Data-Center-to-Internet Traffic Policies
- Create data center-to-internet allow rules to protect connections to external servers.Data center servers may obtain software updates or certificate status from servers on the internet. The greatest risk is connecting to the wrong server. Create strict allow rules for updates to limit the reachable external servers and the allowed applications (on default ports only). This prevents infected data center servers from phoning home and prevents data exfiltration using legitimate applications such as FTP, HTTP, or DNS on non-standard ports. In addition, use the File Blocking profile’sDirectioncontrol to block outbound update files so you only allow downloading for software update files.For each rule, apply best practice Security profiles and configureLog at Session Endon theActionstab.Work with engineering and other groups that update software to log and analyze web browsing sessions to define the URLs to which developers connect for updates.
- These examples allow engineering servers to communicate with CentOS update servers (CentOS-Update-Serverscustom URL Category) using theyumapplication and with Microsoft update servers (Win-Update-Serverscustom URL Category) using thems-updateapplication (you must also allowsslbecausems-updatehas a dependency on SSL).
- Allow access to DNS and NTP updates (NTP DNS Update Serverscustom URL Category).
- Allow connecting to an internet Online Certificate Status Protocol (OCSP) Responder to check the revocation status of authentication certificates and ensure they are valid. When you configure a certificate profile on the firewall, set up CRL status verification as a fallback method for OCSP in case the OCSP Responder is unreachable.
- Create data-center-to-internet Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules.A compromised update server could download malware and propagate it through the software update process, so decrypting traffic to gain visibility is critical. Because only service accounts initiate update traffic and update traffic has no personal or sensitive information, there are no privacy issues.Don’t decrypt traffic to OCSP certificate revocation servers because the traffic usually uses HTTP, so it’s not encrypted. In addition, SSL Forward Proxy decryption may break the update process because the firewall acts as a proxy and replaces the client certificate with a proxy certificate, which the OCSP responder may not accept as valid.
- Decrypt traffic between data center and update servers. These two examples decrypt the CentOS and Windows update traffic allowed by the analogous Security policy rules in the preceding step.
- Decrypt traffic between data center servers and NTP and DNS update servers. This example decrypts the update traffic allowed by the analogous Security policy rule in the preceding step.
Recommended For You
Recommended videos not found.