IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 6.43 Use of redundant Windows NT servers
Initiation responsibility: Head of IT Section, IT Security management
Implementation responsibility: Administrators
Depending upon the availability requirements of data and applications, a
redundancy can be created with an acceptable amount of effort which prevents
a total loss of data. According to these requirements, parts of the stored data or
the complete data stock can be copied parallel onto several hard disks. If one
hard disk then fails, the data is not lost and users can continue working
without having to wait for re-installation of a backup.
According to the defined availability requirements, the systems can be laid out
in such a way that if a server fails, tasks can be taken over by one or more
other servers. However, care must be taken that the common stored data
remains consistent; this must also be ensured when single machines fail. In
this context considerable differences exist as regards the performance of
various redundancy concepts:
- A direct physical redundancy can be attained with RAID disk systems
(RAID: Redundant Array of Independent Disks). When choosing this
procedure, it must be borne in mind that the physical distance between the
single disks of a RAID system is subject to considerable restrictions, so
that in case of fire or similar damage, all parallel copies will be damaged to
the same extent. RAID systems are, therefore, no substitute for data
backup.
- By installing Windows NT clusters, parallel copies of stored data can exist
on different disks and under the control of different computers. By using
high-performance clusters with up to four servers, the number of server
systems can be reduced which in turn leads to a reduction of administrative
effort and thus an improvement in security.
- Replication of single directories allows data to be similarly distributed. But
there are no synchronisation mechanisms which allow data currently being
edited to be consistently copied in parallel. In this case, a failure of the
primary disk more or less always leads to considerable loss of data.
Implementation of replication services under Windows NT should,
therefore, remain restricted to those circumstances in which changes are
only made in one place. In any case, this should never be considered as a
substitute for a regular data backup.
To prevent failure of server computers, these must be laid out redundantly as
required. Many possibilities are available here from which the appropriate
alternative must be selected, depending upon the tolerable down time (MTD):
- If the tolerable duration of a failure amounts to half an hour, a separate
computer must be made available which takes over the tasks of the failed
server. To obtain access to the data of the failed server, its hard disk must
be switched over to the substitute computer.
- If failure is only tolerable for a few minutes, a cluster-system should be
installed which has access to all hard disks on all computers. The system
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000