Data center servers may obtain software updates or certificate
status from servers on the internet. The greatest risk is connecting
to the wrong server. Create strict allow rules for updates to limit
the reachable external servers and the allowed applications (on default
ports only). This prevents infected data center servers from phoning
home and prevents data exfiltration using legitimate applications
such as FTP, HTTP, or DNS on non-standard ports. In addition, use
the File Blocking profile’s
block outbound update files so you only allow downloading for software
For each rule, apply best practice Security
profiles and configure
Log at Session End
Work with engineering
and other groups that update software to log and analyze web browsing
sessions to define the URLs to which developers connect for updates.
These examples allow engineering
servers to communicate with CentOS update servers (
Allow connecting to an internet Online Certificate Status Protocol (OCSP)
Responder to check the revocation status of authentication certificates
and ensure they are valid. When you configure a certificate profile on the
firewall, set up CRL status verification as a fallback method for
OCSP in case the OCSP Responder is unreachable.
Create data-center-to-internet Decryption policy
rules to decrypt the traffic allowed in the preceding Security policy
A compromised update server could download malware and
propagate it through the software update process, so decrypting traffic
to gain visibility is critical. Because only service accounts initiate
update traffic and update traffic has no personal or sensitive information,
there are no privacy issues.
Don’t decrypt traffic to
OCSP certificate revocation servers because the traffic usually
uses HTTP, so it’s not encrypted. In addition, SSL Forward Proxy
decryption may break the update process because the firewall acts
as a proxy and replaces the client certificate with a proxy certificate,
which the OCSP responder may not accept as valid.
Decrypt traffic between
data center and update servers. These two examples decrypt the CentOS
and Windows update traffic allowed by the analogous Security policy
rules in the preceding step.
Decrypt traffic between data center servers and NTP and DNS
update servers. This example decrypts the update traffic allowed
by the analogous Security policy rule in the preceding step.