Define the Initial Data-Center-to-Internet Traffic Security Policy

• Data exfiltration—Attackers use legitimate applications such as FTP or HTTP, or other methods such as DNS tunneling, to steal data. Create an application security policy allow list that allows only the applications required for server updates so that all other applications are blocked, even if they are legitimate applications in other circumstances. Loose application rules present opportunities to attackers.
• Command-and-control (C2) using legitimate applications—If data center servers are allowed to communicate with the internet using legitimate applications that are not for software updates, attackers could use those otherwise legitimate applications for C2 activities. For example, allowing web-browsing on non-standard ports creates opportunities for attackers. Servers should only be allowed to communicate w/the internet using only the specific applications required for software updates on their default ports, and no other applications, even if those applications are legitimate and sanctioned for other uses.
• Downloading additional malware—If an attacker compromises a data center server, the malware on the server may download more malware from the internet through a phone-home or other mechanism. A strict allow rule that allows communication only with the appropriate update servers using only the necessary update applications prevents attackers from contacting websites that house malware and from exfiltrating data. In addition, install Cortex XDR Agent on the data center servers (and all of your endpoints) to prevent malware that already resides on a server from executing.

• Data-Center-to-Internet Traffic Security Approaches
• Create Data-Center-to-Internet Application Allow Rules
• Create Data-Center-to-Internet Decryption Policy Rules