Data center servers may obtain software updates or certificate
status from servers on the internet. The greatest risk is connecting
to the wrong server. Create strict allow rules for updates to limit
the reachable external servers and the allowed applications (on
default ports only). This prevents infected data center servers
from phoning home and prevents data exfiltration using legitimate
applications such as FTP, HTTP, or DNS on non-standard ports. In
addition, use the File Blocking profile’s
to block outbound update files so you only allow downloading for
software update files.
For each rule, apply best practice
Security profiles and configure
Log at Session End
Work with engineering
and other groups that update software to log and analyze web browsing
sessions to define the URLs to which developers connect for updates.
These examples allow engineering
servers to communicate with CentOS update servers (
access to external DNS servers at the internet gateway to prevent
DNS traffic from going out on the internet to public servers. Allow
access only to sanctioned DNS servers and use the DNS Security service to prevent connections
to malicious DNS servers.
Allow connecting to an internet Online Certificate Status Protocol (OCSP)
Responder to check the revocation status of authentication certificates
and ensure they are valid. When you configure a certificate profile on the
firewall, set up CRL status verification as a fallback method for
OCSP in case the OCSP Responder is unreachable.
Create data-center-to-internet Decryption policy
rules to decrypt the traffic allowed in the preceding Security policy
A compromised update server could download malware and
propagate it through the software update process, so decrypting
traffic to gain visibility is critical. Because only service accounts
initiate update traffic and update traffic has no personal or sensitive
information, there are no privacy issues.
traffic to OCSP certificate revocation servers because the traffic
usually uses HTTP, so it’s not encrypted. In addition, SSL Forward Proxy
decryption may break the update process because the firewall acts
as a proxy and replaces the client certificate with a proxy certificate,
which the OCSP responder may not accept as valid.
Decrypt traffic between
data center and update servers. These two examples decrypt the CentOS
and Windows update traffic allowed by the analogous Security policy
rules in the preceding step.
Decrypt traffic between data center servers and NTP and DNS
update servers. This example decrypts the update traffic allowed
by the analogous Security policy rule in the preceding step.