the network architecture domain.
Note: The policy infrastructure of an organization directly reflects the mission and business objectives of the business. The above list is for educational purposes only.
Network infrastructure enables reliable and secure communication between information systems and all related computing platforms. The network architecture domain, with its layered policies, takes into account the Oracle VM architecture and supporting computing platforms to ensure reliable and secure communications over a wide variety of networks.
The following example is an abbreviated network architecture policy. The goal of this example is to illustrate the relationship between a high-level network architecture policy and Oracle VM. This policy is intended for informational purposes only.
The purpose of this policy is to establish network architecture requirements that describe how information processing resources are interconnected according to topology standards, transport media, and the protocols used to provide converged services, including traditional data, voice, and video services. This policy provides controls that ensure enterprise issues are considered as well as business objectives when making network architecture related decisions. The scope of the architecture in this policy includes a network infrastructure that enables converged services, such as traditional data, voice and video services.
The CEO and CIO ensure that policies are followed in order to establish contracts and procurement requests and to develop and manage services.
Networks should be operational, reliable and available 24x7x365 to support mission-critical business operations.
Networks must be designed for security, growth and adaptability.
Network architecture shall use proven open industry standards.
Network architecture will support converged services while accommodating traditional data, voice and video services.
Local Area Network (LAN): A local area network is a communications system that covers a small local area, such as an office or building.
Wide Area Network (WAN): A wide area network is a communications system that spans a large geographical area.
Network architecture protocols provide the rules that support access and communication.
Network architecture evaluates network technologies for flexibility, scalability, and interoperability with existing technologies.
All technology investments shall comply with existing policies in order to ensure the integrity and interoperability of computing platforms.
The example network architecture policy illustrates how a policy is used to define network architecture requirements and to describe how information processing resources are interconnected.
Unlike the system architecture domain policies that govern Oracle VM, the network architecture domain establishes the foundation to plan, build, run and monitor the network infrastructure. Architects that oversee the development or review of network architecture policy must understand the Oracle VM architecture and end-user access requirements to ensure reliable and available network access to resources via Oracle VM.
Figure X shows the elements of a Risk Assessment.
In terms of information security, there are numerous advantages to employing Risk Management and Risk Assessments. The advantages include the ability to identify, quantify and manage risk in conjunction with cost justification. Many IT organizations use Risk Assessments to educate management on security awareness and to justify spending to shore up the security posture of their environments.
Tip: For assessing Information Technology risk, review NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. It is a detailed guide on how to conduct a Risk Assessment and determine suitable technical, management and operational security controls.
The following example is a Risk Assessment Policy from the SANS Policy Project. It is used to sanction InfoSec to perform periodic information security Risk Assessments (RAs) in order to determine areas of vulnerability and, where applicable, to initiate remediation. This policy is intended for informational purposes only.
To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability and to initiate appropriate remediation.
Risk assessments can be conducted on any entity within Company Name or any outside entity that has signed a Third Party Agreement with Company Name. RAs can be conducted on any information system, to include applications, servers and networks, and any process or procedure by which these systems are administered and/or maintained.
The execution, development and implementation of remediation programs is the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The preceding Risk Assessment Policy was presented to demonstrate how organizations use policy to communicate management's endorsement of InfoSec to complete a Risk Assessment. The policy states that InfoSec can conduct a Risk Assessment on any entity inside the organization or on any outside entity that has signed a Third Party Agreement. The execution, development and implementation of remediation is a joint engagement between InfoSec and the department responsible for the assessed systems.
The next section reviews an Enterprise Security Policy. An Enterprise Security Policy is used to bridge the gap between technical and administrative security controls, which are used together to teach employees and business partners how to access systems and consume data securely.
An organization's Enterprise Security Policy is an essential part of an information security program because it encompasses the human factor of information security. It provides organizations with a way to educate employees on acceptable system usage, corporate conduct and overall information security. It is one of the first measures in enforcing information security; therefore, it is typically presented to employees during new hire training. Most organizations require new employees to read and sign an Enterprise Security Policy before they are granted access to any corporate voice or data communication system.
The following example is an Enterprise security policy designed for employees and business partners. It illustrates how a security policy can communicate acceptable system usage while promoting information security. This security policy is intended for informational purposes only.
The primary purpose of this Security Policy is to inform employees and non-employees working for or with Company Name assets of their shared responsibility to ensure the security of Company Name systems and corporate data. InfoSec is responsible for auditing and policy compliance. Human Resources is responsible for ensuring that all employees and non-employees working for or with Company Name assets have read and signed this Security Policy before they gain access to any Company Name voice and data communication systems.
This Security Policy applies to all employees and non-employees at Company Name. This policy applies to all equipment and assets that are owned or leased by Company Name.
All voice and data communication systems and related transmitted information, including but not limited to computer equipment, software, systems, storage media, and network accounts providing e-mail, Internet browsing and FTP, are the property of Company Name. Company Name has the right to monitor and review usage of all voice and data communication systems at any time. These systems are to be used for business purposes serving the interests of Company Name.
Human Resources' purpose is to provide new hire training, to deliver a security awareness program, and to ensure that all employees and non-employees have read and signed this Security Policy before they gain access to Company Name systems. This department also ensures that up-to-date policies are readily available to employees.
Management ensures that all personnel have reviewed this policy and are in compliance, and is to contact InfoSec immediately if a policy violation is discovered.
InfoSec develops and maintains security policies, identifies and deploys automated security controls, and audits for policy compliance.
Employees should review this policy and all policies referenced herewith to maintain compliance.
Unauthorized Networks (Wireless, Modems)
Physical security is an essential part of the Company Name information security program. Physical security forms the basis for all other security efforts, including data security. Company Name employs physical security controls for its employees and assets. These controls must be followed by all Company Name employees:
Wear your badge at all times while on company property.
Lock your office door or cubicle storage when you leave your work area.
Lock your computer when stepping away from your work area.
Log off your workstation at the end of the working day.
Escort, observe and supervise guests for their entire visit.
Watch out for tailgaters. Tailgaters wait for an authorized person to enter a controlled area, such as through a locked door, and then follow them through the door.
Shred or otherwise destroy all sensitive information and media when it is no longer needed.
Do not allow anyone to add hardware or software to your computer without proper authorization.
Do not allow the removal of corporate assets without ensuring that the person removing them has proper authorization.
Report suspicious activities to your manager.
Internet usage is provided as a business service for the purpose of supporting Company Name business activities and occasional personal use as defined in the Acceptable Use Policy. Information found on the Internet may not be reliable and should be considered suspect until confirmed by a reliable source. All Internet access is monitored and logged.
Corporate email access is provided as a business service for the purpose of supporting Company Name business activities as defined in the Acceptable Use Policy. Email is not a secure medium and care must be taken with regard to the information sent by email. Accessing personal email systems such as Hotmail, Yahoo, or Gmail is prohibited.
Employees may have access to confidential information about the Company, our employees or clients. With the approval of management, employees may use email to communicate confidential information to those with a need to know. Such email must be labeled Confidential. When in doubt, do not use email to communicate confidential material. All email activity is monitored and logged.
Viruses, worms and Trojan horses are examples of malware programs that can cause significant damage to Company Name data and resources. They can destroy, alter or disclose confidential information in a variety of ways and damage the reputation of Company Name as well as the reputation and credibility of Company Name employees. Company Name employs anti-virus controls for its computers and employees as defined in the Acceptable Use Policy.
Ensure that the corporate standard anti-virus software is installed on desktops and notebooks.
Employees will not use a computer without anti-virus software on Company Name's network, nor will they disable it.
Do not open any email attachments from an unknown, suspicious or untrustworthy source. Delete these attachments immediately. Then double delete them by emptying your Trash.
Log analysis tools will parse records from multiple sources and protect the original log data in the event the log records are used in legal proceedings.
Log retention requirements are governed by the Record Retention Policy.
Log disposal requirements are governed by the Media Sanitization Policy.
This policy will be reviewed annually.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This section reviews incident response capabilities and introduces an example Incident Response Policy. The section begins with a brief overview of incident response capabilities and an introduction to NIST Special Publication 800-61, and concludes with an example Incident Response Policy. Incident Response is a field unto itself, and a detailed review of its principles, processes, and approach is beyond the scope of this book. This section shows the importance of incident response capabilities, introduces additional references and shows how Incident Response relates to an Oracle private cloud.
Even with the most sophisticated, state of the art security systems and effective policies, security incidents will occur. The most common security incidents are viruses, malware, laptop theft and employee network abuse. Less common security events are denial of service attacks, sabotage, intellectual property theft, fraud and system penetration from external sources. Sooner or later, every organization will have to respond to a security incident. A quick, well orchestrated response will minimize loss and damage; on the other hand, a poor response can result in financial, legal, and public relations problems.
An Incident Response Policy is used to define how an organization responds to security incidents. It is an action oriented policy that provides guidance to quickly detect security incidents, minimize loss, mitigate exploited weaknesses and rapidly restore services. The majority of the Enterprise Architecture policies reviewed in this book have been passive policies that provide guidance on appropriate systems usage, technology standards, system design, system configurations and auditing. An Incident Response Policy is an action oriented policy that requires quick and efficient execution in order to protect an organization's assets.
In terms of Oracle VM, security incidents can occur at the hypervisor and virtual machine layers. Examples of incidents that originate from the hypervisor and virtual machine layers are malware infection, network abuse, sabotage, intellectual property theft and fraud. These types of security incidents are generally discovered by technical or administrative security controls, an audit or an employee. When one of these security incidents is detected, an Incident Response Policy is the primary administrative control used to mitigate damages.
Organizations that must comply with regulatory mandates must undergo regular audits to validate incident response capabilities. A variety of widely adopted guidelines can be used to help organizations understand how to implement incident response capabilities. Two examples of such guidelines are ISO/IEC 17799 section 13 and NIST Special Publication 800-61.
NIST Special Publication 800-61 is a free, 148-page Computer Security Incident Handling Guide that contains eight chapters and ten appendixes. The goal of NIST Special Publication 800-61 is to assist organizations in establishing computer security incident response capabilities. It is an in-depth document that is widely adopted and used in both the public and private sectors to implement incident response capabilities. Topics covered include:
Organizing a computer security incident response capability.
Establishing incident response policies and procedures.
Structuring an incident response team.
Handling incidents from initial preparation through the post-incident lessons learned phase.
Handling specific types of incidents.
The following Incident Response Policy defines how a company responds to security incidents. The example policy starts with a Purpose and Scope statement and then proceeds with the policy. This policy was created for informational purposes only.
The purpose of this policy is to define a formal reporting and response procedure to be followed when responding to security incidents. Implementing formal reporting and response procedures ensures that information security events are communicated in a manner allowing timely corrective action to be taken while applying a consistent approach to the management of information security incidents.
This policy applies to all employees and non-employees working for or with Company Name. A security incident is any of the following:
Any potential violation of Federal law, State law, or Company Name policy involving an Information Technology (IT) asset.
A breach, attempted breach or other unauthorized access to a Company Name IT asset.
Any Internet worm, virus, Denial of Service (DoS) attack or related incident.
Any change in a computer system that disables or defeats security precautions.
Any failure in network or computer systems that disrupts IT services.
Any employee or non-employee who violates policy.
A security incident that involves unauthorized physical access to a building or secure location, physical threat, imminent danger or personal safety issue.
An actual or suspected security incident that involves unauthorized access to information systems.
Except for the steps outlined below, it is critical that all investigative or corrective action be taken only by InfoSec personnel. When faced with a potential security incident, employees and non-employees should do the following if the incident involves a compromised computer:
Do not change the state of the computer system.
The computer should remain on and all currently running programs should be left as they are.
Do not shut down or restart the computer.
Immediately disconnect the computer from the network by removing the cable from the back of the computer.
Report the security incident to InfoSec.
InfoSec staff will first determine whether the Security Incident justifies a formal incident response. In cases where a Security Incident does not require an incident response, the matter will be forwarded to the appropriate area of operations so that all required technology support services are rendered.
An incident response may consist of bringing a critical system back online, gathering evidence, taking appropriate legal action against individuals, or in some cases notifying appropriate ISPs or other third parties of inappropriate activity originating from their network.
Figure 2 shows the Oracle Unbreakable Linux Network Login screen.
On the Register a System Profile screen, type in the name of the profile and the hostname, then use the keyboard spacebar to select or unselect the Include this information about hardware and network option to save or not save the hardware and network details in the System Profile. Use the Alt key to select the Next tab. Once the Next tab is selected, press the Enter key to proceed.
Note: The information gathered during the system profile step is stored in your user profile in the Oracle Unbreakable Linux Network.
Figure 3 shows the Register a System Profile screen.
Step 4. Register a System Profile - Packages
On the Register a System Profile - Packages screen, use the keyboard spacebar to select or unselect the Include RPM packages installed on this system in my System Profile option to save or not save the RPM packages installed on the system in the System Profile. Use the Alt key to select the Next tab. Once the Next tab is selected, press the Enter key to proceed.
Figure 4 shows the Register a System Profile - Packages screen.
Step 5. Send Profile Information to the Unbreakable Linux Network
From the Send Profile Information to the Unbreakable Linux Network screen, accept the defaults and use the Alt key to select the Next tab. Once the Next tab is selected, press the Enter key to proceed.
Figure 5 shows the Send Profile Information to the Unbreakable Linux Network screen.
On the Review Subscription Details screen, review the subscription details and use the Alt key to select the OK tab. Once the OK tab is selected, press the Enter key to proceed.
Figure 6 shows the Review Subscription Details screen.
On the Finish Registration screen, use the Alt key to select the Finish tab. Once the Finish tab is selected, press the Enter key to close the window.
Figure 7 shows the Finish Registration screen.
The Oracle Linux host is successfully registered.
Access ULN, enable YUM, and select RPM channels
Installing Apache from the Unbreakable Linux Network is accomplished by typing the following command:
Once Apache is installed, configure Apache to start automatically by typing:
Next, start Apache by typing:
Now, with Apache installed and running, test Apache by pointing a web browser at the fully qualified domain name (FQDN) or the IP address of the Apache Web server. You should see the default Apache test page as shown in Figure 8.
If you do not see the default Apache test page, verify whether iptables is blocking http traffic on the Apache host. Consider disabling iptables to test Apache; as root type:
Next, as root, create the yum repository base directory in /var/www/html by typing:
Once your yum server is registered and Apache has been installed and configured, log in to the Oracle Unbreakable Linux Network and click the Systems tab to enable yum and select RPM channels. From the Systems tab select your yum server to access its System Details page.
Figure 9 shows the Oracle Unbreakable Linux Network Home page with the Systems tab highlighted.
From the Systems tab click your yum server to access its System Details page. From the yum server's System Details page click the Edit button, as shown in Figure 10.
Next, click the Manage Subscriptions button, as shown in Figure 12.
From the Manage Subscriptions page select the Add ons channel for the yum server's operating system version. The Add ons channel is required to install the yum server prerequisite packages. In this example Oracle Linux 6 Add ons (x86_64) was selected since the example yum server is Oracle Linux 6 x86_64. Next, move all of the desired RPM channels from the Available channels window to the Subscribed channels window. The RPM channels listed in the Subscribed channels window will be downloaded to your yum server using the uln-yum-mirror script. The uln-yum-mirror package is found in the Add ons channel. Next, click the Save Subscriptions button to save the changes, as shown in Figure 13.
Tip: Review the Channel Legend for details about each RPM channel.
The yum server is successfully set up with the Oracle Unbreakable Linux Network.
The next step is to install the yum server prerequisite packages: yum-utils for Oracle Linux 5 and 6, uln-yum-proxy for Oracle Linux 5, and uln-yum-mirror for Oracle Linux 6. As root type this command:
Tip: OCFS2 does not account for disk space exhaustion, including space for virtual machine files and volume metadata. OCFS2 metadata can consume over 6% of an OCFS2 volume's free disk space. Plan accordingly, or once your OCFS2 volumes become 95% full they may go read only.
The third layer is the virtual machine front-end storage, consisting of multiple guest storage options such as file-based storage and Raw Device Mappings. Raw Device Mapping of SAN LUNs to individual guests for data/database files provides the best performance of the two front-end storage options. In most cases, Raw Device Mappings are the only option for high I/O workloads such as Oracle databases.
Multipathing is the technique of creating more than one physical path between a server's CPU and its storage devices. It results in better fault tolerance and improved performance. By default Oracle VM uses the open source solution dm-multipath.
EMC PowerPath can provide up to 20% better read and write performance compared with dm-multipath.
Oracle VM uses a total of five discrete networks: Server Management, Cluster Heartbeat, Live Migration, Storage and Virtual Machines.
The exact number of network interfaces for an Oracle VM server depends entirely on your organization's business requirements and network and storage infrastructure capabilities. For example, an Oracle VM server with four 10G NICs, configured as two 802.1Q bonds, could support the most demanding network and storage requirements with only four 10G NICs. By contrast, an Oracle VM server using access ports/port-based VLANs or 802.1Q tag-based VLANs on a 1G copper network could easily use 8 or more NIC ports to satisfy the minimum network requirements.
Each Oracle VM server pool must have a discrete network for Server Management, Cluster Heartbeat, Live Migration, Storage and Virtual Machines. Isolating the Cluster Heartbeat, Live Migration and Storage networks is important to protect the servers from OCFS2 heartbeat interruptions, which can cause pool members to fence from the pool and reboot.
Each Oracle VM server must be assigned a unique IP address on the Server Management, Cluster Heartbeat, Live Migration and Storage networks.
Oracle VM server pools should be designed with excess RAM capacity to accommodate the memory requirements of virtual machines that could migrate to or start on any pool member.
Oracle VM server does not support memory oversubscription, so an Oracle VM server cannot accept DRS, Live Migration or HA requests unless the server has available RAM for the virtual machines. Having excess RAM on each Oracle VM server is necessary for growth, Distributed Resource Scheduling, Live Migration and HA.
Contemporary CPUs from Intel and AMD have NUMA architectures. NUMA stands for Non-Uniform Memory Access. With NUMA each physical CPU (pCPU) is assigned local memory. An assigned processor-memory pair is called a NUMA node. Local memory access from CPUs on the same socket has significantly lower latency than remote memory access from CPUs on a different socket.
Oracle VM supports NUMA using a Xen feature called NUMA aware scheduling. NUMA aware scheduling assigns a virtual machine's vCPUs (virtual CPUs) to a NUMA node as a NUMA client. If a virtual machine has multiple vCPUs, the NUMA scheduler will always assign the virtual machine's vCPUs to a single NUMA node to maintain memory locality. For example, an Oracle Database virtual machine with 32 vCPUs assigned to a single NUMA node with 20 threads would be oversubscribed. CPU-bound workloads, such as Oracle Databases, should not run on Oracle VM servers with oversubscribed CPUs.
If you are supporting virtual machines with more vCPUs than their NUMA node has, disable NUMA. Xen NUMA aware scheduling will place a virtual machine with 32 vCPUs on a single NUMA node even when the node does not have 32 cores or threads, essentially oversubscribing the virtual machine's vCPUs.
The security controls used to secure Oracle VM are similar to the security controls used to protect your existing physical and virtual IT resources. As with physical and virtual IT resources, securing Oracle VM depends on the security posture of each of its components, from the facility, hardware, hypervisor, network, and storage to the virtual machine operating systems and installed applications. In short, if the organization has a security policy for virtualization, networking, storage, operating systems and applications, those security policies can and should be applied to Oracle VM.
Security controls should be applied using industry standard frameworks and standards within the context of the organization's Enterprise Architecture (EA). Organizations use their Enterprise Architecture to understand how Oracle VM fits into their information system. An Enterprise Architecture is articulated in diagrams and written policies that comprise organizational standards and practices to plan, build, run, and monitor technologies, including Oracle VM.
Enterprise Architecture has well defined principles and procedures and an approach that generates a comprehensive, layered policy infrastructure used to communicate management's goals, instructions, procedures, and response to laws and regulatory mandates. A policy infrastructure includes written tier 1, tier 2, and tier 3 policies that encompass people, systems, data, and information. Policies are separated into high level policies and lower level standards, procedures, baselines, and guidelines.
Oracle VM policies typically fall within the layered policy infrastructure in the platform architecture domain. Platform architecture policies are the foundation used to manage the complete lifecycle of an Oracle VM environment.
This table outlines the decision points for Oracle VM Manager security controls. For decisions that depend on preexisting factors or specific organizational needs, the appropriate best practice will be discovered in the infrastructure assessment (IA) and gap analysis (GA). The best practices should be analyzed carefully and decisions should be made based on organizational needs, existing architecture, and budget resource availability.
The Oracle VM Manager application was not designed to be an Internet facing application. If Internet access is a requirement for Oracle VM Manager, VPN access should be used to reach the Oracle VM Manager GUI.
With Oracle VM, accurate time is essential to maintain system stability because of time-sensitive cluster transactions between Oracle VM servers. Without accurate time, Oracle VM clusters can be brought to a complete standstill.
A best practice is to have two internal NTP servers on the local network to provide time services for internal systems and devices. Using internal time servers normalizes system event time-stamps across the Enterprise and reduces NTP Internet bandwidth usage.
If internal time servers are not an option, set up the Oracle VM Manager host as the upstream NTP time host to synchronize with upstream Coordinated Universal Time (UTC) sources and to provide time services to Oracle VM servers.
Up to Oracle VM Release 3.2, the RAS proxy (Remote Access Service) Java applet was used to proxy virtual machine console traffic from Oracle VM Manager to the administrator's client PC. An Oracle VM Manager administrative account is a requirement to access a virtual machine's console. Any firewall between Oracle VM Manager and the administrator's client PC connecting to a virtual machine console must have TCP port 15901 open for the RAS proxy.
Oracle VM Manager does not support role based access control. All administrative users with access to the Oracle VM Manager GUI have root administrative access to all of the objects managed by Oracle VM Manager, including all of the virtual machine consoles.
All Oracle VM administrative users have root access to all of the objects managed by Oracle VM Manager. Virtual machine users such as DBAs and application administrators should only have access to their virtual machines, not root access to all of the objects managed by Oracle VM Manager.
If an Oracle VM Manager account is not an option for a user, for example for DBAs, Operations, or application administrators, Oracle VM role based access control can be configured using Enterprise Manager Cloud Control. With Cloud Control, Roles can be assigned to limit access to only select virtual machines, or to grant read only access to the Oracle VM Manager objects.
The iptables service can be enabled on each Oracle VM Manager host using a ruleset managed in /etc/sysconfig/iptables. In order to use Oracle VM Manager, the Core API and the Oracle Management Agent with iptables, it is necessary to open TCP ports 7001, 7002, tcp-54321 or tcps-54322, 15901 and 3872, as well as UDP 123.
Firewalls are the first line of defense in network security. Firewalls should be used to filter network traffic between security domains. Host firewalls, such as iptables, are a fundamental part of information security that protect hosts from attacks and intrusions.
Iptables failed connection logging should be enabled on each Oracle VM Manager host.
Failed connection logging is a fundamental part of information security that enables detection of attacks and intrusions.
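The following script, added here as an example and not part of the Oracle Cloud Cookbook or of Oracle VM, generates an /etc/sysconfig/iptables ruleset that opens only the Oracle VM Manager ports listed above and logs every refused connection attempt before dropping it. It assumes a stateful INPUT policy, that ssh (TCP 22) stays open for administration, and a constructed management subnet placeholder in MGMT_NET.

```shell
#!/bin/sh
# Example (not from the Oracle Cloud Cookbook): emit an iptables-save format
# ruleset for an Oracle VM Manager host. MGMT_NET is a constructed placeholder
# for the management subnet the Oracle VM servers and admin clients live on.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Ports from the text: WebLogic GUI/API 7001 7002, Core API 54321 (tcp) or
# 54322 (tcps), RAS console proxy 15901, Oracle Management Agent 3872, NTP 123.
# TCP 22 is an assumption: ssh administration with non-root accounts.
OVMM_TCP_PORTS="22 7001 7002 54321 54322 15901 3872"
OVMM_UDP_PORTS="123"

# Print the complete ruleset to stdout (review it before writing it to
# /etc/sysconfig/iptables).
ovmm_iptables_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':OVMM-LOG-DROP - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
    for p in $OVMM_TCP_PORTS; do
        echo "-A INPUT -s $MGMT_NET -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    for p in $OVMM_UDP_PORTS; do
        echo "-A INPUT -s $MGMT_NET -p udp -m udp --dport $p -j ACCEPT"
    done
    # Anything else is a failed connection: log it (rate limited so syslog
    # cannot be flooded), then drop it. The prefix makes the events easy to
    # pull out of /var/log/messages for review or forwarding.
    echo '-A INPUT -j OVMM-LOG-DROP'
    echo '-A OVMM-LOG-DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OVMM-DROP: " --log-level 4'
    echo '-A OVMM-LOG-DROP -j DROP'
    echo 'COMMIT'
}

# Self-check helper: number of ACCEPT rules that open the given TCP port
# (0 means the port is not opened by this ruleset).
ovmm_tcp_port_opened() {
    ovmm_iptables_rules | grep -c -e "-p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT" || true
}

# To install on the Oracle VM Manager host, as root:
#   ovmm_iptables_rules > /etc/sysconfig/iptables && service iptables restart
```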
By default, Oracle Linux and Oracle VM permit ssh access with the root super user account.
Systems administrators should access the Oracle VM Manager and Servers with non-root individual user accounts and use sudo to perform selected administrative tasks. Sudo stands for either substitute user do or super user do.
Root ssh access should be disabled on the Oracle VM Manager host. Sudo should be used to configure fine-grained permissions that permit administrative users to perform selected administrative tasks with logging.
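The script below is an added example, not code from the Oracle Cloud Cookbook, showing how to check whether root ssh login is really disabled and how to hand out selected tasks through sudo instead. It relies on one detail that is easy to get wrong: sshd honours the first effective PermitRootLogin line in sshd_config, so a hardening line appended at the end of the file is silently ignored if an earlier line says yes. The group name ovmadmins, the ovmm service name and the sudo log path are assumptions.

```shell
#!/bin/sh
# Example (not from the Oracle Cloud Cookbook): audit and correct root ssh
# access on an Oracle VM Manager host, and generate a sudoers fragment.

# Print the effective PermitRootLogin value of the given sshd_config.
# sshd takes the FIRST occurrence of a keyword; comments are ignored and
# "Keyword=value" is accepted as well as "Keyword value". Match blocks are
# not handled. When the keyword is absent the pre-OpenSSH-7.0 default (the
# Oracle Linux 5/6 releases discussed here) is "yes".
sshd_effective_permit_root_login() {
    v=$(sed -e 's/#.*//' -e 's/=/ /' "$1" \
        | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    echo "${v:-yes}"
}

# Exit 0 when root ssh logins are disabled, 1 otherwise (usable in audits).
sshd_root_login_disabled() {
    [ "$(sshd_effective_permit_root_login "$1")" = "no" ]
}

# Print a copy of the config with every existing PermitRootLogin line
# commented out and a single "PermitRootLogin no" placed first, where the
# first-match rule guarantees it takes effect.
sshd_config_with_root_login_disabled() {
    echo 'PermitRootLogin no'
    sed -e 's/^[[:space:]]*[Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn]/# &/' "$1"
}

# Sudoers fragment for /etc/sudoers.d (validate with "visudo -c -f FILE").
# Members of the assumed group ovmadmins may only run the listed service and
# log-viewing commands as root; every invocation is written to the sudo log.
ovmm_sudoers_fragment() {
    echo 'Defaults:%ovmadmins env_reset, logfile=/var/log/sudo.log'
    echo 'Cmnd_Alias OVMM_SVC = /sbin/service ovmm status, /sbin/service ovmm restart, \'
    echo '                      /sbin/service iptables status, /sbin/service ntpd status'
    echo 'Cmnd_Alias OVMM_LOGS = /usr/bin/tail /var/log/secure, /usr/bin/tail /var/log/messages'
    echo '%ovmadmins ALL = (root) OVMM_SVC, OVMM_LOGS'
}

# Demo on a constructed sshd_config (not from a real host): the trailing
# "no" looks compliant but the earlier "yes" wins.
demo_root_login_audit() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' 'PermitRootLogin no' > "$cfg"
    echo "effective PermitRootLogin: $(sshd_effective_permit_root_login "$cfg")"
    sshd_config_with_root_login_disabled "$cfg" > "$cfg.fixed"
    echo "after fix: $(sshd_effective_permit_root_login "$cfg.fixed")"
    rm -f "$cfg" "$cfg.fixed"
}
```

On the real host the audit is sshd_root_login_disabled /etc/ssh/sshd_config; after replacing the config, reload sshd from a session that is still open.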