Define the Initial Data-Center-to-Internet Traffic Security Policy
Define which data center servers can access which update servers, certificate revocation servers, etc., on the internet.
Depending on your data center architecture, servers
in the data center may reach out to the internet to retrieve software
updates or to check server certificate revocation status. The data
center is a great place for adversaries to hide because security
plans often focus on user communication and overlook servers that
communicate with the internet. When data center servers initiate
communication directly with the internet, you need to protect against
several security risks:
Data exfiltration—Attackers use legitimate applications
such as FTP or HTTP, or other methods such as DNS tunneling, to
steal data. Create an application security policy allow list that
allows only the applications required for server updates so that
all other applications are blocked, even if they are legitimate applications
in other circumstances. Loose application rules present opportunities
to attackers.
Command-and-control (C2) using legitimate applications—If
data center servers are allowed to communicate with the internet
using legitimate applications that are not for software updates,
attackers could use those otherwise legitimate applications for
C2 activities. For example, allowing web-browsing on non-standard
ports creates opportunities for attackers. Servers should be allowed
to communicate with the internet using only the specific applications
required for software updates, on their default ports, and no other
applications, even if those applications are legitimate and sanctioned
for other uses.
Downloading additional malware—If an attacker compromises
a data center server, the malware on the server may download more
malware from the internet through a phone-home or other mechanism.
A strict allow rule that allows communication only with the appropriate
update servers using only the necessary update applications prevents
attackers from contacting websites that house malware and from exfiltrating
data. In addition, install Cortex XDR Agent on the data center servers
(and all of your endpoints) to prevent malware that already resides on
a server from executing.
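As an added illustration (not code from the original guide or from any PAN-OS component), the following Python models how a deny-by-default application allow list evaluates outbound flows from data center servers against the three risks above; the zone name, application names, hostnames and default-port table are constructed assumptions.

```python
from dataclasses import dataclass

# Ports each application uses by default (constructed subset, App-ID style).
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ocsp": {80}, "dns": {53}}

# Allow list for the data center zone: only update and revocation-check
# traffic, only to named servers. Hostnames are constructed placeholders.
ALLOW_RULES = [
    ("dc-servers", "ssl", {"updates.vendor.example"}),
    ("dc-servers", "ocsp", {"ocsp.ca.example"}),
]

@dataclass(frozen=True)
class Flow:
    src_zone: str
    app: str       # application identified by the firewall, not just the port
    dst_host: str
    dst_port: int

def evaluate(flow: Flow) -> tuple[str, str]:
    """Deny by default; allow only an explicit rule on the app's default port."""
    for zone, app, dests in ALLOW_RULES:
        if flow.src_zone != zone or flow.app != app:
            continue
        if flow.dst_port not in APP_DEFAULT_PORTS.get(app, set()):
            return "deny", f"{app} on non-default port {flow.dst_port}"
        if flow.dst_host not in dests:
            return "deny", f"{app} to unapproved destination {flow.dst_host}"
        return "allow", f"{app} to approved server {flow.dst_host}"
    return "deny", f"no allow rule for {flow.app} from {flow.src_zone}"

# Constructed flows covering the update case and the three risks above.
SAMPLE_FLOWS = [
    Flow("dc-servers", "ssl", "updates.vendor.example", 443),        # update check
    Flow("dc-servers", "ocsp", "ocsp.ca.example", 80),               # revocation check
    Flow("dc-servers", "ssl", "updates.vendor.example", 8443),       # default-port mismatch
    Flow("dc-servers", "web-browsing", "cdn.unknown.example", 8080), # web-browsing, non-standard port
    Flow("dc-servers", "ftp", "drop.unknown.example", 21),           # FTP, exfiltration risk
    Flow("dc-servers", "dns", "resolver.unknown.example", 53),       # DNS to unapproved resolver
]

def sample_verdicts() -> list[str]:
    """Verdict for each constructed flow, in order."""
    return [evaluate(f)[0] for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{verdict:5} {flow.app:12} {flow.dst_host}:{flow.dst_port}  ({reason})")
```

Only the two flows that match an explicit rule on the application's default port are allowed; everything else, including legitimate applications on other ports, is denied.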