Support of Operating System Updates for Server Applications

Security Policy
Support of Operating System Updates for Server Applications
Version: 1.20
Date: 2010-12-23
OpenScale Baseline Security Office
Siemens Enterprise Communications Group
Communication for the open minded
Siemens Enterprise Communications
www.siemens-enterprise.com
1 Overview and Scope
This security policy covers application servers where software applications provided
by Siemens Enterprise Communications Group (hereinafter referred to as SEN) are
installed.
It describes how operating system updates are tested and released by SEN for their
application server products.
Products of SEN where the operating system is provided as an integral part of the
product delivery (for example VoIP phones, gateways, or software appliances like
the OpenScape Voice server) are not affected by this policy.
Customers of SEN usually define their own security policies and standards, where
the installation of security updates for the servers' operating systems is a mandatory
requirement. The updates need to be applied in a timely manner to protect the
server from being exploited by viruses, worms or other malicious attacks from the
network.
SEN explicitly recommends implementing best-practice security measures in the
customer's network. This also includes the installation of security updates as soon
as practical for the customer.
Note, however, that:
• The installation of any operating system update may require compatibility tests
prior to their release for the application software.
• The urgency of some operating system updates often requires the customer to
proceed in advance of advice or verification from the vendors of the software installed on the affected application servers.
This document describes how SEN addresses these conflicting requirements and
how SEN can continue to provide support and service for their products.
1.1 History of Change
Date        Version  What
2009-05-29  1.00     Initial release
2010-03-31  1.10     Update of Applicability Matrix
2010-12-23  1.20     • Chapter 1.3: Update of Applicability Matrix
                     • Chapter 2.2: Clarification regarding the use of old Operating System versions
1.2 Contents
1 Overview and Scope
1.1 History of Change
1.2 Contents
1.3 Applicability Matrix
2 Operating System Updates on Application Servers
2.1 Terminology and General Statement
2.2 Service Packs and Minor Versions
2.3 Security Updates and Critical Updates
1.3 Applicability Matrix
In the current version, this policy applies to the following SEN server application
products (hereinafter referred to as 'product'):
SEN Product Name | Major Version
HiPath 5000 RSM | V7, V8
HiPath 4000 Manager | V4, V5, V6
HiPath 4000 SoftGate | V5, V6
HiPath Accounting Management | V2.0
HiPath CAP | V3.0
HiPath DAKS | V2.1, V3.0
HiPath Display Telephone Book | V9.0
HiPath Fault Management | V4
HiPath License Management (HLM) | V1
HiPath ProCenter Agile/Standard | V6.5
HiPath QoS Management | V1.0
HiPath User Management | V2.0, V3
HiPath Trading | V3
OpenScape Accounting | V1
OpenScape Alarm Response Economy | V1
OpenScape Alarm Response Professional | V3
OpenScape ComAssistant | V2.0
OpenScape Contact Center Agile/Enterprise | V7.0, V8
OpenScape Contact Center Campaign Director | V6
OpenScape Contact Center Extensions (includes OpenScape Concierge) | V1
OpenScape Deployment Service | V2.0, V3
OpenScape ILA (Identity Lifecycle Assistant) | V1
OpenScape Media Server | V3, V4
OpenScape Office HX | V2
OpenScape UC Application | V3, V4
OpenScape Voice Assistant (incl. Common Management Portal, RG8700 Assistant, DLS) | V3, V4, V5
OpenScape Voice Survival Authority (if deployed standalone) | V3, V4, V5
OpenScape Voice Trace Manager | V1, V2
OpenScape Web Collaboration | V1
OpenScape Xpressions | V5, V6
OpenScape Xpert | V4
SESAP | V1

Server Operating System columns: Microsoft Windows | SuSE Linux (1) | other (per-product X marks not recoverable from this copy)

