Define the Initial Data-Center-to-Internet Traffic Security
Define which data center servers can access which update
servers, certificate revocation servers, etc., on the internet.
Depending on your data center architecture, servers
in the data center may reach out to the internet to retrieve software
updates or to check server certificate revocation status. The data
center is a great place for adversaries to hide because security
plans often focus on user communication and overlook servers that
communicate with the internet. When data center servers initiate
communication directly with the internet, you need to protect against
several security risks:
—Attackers use legitimate applications
such as FTP or HTTP, or other methods such as DNS tunneling, to
steal data. Create an application security policy rule allow list
that allows only the applications required for server updates so
that all other applications are blocked, even if they are legitimate
applications in other circumstances. Loose application rules present
opportunities to attackers.
Command-and-control (C2) using legitimate applications
data center servers are allowed to communicate with the internet
using legitimate applications that are not for software updates, attackers
could use those otherwise legitimate applications for C2 activities.
For example, allowing web-browsing on non-standard ports creates
opportunities for attackers. Servers should only be allowed to communicate w/the
internet using only the specific applications required for software
updates on their default ports, and no other applications, even
if those applications are legitimate and sanctioned for other uses.
Downloading additional malware
—If an attacker compromises
a data center server, the malware on the server may download more
malware from the internet through a phone-home or other mechanism.
A strict allow rule that allows communication only with the appropriate
update servers using only the necessary update applications prevents
attackers from contacting websites that house malware and from exfiltrating
data. In addition, install Cortex XDR Agent on the
data center servers (and all of your endpoints) to prevent malware
that already resides on a server from executing.