Installing, configuring and maintaining hardened servers are core components of a defense-in-depth strategy for protecting computing infrastructure. A common hardening tactic is to disable unnecessary features, functions and capabilities; the underlying problem with this tactic is that dormant vulnerabilities can be reawakened simply by re-enabling those services. Stripping down servers, by minimizing bloated operating system platforms, is an effective means of counteracting the possibility of enabling unnecessary or undesirable services: they are simply not installed. Commercial network appliances based on UNIX variants, such as load balancers and intrusion detection systems, continue to be deployed on minimized platforms not only to limit potential vulnerabilities but also to improve system performance and reduce the need to patch. So if minimization is an effective means of hardening network appliances, shouldn't the same tactic be used when deploying servers? This paper presents minimization as a fundamental tactic when deploying hardened servers based on a popular Linux platform (CentOS/VM), and proposes a methodology for identifying core functions and discovering necessary software dependencies.
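The dependency-discovery step of such a methodology, as an added illustration that is not part of the paper: starting from the server's core functions, compute the closure of packages that must stay and treat everything else installed as a removal candidate. The package inventory below is constructed, shaped like `rpm -q --provides` / `rpm -q --requires` output, because RPM dependencies are declared on capabilities (sonames, virtual provides) rather than package names and must be resolved through a provides index first.

```python
from collections import deque

# Constructed inventory (hypothetical host, not real data):
# package -> (capabilities it provides, capabilities it requires)
INSTALLED = {
    "httpd":          ({"httpd", "webserver"}, {"libc.so.6", "libssl.so.1.1", "apr"}),
    "apr":            ({"apr", "libapr-1.so.0"}, {"libc.so.6"}),
    "openssl-libs":   ({"libssl.so.1.1", "libcrypto.so.1.1"}, {"libc.so.6"}),
    "glibc":          ({"glibc", "libc.so.6"}, set()),
    "openssh-server": ({"openssh-server", "sshd"}, {"libc.so.6", "libcrypto.so.1.1"}),
    "cups":           ({"cups", "printing"}, {"libc.so.6"}),
    "avahi":          ({"avahi"}, {"libc.so.6"}),
}

# Core functions of this hypothetical server, expressed as required capabilities.
CORE_FUNCTIONS = {"webserver", "sshd"}


def build_provides_index(inventory):
    """Map each capability to the set of packages that provide it."""
    index = {}
    for pkg, (provides, _requires) in inventory.items():
        for cap in provides:
            index.setdefault(cap, set()).add(pkg)
    return index


def required_closure(inventory, core_caps):
    """Breadth-first walk from the core capabilities through requires.

    Returns (needed_packages, unresolved_capabilities). A capability with
    several providers keeps all of them: the conservative choice for a
    minimization pass, since dropping the wrong one breaks a core function.
    """
    index = build_provides_index(inventory)
    needed, unresolved, queue = set(), set(), deque(core_caps)
    while queue:
        cap = queue.popleft()
        providers = index.get(cap)
        if not providers:
            unresolved.add(cap)   # core function depends on something not installed
            continue
        for pkg in providers:
            if pkg not in needed:
                needed.add(pkg)
                queue.extend(inventory[pkg][1])
    return needed, unresolved


def removal_candidates(inventory, core_caps):
    """Installed packages that no core function transitively needs."""
    needed, _ = required_closure(inventory, core_caps)
    return sorted(set(inventory) - needed)
```

Unresolved capabilities are reported rather than ignored, because a core function whose dependency is missing from the inventory is a sign the core-function list or the inventory is wrong, not that the package is safe to drop.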