Reflections - TechDragon9/SEC440-01-Tech-Journal GitHub Wiki
Availability and Redundancy Security (10/17/2021)
Problem 1: Although the setup is not quite finished yet, the redundant databases share the same username and password, and those credentials may not be well protected.
Solution 1: Databases like MySQL may offer ways to encrypt data such as usernames and passwords so they are better protected. It might also help to consider a "two-factor" authentication solution, if MySQL supports one.
Problem 2: Thinking back on it, two-factor authentication was only used on Web01 for SSH from the WAN (xubuntu-wan). This means SSH access to Web02, if needed for whatever reason, is not as secure (or redundant, for that matter).
Solution 2: Investigate whether HAProxy can handle SSH (or whether it can pass SSH through to the web servers at all), and/or add a rule on the VyOS machines that allows SSH to Web02.
Problem 3: The rules on vyos1 and vyos2 currently do not restrict traffic to the LAN, which means viruses and corrupted webpages could find their way to the xubuntu-lan machine (though this is to be expected, since the networks are not separated into zones yet).
Solution 3: Create or research a rule for the VyOS machines that restricts what xubuntu-lan has access to (or really the entire LAN, since mgmt will eventually be on the LAN as well and that machine NEEDS to be secured). Another possibility is to have the VyOS machines log everything the LAN accesses on the WAN side (internet), so that admins are aware of what those machines are doing (and to log any sudden errors that come up).
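For the logging option in Solution 3, one way to turn firewall log lines into a summary of what the LAN reaches on the WAN side. This is an added example, not code from the journal; the ruleset name LAN-OUT, the interface roles, the 10.0.5.0/24 LAN range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed, abbreviated sample of netfilter LOG lines as a VyOS router
# writes them to syslog. Assumed for this example: the "[ruleset-rule-action]"
# prefix with a ruleset named LAN-OUT, eth1 = LAN, eth0 = WAN, LAN = 10.0.5.0/24.
SAMPLE_LOG = """\
Oct 17 14:02:11 vyos1 kernel: [LAN-OUT-10-A]IN=eth1 OUT=eth0 SRC=10.0.5.100 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=443 SYN
Oct 17 14:02:12 vyos1 kernel: [LAN-OUT-10-A]IN=eth1 OUT=eth0 SRC=10.0.5.100 DST=192.0.2.10 PROTO=TCP SPT=51516 DPT=443 SYN
Oct 17 14:02:12 vyos1 kernel: [LAN-OUT-10-A]IN=eth1 OUT=eth0 SRC=10.0.5.100 DST=198.51.100.53 PROTO=UDP SPT=40211 DPT=53
Oct 17 14:02:13 vyos1 kernel: [LAN-OUT-default-D]IN=eth1 OUT=eth0 SRC=10.0.5.100 DST=203.0.113.7 PROTO=TCP SPT=51600 DPT=23 SYN
Oct 17 14:02:14 vyos1 kernel: [LAN-OUT-10-A]IN=eth1 OUT=eth0 SRC=10.0.5.100 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Oct 17 14:02:15 vyos1 kernel: [WAN-IN-20-A]IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.5.100 PROTO=TCP SPT=443 DPT=51514
Oct 17 14:02:16 vyos1 sshd[2211]: Accepted publickey for vyos from 10.0.5.10 port 50022
"""

# Prefix is ruleset name, rule number (or "default"), then Accept/Drop/Reject.
PREFIX = re.compile(r"\[(?P<ruleset>[\w-]+)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the firewall fields of one log line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line[m.end():]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {"action": m["action"], "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"),
            "dport": fields.get("DPT")}  # ICMP lines carry no DPT

def summarize(log_text, lan="10.0.5.0/24"):
    """Count (src, dst, proto, dport, action) flows that originate on the LAN."""
    lan_net = ipaddress.ip_network(lan)
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ipaddress.ip_address(rec["src"]) in lan_net:
            flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["action"])] += 1
    return flows

if __name__ == "__main__":
    for flow, hits in summarize(SAMPLE_LOG).most_common():
        print(hits, *flow)
```

Dropped flows (action `D`) are counted alongside accepted ones, so the same summary shows both what the LAN reached and what a restricting rule blocked.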