Build process for machines being installed on our Internet segments

For some time our IES process has specified that no machine can be attached to our Internet segments without having its IES documentation signed off. This policy has always glossed over the minor detail of how an internal customer is supposed to build, test and document the machine before it can actually be attached to the Internet.

So, Glenn, Tony and I sat around one evening last week and hammered out what a reasonably flexible and responsible process ought to be for doing so, and I've summarized a draft of it below.

Process for building and testing a new Internet-attached machine:

  1. Customer identifies new requirement for an Internet machine.

  2. Notify Jim Chapdelaine and provide functional description, preliminary application design and intended implementation plan (Jim will forward to the IES team).

    Note: In steps #3 through #7, the machine(s) involved are to be disconnected from the network when not being actively worked on.

  3. IES Team and customer design an interim security strategy. The default strategy is as follows (modifications to be negotiated together):

       a. Build the machine's OS.
       b. If the machine will be directly accessible from the Internet, install the SNG/Firewall product, but don't activate the filters yet.
       c. Install aixcops and lsattack (obtain from http://w3.security.ibm.com).
       d. Ensure password rules are followed (we need to provide a pointer here).
       e. Turn off all daemons.
       f. Ensure netstat -a runs clean.
       g. Ensure inetd.conf is clean (basically, everything should be commented out or explained fully).
       h. Ensure inittab is clean (Glenn's going to provide a sample).
       i. Stop srcmstr (the SRC master daemon) from running.
       j. Configure needed daemons directly.

  4. Notify IES team that machine has been built and above guidelines have been implemented; request required network infrastructure changes (opening of router and gateway filters, etc.)

  5. Install, configure and test application function

  6. Lockdown:

       a. Activate SNG filters (if machine is on the Public network).
       b. Turn off all ports.
       c. Turn on only those ports required for the application to function.
       d. Ensure application function is in final operational status.
       e. Complete IES documentation requirements.

  7. Final review and signoff with IES team

  8. Production status
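The "clean" checks in step 3 (inetd.conf, inittab, netstat -a) and the "only the ports the application needs" check in step 6 are easy to eyeball once but tedious to repeat at every review. The script below is an added example, not part of the process document above and not an IBM tool: it audits saved copies of those files and reports anything still active. The inetd.conf, inittab and netstat output it creates are constructed samples; the allow list of services ("ftp") stands in for whatever the application actually needs.

```shell
#!/bin/sh
# Added example: audit script for the step-3 and step-6 checks.
# Not part of the original process document. All sample input
# below is constructed for illustration.

# Service names of every inetd.conf entry that is still active
# (any line that is not blank and not commented out).
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Ids of inittab entries whose action is anything other than "off".
# AIX inittab comment lines begin with ':'; '#' is tolerated as well.
active_inittab_entries() {
    grep -v '^[[:space:]]*[#:]' "$1" | grep -v '^[[:space:]]*$' \
        | awk -F: '$3 != "off" {print $1}'
}

# Local address of every TCP socket in LISTEN state in a saved
# "netstat -a" report (AIX-style column layout assumed).
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {print $4}' "$1"
}

# Step-6 check: LISTEN sockets whose service name is not in the
# space-separated allow list of services the application requires.
unexpected_listeners() {
    allowed="$1"; report="$2"
    listening_sockets "$report" | while read -r sock; do
        svc=${sock##*.}
        case " $allowed " in
            *" $svc "*) ;;          # expected for this application
            *) echo "$sock" ;;      # nobody asked for this one
        esac
    done
}

# Number of lines a command printed (0 when it printed nothing).
count_lines() { "$@" | wc -l | tr -d ' '; }

# --- constructed sample input -----------------------------------------
TMP=$(mktemp -d)

cat > "$TMP/inetd.conf" <<'EOF'
## constructed sample inetd.conf: ftp and telnet left active
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd    ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/telnetd telnetd -a
#shell   stream  tcp     nowait  root    /usr/sbin/rshd    rshd
#exec    stream  tcp     nowait  root    /usr/sbin/rexecd  rexecd
#tftp    dgram   udp     wait    nobody  /usr/sbin/tftpd   tftpd -n
EOF

cat > "$TMP/inittab" <<'EOF'
: constructed sample inittab (srcmstr still respawning)
init:2:initdefault:
srcmstr:2:respawn:/usr/sbin/srcmstr
rctcpip:2:wait:/etc/rc.tcpip > /dev/console 2>&1
piobe:2:off:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1
EOF

# 192.0.2.x addresses are documentation addresses, not real hosts.
cat > "$TMP/netstat.out" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.ftp                  *.*                    LISTEN
tcp4       0      0  *.telnet               *.*                    LISTEN
tcp4       0      0  192.0.2.10.telnet      192.0.2.20.1025        ESTABLISHED
udp4       0      0  *.syslog               *.*
EOF

# --- report ------------------------------------------------------------
echo "inetd services still active:";  active_inetd_services "$TMP/inetd.conf"
echo "inittab entries not 'off':";    active_inittab_entries "$TMP/inittab"
echo "TCP listeners:";                listening_sockets "$TMP/netstat.out"
echo "listeners outside allow list (ftp):"
unexpected_listeners "ftp" "$TMP/netstat.out"
```

On a real machine you would point the functions at /etc/inetd.conf and /etc/inittab and at the output of netstat -a captured to a file, and put the application's required services in the allow list; a review passes when the first three reports are empty or fully explained and the fourth is empty.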
