Security of servers, networks, and data has never
been more important than it is today. HP-UX has many tools for securing
your servers and data. For most HP-UX users, securing your servers and
data from unauthorized access ranges from important to critical. Unauthorized
access (whether malicious or accidental) is only one of many threats
to the integrity and security of your data. Others include:

- Accidental destruction or removal of data by poorly behaving software
- Accidental destruction or removal of data by authorized users
- Other hardware failures that corrupt data
- Other hardware failures that prevent access to data
- Physical plant and equipment destruction (for example from fires, floods, and earthquakes)

There are HP-UX based tools to protect your data
from all of these potential threats.

Protecting Against Unauthorized Access to Your Servers and Data

HP-UX can be configured to run in either of two
modes:

- Standard Mode
  Offers traditional security features found in UNIX
  systems (accounts, groups, file access privileges, and so on). Passwords
  are stored (encrypted) in the /etc/passwd file.

  In addition to the traditional security features mentioned previously,
  HP-UX running in standard mode has an extended set of security features
  (for example HP-UX Shadow Passwords) that significantly increase the
  security of your system without having to convert it to Trusted Mode.
  These additional features are fully explained in the HP-UX
  11i Security Containment Administrator’s Guide.
  Additional security information is located in the HP-UX
  System Administrator’s Guide: Security Management document.

- Trusted Mode
  Offers a complete C2-level set of security features.
  Passwords are not stored in the /etc/passwd file,
  but are instead stored in /tcb/files for additional
  security.
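
A check for where each account's password hash actually lives, as an added example that is not part of the HP-UX documentation. It assumes a passwd(4)-format file in which "x" marks a shadowed entry and "*" marks a hash held outside the file (as in Trusted Mode) or a locked account; the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify field 2 of a passwd(4)-format file to see whether
# password hashes are still stored in the file itself (Standard Mode without
# Shadow Passwords) or have been moved elsewhere.
# Assumptions: "x" = shadowed, leading "*" or "!" = locked or stored outside
# the file (for example under /tcb/files), empty = no password set.

classify_passwd() {
    # $1: path to a passwd-format file. Prints "user:status" per account.
    awk -F: '
        /^#/ || /^$/  { next }                          # comments, blank lines
        NF < 7        { print $1 ":malformed"; next }
        $2 == ""      { print $1 ":empty"; next }
        $2 == "x"     { print $1 ":shadowed"; next }
        $2 ~ /^[*!]/  { print $1 ":locked-or-external"; next }
                      { print $1 ":hash-in-passwd" }
    ' "$1"
}

count_exposed() {
    # Number of accounts whose hash can be read by anyone able to read the file.
    classify_passwd "$1" |
        awk -F: '$2 == "hash-in-passwd" { n++ } END { print n + 0 }'
}

make_sample() {
    # Constructed sample data; the hash string is a placeholder, not a real hash.
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
root:x:0:3::/:/sbin/sh
alice:AbCdEfGhIjKlM:101:20:Alice:/home/alice:/usr/bin/sh
bob:*:102:20:Bob:/home/bob:/usr/bin/sh
carol::103:20:Carol:/home/carol:/usr/bin/sh
EOF
}

# Stand-alone run against the constructed sample.
sample=${TMPDIR:-/tmp}/passwd.sample.$$
make_sample "$sample"
classify_passwd "$sample"
echo "accounts with hash in passwd file: $(count_exposed "$sample")"
rm -f "$sample"
```

To audit a live system, call `classify_passwd /etc/passwd`; any `hash-in-passwd` or `empty` result is an account to review before relying on Standard Mode defaults.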

Protecting Against Data Loss

The best way to protect your data against loss
is to have another copy of the data somewhere when the primary copy
is lost. There are many technologies that will help you make those
extra copies. These include:

- Backups
  There are many ways in HP-UX to back up your data:

  - You can back up your data to tapes, optical media,
    or disk archive files on alternate devices. Some utilities that will
    allow you to do this include:
    - HP OpenView Storage Data Protector Software, part
      of the HP OpenView Suite of products, automates high performance backup
      and recovery, from disk or tape, over unlimited distances, to ensure
      24x7 business continuity and maximize IT resource utilization. For
      complete details on the HP OpenView Suite, see http://openview.hp.com.
    - The pax command extracts, writes,
      and lists archive files and copies files and directory hierarchies.
      A more contemporary utility, pax performs basically
      the same functions as the older (still available) utilities cpio and tar. For details about pax, see pax(1).
    - tar (called the “tape archiver”) is equally adept at writing to disk archive files or optical media
      as it is at writing to magnetic tape media. For details about tar, see tar(1).
    - vxdump copies to magnetic tape
      all files in a VxFS file system that have been changed after a certain
      date. See vxdump(1M).
  - You can copy important files to another system using ftp, rcp, or (for secure copies) sftp.

  To protect the copies from being destroyed if physical
  damage or theft occurs at the site of the primary data, be sure to
  keep at least one copy of critical data at an alternate location.
  Don’t forget to physically protect tapes that contain unencrypted
  data. HP OpenView Security Data Protector can encrypt backups.

- Disk Mirroring
  Disk mirroring writes multiple copies of data to separate
  (physical or logical) devices simultaneously.

  If you are using LVM (HP’s Logical Volume Manager),
  you will need to install the optional product, MirrorDisk/UX, to use
  disk mirroring. MirrorDisk/UX supports up to three copies of data
  if you are using LVM with Version 1 volume groups, and up to six copies
  of data if you are using LVM with Version 2 volume groups.

  If you are using the VERITAS Volume Manager, the ability to
  mirror your root volume group is built in to the base product. By
  licensing the full version of the VERITAS Volume Manager, you gain
  the ability to mirror all your volume groups, up to 32 copies of the
  data.

- RAIDs and Surestore Disk Arrays
  Data redundancy can also be accomplished
  at the hardware level. RAIDs (redundant arrays of inexpensive disks)
  and HP Surestore Disk Arrays have the capability to make multiple
  copies of data written to them, and some even have multiple controllers
  for redundancy of access should a controller fail.

  NOTE: RAID levels that include parity disks are able to reconstruct
  lost data on the fly until a failed disk is repaired or replaced.
  This is almost as good as multiple copies of the data; however, for
  exceptionally important data, be exceptionally safe by having a copy
  of the data.

Protecting Against Hardware Failure

Depending on the specific hardware you have (server
types, storage devices, and so on), HP-UX 11i version 3 offers numerous
ways of protecting your computing operations against hardware failure.
Here are some key features to consider:

- Serviceguard
  For mission critical installations, Serviceguard takes
  redundancy an extra step by having multiple servers connected to external
  disks or arrays. If one server fails, Serviceguard can switch to a
  stand-by server capable of carrying on the functions of the failed
  server while the original is repaired.

- Persistent Device Special Files
  HP-UX 11i version 3 introduces a new type of device
  special file called a persistent device special
  file. Unlike legacy device special files[10] that address devices by the hardware path to
  them, persistent device special files use unique
  identifiers built into (or associated with) supported devices to address them. This means that multiple hardware paths can be
  used to address the same device, preventing single points of failure
  in interface cards/slots.

- Online Addition and Replacement
  Online Addition, Replacement, and Deletion (OL*) is
  an HP-UX feature that allows for the addition, replacement, and deletion
  of PCI / PCI-X cards (adapters) while a system is running (without
  requiring a reboot). This feature enhances overall high-availability
  since the system can remain active while an I/O adapter is being added
  or replaced. When combined with other high-availability products,
  such as Serviceguard, system availability is significantly improved.

  Failed devices that support PCI OL*, if not critical to your
  operation, can be replaced or removed.

  - Online Replacement suspends the driver
    instance associated with the failed card and powers down the slot
    so the card can be replaced with a new one of the same type. Then power can be restored to the slot and new card, and the driver
    resumed.
  - Online Deletion removes from the running kernel the driver instance associated with the failed card and powers down
    the slot so the card can be removed. You can then (optionally) install
    a new card of the same or different type using Online Addition.