Define the Initial Data-Center-to-Internet Traffic Security Policy
Define which data center servers can access which update servers, certificate revocation servers, etc., on the internet.
Depending on your data center architecture, servers in the data center may reach out to the internet to retrieve software updates or to check server certificate revocation status. The data center is a great place for adversaries to hide because security plans often focus on user communication and overlook servers that communicate with the internet. When data center servers initiate communication directly with the internet, you need to protect against several security risks:
  • Data exfiltration—Attackers use legitimate applications such as FTP or HTTP, or other methods such as DNS tunneling, to steal data. Create an application security policy rule allow list that allows only the applications required for server updates so that all other applications are blocked, even if they are legitimate applications in other circumstances. Loose application rules present opportunities to attackers.
  • Command-and-control (C2) using legitimate applications—If data center servers are allowed to communicate with the internet using legitimate applications that are not needed for software updates, attackers could use those otherwise legitimate applications for C2 activities. For example, allowing web-browsing on non-standard ports creates opportunities for attackers. Servers should be allowed to communicate with the internet only through the specific applications required for software updates, on their default ports, and through no other applications, even if those applications are legitimate and sanctioned for other uses.
  • Downloading additional malware—If an attacker compromises a data center server, the malware on the server may download more malware from the internet through a phone-home or other mechanism. A strict allow rule that allows communication only with the appropriate update servers using only the necessary update applications prevents attackers from contacting websites that house malware and from exfiltrating data. In addition, install Cortex XDR Agent on the data center servers (and all of your endpoints) to prevent malware that already resides on a server from executing.
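The allow-list logic described in the three points above, as an added example that is not part of this page or of any Palo Alto Networks product: a small model of first-match rule evaluation in which allow rules match only approved App-IDs on their default ports (the "application-default" idea), so a sanctioned application on a non-standard port, DNS to an unapproved resolver, or FTP to anywhere falls through to the explicit deny rule. The rule names, subnets, update-server addresses and the default-port table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default port per App-ID, modelling the "application-default" service setting.
# Constructed for this example, not taken from any product's App-ID database.
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ocsp": {80}, "dns": {53}, "ftp": {21}}

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    sources: list          # source CIDRs
    destinations: list     # destination CIDRs ("0.0.0.0/0" = any)
    apps: set              # allowed App-IDs; empty set = any application
    action: str            # "allow" or "deny"

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    dst_port: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Zone, address, App-ID and default-port checks, in the order a firewall applies them."""
    if (rule.from_zone, rule.to_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if not any(ip_address(flow.src_ip) in ip_network(n) for n in rule.sources):
        return False
    if not any(ip_address(flow.dst_ip) in ip_network(n) for n in rule.destinations):
        return False
    if not rule.apps:
        return True
    # A sanctioned app on a non-default port (web-browsing on 8080) must not match an allow rule.
    return flow.app in rule.apps and flow.dst_port in APP_DEFAULT_PORTS.get(flow.app, set())

def evaluate(rules: list, flow: Flow) -> str:
    """First matching rule wins; an unmatched interzone flow is denied by default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit-interzone-default"

# Constructed allow list: update servers for the patch subnet, OCSP for the whole data center,
# then an explicit deny so every other data-center-to-internet attempt is logged and visible.
DC_TO_INTERNET_RULES = [
    Rule("dc-update-servers", "dc", "internet", ["10.10.1.0/24"], ["203.0.113.0/24"], {"ssl", "web-browsing"}, "allow"),
    Rule("dc-cert-revocation", "dc", "internet", ["10.10.0.0/16"], ["198.51.100.0/24"], {"ocsp"}, "allow"),
    Rule("dc-deny-all-log", "dc", "internet", ["10.10.0.0/16"], ["0.0.0.0/0"], set(), "deny"),
]
```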