Define the Initial Data-Center-to-Internet Traffic Security Policy
Define which data center servers can access which update
servers, certificate revocation servers, etc., on the internet.
Depending on your data center architecture, servers
in the data center may reach out to the internet to retrieve software
updates or to check server certificate revocation status. The data
center is a great place for adversaries to hide because security
plans often focus on user communication and overlook servers that
communicate with the internet. When data center servers initiate
communication directly with the internet, you need to protect against
several security risks:
—Attackers use legitimate applications
such as FTP or HTTP, or other methods such as DNS tunneling, to
steal data. Create an application whitelist security policy rule
that allows only the applications required for server updates so
that all other applications are blocked, even if they are legitimate
applications in other circumstances. Loose application rules present
opportunities to attackers.
Command-and-control (C2) using legitimate applications—If
data center servers are allowed to communicate with the internet
using legitimate applications that are not needed for software updates,
attackers could use those otherwise legitimate applications for
C2 activity. For example, allowing web-browsing on non-standard
ports creates opportunities for attackers. Servers should be
allowed to communicate with the internet only with the specific applications
required for software updates, on their default ports, and with no other
applications, even if those applications are legitimate and sanctioned
for other uses.
Downloading additional malware—If an attacker compromises
a data center server, the malware on the server may download more
malware from the internet through a phone-home or other mechanism.
A strict whitelist rule that allows communication only with the appropriate
update servers using only the necessary update applications prevents
attackers from contacting websites that house malware and from exfiltrating
data. In addition, install Traps on the data center servers (and
all of your endpoints) to prevent malware that already resides on
a server from executing.
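As an added illustration (not part of the original page or any vendor configuration), the following Python models the deny-by-default allow-list policy described above: a data-center-to-internet flow is allowed only when its source server, destination, and application match an explicit rule and the application is on its default port. Server names, the update and OCSP destinations, and the port table are constructed placeholders.

```python
# Added example, not from the original page: a minimal model of a
# deny-by-default allow-list for data-center-to-internet traffic.
from dataclasses import dataclass

# Default port per application (the "application on its default port" rule).
# An allowed application seen on any other port does not match and is denied.
DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "dns": {53}, "ocsp": {80}}


@dataclass(frozen=True)
class Flow:
    src: str   # data center server initiating the connection
    dst: str   # internet destination
    app: str   # application as identified by the firewall
    port: int  # destination port


# Allow rules: (source servers, permitted destinations, permitted apps).
# Anything not matched by a rule is denied, including legitimate apps
# such as FTP, web-browsing on non-standard ports, or DNS to arbitrary hosts.
ALLOW_RULES = [
    # constructed: patch servers may reach the vendor update mirror over TLS
    ({"patch-srv-01", "patch-srv-02"}, {"updates.example.com"}, {"ssl"}),
    # constructed: all servers may check certificate revocation status
    ({"patch-srv-01", "patch-srv-02", "app-srv-01"},
     {"ocsp.example.com"}, {"ocsp"}),
]


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one data-center-to-internet flow."""
    for sources, dests, apps in ALLOW_RULES:
        if (flow.src in sources and flow.dst in dests and flow.app in apps
                and flow.port in DEFAULT_PORTS.get(flow.app, set())):
            return "allow"
    return "deny"


def denied_flows(flows):
    """Return the flows the policy blocks; these are the ones worth alerting on."""
    return [f for f in flows if evaluate(f) == "deny"]


if __name__ == "__main__":
    # constructed sample traffic observed leaving the data center
    sample = [
        Flow("patch-srv-01", "updates.example.com", "ssl", 443),   # update fetch
        Flow("app-srv-01", "ocsp.example.com", "ocsp", 80),         # revocation check
        Flow("app-srv-01", "203.0.113.10", "web-browsing", 8080),  # non-standard port
        Flow("patch-srv-02", "203.0.113.20", "ftp", 21),           # not an update app
        Flow("app-srv-01", "tunnel.example.net", "dns", 53),       # DNS to unknown host
    ]
    for f in denied_flows(sample):
        print("DENY", f)
```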