1 Novell SuSE Linux Enterprise Server or openSUSE Linux
2 When installed on HiPath 4000 Manager
3 openWRT, Solaris
2 Operating System Updates on Application Servers
2.1 Terminology and General Statement
Various vendors of Operating Systems may use different terminology for their various types of software updates. The main distinction required in this context is between:
• Service Packs (or Minor Versions):
Are cumulative sets of security updates, other updates and corrections, but also
include new operating system features or design changes.
• Security Updates (often also called Security Patches or Hotfixes):
Individual fixes for specific vulnerabilities, typically released to address a specific urgent security issue or defect.
A similar category is called Critical (or Mandatory or Important) Updates. They
follow the same update procedures as Security Updates. Instead of fixing potential vulnerabilities, they relate to other errors which also need to be fixed
to keep the Operating System running.
As a general statement, SEN assumes that future operating system updates maintain backward compatibility to older versions of the files and executables being updated. Based on that fact, SEN assumes low risk with installing these updates.
However, SEN strongly recommends that customers perform functional and
performance testing prior to deploying these updates in a production environment.
As part of product planning and the System-, Release- and Regression-Tests, SEN
reviews and tests Operating System updates on a regular basis. The general procedure is as follows.
2.2 Service Packs and Minor Versions
The list of supported Operating Systems (e.g. Microsoft Windows Server 2003/2008,
XP Professional, Vista Enterprise, Novell SuSE Linux Enterprise Server, openSuSE)
and supported service packs (SP<n>) or versions (<major>.<minor>) is part of the
administration manual of every SEN product.
Updates at short notice are contained in the release notes. The list may change with
every major, minor or fix release of the product. The minimum Operating System
version required to run the application does not change within a product’s major
release, but every new major release of the product may remove older Operating
System versions from the list.
Therefore, if more than one service pack or version is listed, SEN recommends always
using the latest one that the product officially supports.
As soon as new service packs or versions are released by the operating system vendor they are tested to achieve official support. This is part of product-individual
planning. Their official support may be declared:
• Based on an already released product version (i.e. by update of the release note).
• As part of a new major, minor or fix version of the product.
Customers should use their normal SEN support process to ask when support for a new
service pack or minor version is planned for an individual product.
2.3 Security Updates and Critical Updates
All System-, Release- and Regression-Tests are performed using the latest updates
released by the Operating System vendor up to the time the respective test was
planned and executed.
SEN recommends always using the latest updates released by the vendor. Their
installation does not void the customer's warranty or maintenance contract for the
product.
SEN also recommends functional and performance testing to be performed prior to
deploying these updates in a production environment.
If the installation or operation of an Operating System update causes the SEN product to malfunction, then the customer should:
• Remove or disable the update to restore proper system operation.
  The customer can, of course, choose to leave the update installed if, in their opinion, the risk of operating without it is higher than the cost of the malfunction.
• Report the problem to SEN using the normal product support process.
• Re-install or enable the update after investigation and advice from SEN.
This procedure is supported by all releases of the products where regular service is
still offered.
About Siemens Enterprise Communications Group (SEN Group)
The SEN Group is a premier provider of enterprise communications solutions. More than 14,000 employees in 80 countries carry on the tradition of voice and data excellence started more than 160 years ago with Werner von Siemens and
the invention of the pointer telegraph. Today the company leads the market with its "Open Communications" approach
that enables teams working within any IT infrastructure to improve productivity through a unified collaboration experience. SEN Group is a joint venture between the private equity firm, The Gores Group, and Siemens AG and incorporates
Siemens Enterprise Communications, Enterasys Networks, SER Solutions, Cycos and iSEC.
©Siemens Enterprise
Communications GmbH & Co. KG
For more information about Siemens Enterprise Communications, please visit www.siemens-enterprise.com
Status 03/2009
Siemens Enterprise
Communications GmbH & Co. KG
is a Trademark Licensee of Siemens AG
The information provided in this brochure contains merely
general descriptions or characteristics of performance
which in case of actual use do not always apply as described
or which may change as a result of further development
of the products. An obligation to provide the respective
characteristics shall only exist if expressly agreed in the
terms of contract. Availability and technical specifications are subject to change without notice. OpenScape,
OpenStage and HiPath are registered trademarks of
Siemens Enterprise Communications GmbH & Co. KG.
All other company, brand, product and service names are
trademarks or registered trademarks of their respective
holders.
Printed in Germany.