Best practice for COCCA Registry System architecture

From CoCCA Registry Services (NZ) Limited

Revision as of 10:48, 5 April 2015 by Cocca (Talk | contribs)

Introduction

The Registry system is the most important component at a ccTLD, so we should secure our Registry systems as much as possible. We can follow a number of steps to secure our systems by implementing a number of technologies.

Access Levels and Redundant Accounts

- It is not advisable to have more than two user accounts with "Systems Administrator" rights. You only need two: 1) a primary and 2) a backup in case you lock yourself out somehow.


- All "Sys Admin", "TLD Admin", "Zone Admin" and "Customer Service" accounts must have either GUI IP restrictions set or use two-factor tokens.


- Delete all redundant / test login accounts.


- Require all registrars to use two-factor tokens or log in from trusted IP addresses.

Registry Server Security

- The GUI and public-facing WHOIS server should be on SSL (https://registry.nic.tld or https://whois.nic.tld).


- The Registry GUI should be on a different IP address than the WHOIS server and should only be accessible by registrars and registry staff from trusted IP addresses.


- The registry firewall should only allow public access on ports 443 and 43 to the WHOIS IP address.

Registry Configuration

- Unless there is a compelling reason, the domain "AuthCodes" should be left encrypted. This is a user preference and can be set registrar by registrar; the default is encrypted.


- Use the CoCCA Super-lock feature for critical domains.


- Use DNSSEC. If this seems a challenge to implement, contact Packet Clearing House (https://pch.net) for assistance.


- Only grant EPP access to registrars that request it and only from trusted IP addresses. This can be, and should be, set in both the application and your firewall.
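
The firewall rules under "Registry Server Security" and the EPP restriction above can be checked against probe results with a small default-deny policy model. This is an added example, not CoCCA code; the addresses are constructed from documentation ranges, and EPP on port 700 at the GUI address is an assumption the page does not state.

```python
import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges (assumptions).
WHOIS_IP = ipaddress.ip_address("192.0.2.43")             # public WHOIS address
GUI_IP = ipaddress.ip_address("192.0.2.10")               # registry GUI (and EPP) address
TRUSTED_GUI = [ipaddress.ip_network("198.51.100.0/28")]   # registry staff and registrars
TRUSTED_EPP = [ipaddress.ip_network("203.0.113.16/29")]   # registrars that requested EPP
EPP_PORT = 700  # assumption: IANA-registered EPP port; the page names no port


def allowed(src, dst, port):
    """Return True if the policy on this page permits src -> dst:port (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == WHOIS_IP and port in (43, 443):
        return True                                       # public WHOIS on 43 and 443
    if dst == GUI_IP and port == 443:
        return any(src in net for net in TRUSTED_GUI)     # GUI from trusted IPs only
    if dst == GUI_IP and port == EPP_PORT:
        return any(src in net for net in TRUSTED_EPP)     # EPP for approved registrars only
    return False


def audit(scan):
    """Compare (src, dst, port, reachable) probe results with the policy."""
    findings = []
    for src, dst, port, reachable in scan:
        expected = allowed(src, dst, port)
        if reachable and not expected:
            findings.append(("exposed", src, dst, port))  # open but should be closed
        elif expected and not reachable:
            findings.append(("blocked", src, dst, port))  # closed but should be open
    return findings


# Constructed probe results from an internet host, a registrar and a staff host.
SAMPLE_SCAN = [
    ("203.0.113.200", "192.0.2.43", 43, True),
    ("203.0.113.200", "192.0.2.10", 443, True),    # GUI reachable from anywhere
    ("203.0.113.200", "192.0.2.10", 22, False),
    ("203.0.113.18", "192.0.2.10", 700, False),    # approved registrar cut off
    ("198.51.100.5", "192.0.2.10", 443, True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(*finding)
```

Probes should be run from both a trusted and an untrusted vantage point, so that over-exposure and over-blocking both show up.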

General Suggestions

- Do not host mail servers, accounting systems, helpdesk software, public-facing websites with policy, public DNS servers and the like in the same environment as the registry server, and certainly never on the same appliance. Host non-critical sites and applications on a VM in the cloud someplace (so if they are compromised the registry is not).


- Back up frequently, locally and off-site, and encrypt the backups (this can be configured via the UI in the current versions).


- Escrow the data in both the native CoCCA and ICANN gTLD formats with a trusted third party.


- Most importantly, treat everybody fairly so they are not "incentivized" to be mischievous...