CyberSecurity
The ServiceFrame Infrastructure Product is designed and implemented to help prevent a system from being compromised. This paper describes how the product, OS, network, and system servers can work together to achieve better overall security.
A server is software that uses the ServiceFrame Infrastructure to communicate with servers on other computers within a system. A server creates six TCP/IP connections to a sfLocalHub program on the computer where it resides.
A server computer is connected to two independent hub-and-spoke networks. A hub is the computer where program sfMainHub resides. sfMainHub on the hub accepts six TCP/IP connections from each sfLocalHub program instance.
A hub supports standby hub computers, each running its own sfMainHub instance. A TCP/IP connection is created between the hub instances so that they can agree on a single active instance that accepts TCP/IP connections from sfLocalHub.
Some servers will likely support communication to functions outside of the system. These servers should be grouped together onto a set of server computers that permit communication with the outside world.
Administration of computers within a system should be placed on a few system server computers that communicate via the ServiceFrame Infrastructure with all other computers within the system.
The OS and network can and should be configured to limit, by port number, which computers can initiate or accept a TCP/IP connection. A hub computer accepts connections from server computers on one unique configured port. A hub computer initiates and accepts connections to and from other hub computers on another unique configured port.
A server computer initiates connections to a hub computer on a unique configured port. A server computer whose servers communicate with the outside world initiates or accepts connections on a unique port per server-provided functionality.
If the functionality of all server programs omits remote program download and execution, then no network path exists for virus infection.
Most server computers will be configured such that they can only create a TCP/IP connection to a hub computer and cannot accept a TCP/IP connection. If a virus program infects such a computer, it cannot communicate with the outside world.
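The per-port connection policy described above, as an added example that is not part of the ServiceFrame product: a small model that evaluates whether one host role may open a TCP connection to another, then checks the claim that an ordinary server computer has no path to the outside world and accepts no inbound connections. The port numbers, host names and role labels are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product

# Constructed port assignments; the paper only requires that each class of
# connection use its own unique configured port.
HUB_LISTEN_PORT = 7001          # hub accepts server computers here
HUB_PEER_PORT = 7002            # hub <-> standby hub agreement traffic
EXTERNAL_PORTS = {8443, 9443}   # one port per outward-facing functionality

# A few ports to probe; the policy is default-deny for everything else.
CANDIDATE_PORTS = {22, 80, 443, HUB_LISTEN_PORT, HUB_PEER_PORT, *EXTERNAL_PORTS}


@dataclass(frozen=True)
class Host:
    name: str
    role: str   # "hub" | "server" | "external_server" | "outside"


def allowed(src: Host, dst: Host, port: int) -> bool:
    """True if the policy lets src initiate a TCP connection to dst:port."""
    if src.role == "hub" and dst.role == "hub":
        return port == HUB_PEER_PORT                 # active/standby link
    if src.role in ("server", "external_server") and dst.role == "hub":
        return port == HUB_LISTEN_PORT               # spoke initiates to hub only
    if {src.role, dst.role} == {"external_server", "outside"}:
        return port in EXTERNAL_PORTS                # per-functionality ports
    return False                                     # default deny


def reachable(src: Host, dst: Host, ports=CANDIDATE_PORTS) -> set:
    """Ports on which src could open a connection to dst under the policy."""
    return {p for p in ports if allowed(src, dst, p)}


def accepts_any(host: Host, hosts, ports=CANDIDATE_PORTS) -> bool:
    """Does any other host have a permitted inbound path to this host?"""
    return any(allowed(o, host, p) for o, p in product(hosts, ports) if o != host)


if __name__ == "__main__":
    hub_a, hub_b = Host("hub-a", "hub"), Host("hub-b", "hub")
    srv, ext, out = Host("srv-1", "server"), Host("ext-1", "external_server"), Host("internet", "outside")
    everyone = [hub_a, hub_b, srv, ext, out]
    for h in everyone:
        print(f"{h.name:9} -> outside: {sorted(reachable(h, out))}  accepts inbound: {accepts_any(h, everyone)}")
```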
What about denial of service attacks? Such an attack requires public knowledge of a service IP address. A system can limit this exposure to new users only. Each authorized user can be assigned their own private IP address to a server. Furthermore, such an assigned IP address can automatically change over time to limit the possibility of an attacker discovering or guessing it.
The popularity of denial of service attacks will likely decline over time, because affecting only the relatively infrequent event of a new user registering for access causes so little disruption that no news media will bother to report such an incident.