Hello! I’m Jim Klun – a comparatively recent addition to the team here at Microsolved.
I have worked over the years to protect large datacenter environments from compromise. I want to take a moment to share a way to look at the external security risks facing such an environment. I’ve used it effectively to explain (usually to senior management) the reality of risks that often go unplanned for.
Essentially, I have come to view a typical datacenter environment as presenting three major “doorways” that external attackers will attempt to break through. These are often described as “attack surfaces” in the literature and are illustrated below:
Let’s take a look at each side of this “attack surface” triangle.
An organization’s Internet presence – the Internet-facing services offered to the public over the Internet – is usually well understood as an attack surface. Organizations with at least some security awareness will ensure that servers with publicly exposed services are protected by a firewall, offer only a limited number of secured services to the Internet and tightly monitor those services for signs of potential abuse or compromise. Best practice also dictates that they be in a separate network segment (e.g. a “DMZ”) with limited access into the rest of the datacenter. Segmentation makes it more difficult for an attacker who has gained access to an Internet server to extend their control inward without being detected.
But – note the other attack surfaces shown in the diagram. These are the ones often ignored by organizations. The reason is invariably a misplaced sense of “trust”.
These are the various “private” pathways into your datacenter provided to vendors, business partners or customers. Communication may be over dedicated non-Internet communication channels or possibly via site-to-site VPN over the Internet. Portions of some other organization’s internal infrastructure are connected to yours via such paths. Your organization becomes dependent on their internal security.
Regardless of the private communication mechanism, the special nature of the relationship invariably instills a sense of trust in the security of the connection. The assumption is that the folks at the other end are “doing the right thing” and pose a limited risk. But of course you have no way of really knowing that. A compromise of a vendor site that has a direct connection into your datacenter, so that the vendor can perform maintenance work on your servers, is a real and serious risk to you. An attacker who had just compromised a support vendor would be delighted to find such maintenance connections.
Hopefully none of them would lead to your datacenter.
Unless you have complete, assured control of the infrastructure at such sites, you must assume they are potentially hostile. Firewalls, logging, segmentation, and intrusion detection are as much a requirement here as they are for the Internet.
“We trust our employees!” Of course you do. But trust here goes beyond trust of the individual human being. The trust is of a combined entity – your employee AND that company laptop they take home every night. Few people are capable of using a Windows-based laptop in such a way as to avoid compromise over the long term. You may have a full array of anti-malware solutions running on company laptops, but the simple fact of modern digital life is that a subset of them will be compromised and you will not detect it.
The trick is to limit the damage that any one such compromised laptop can do to the security of your datacenter. If you have no firewalls between your internal employee space and your datacenter, and you have no controls on outbound traffic from your employee space to the Internet (porn filters are not enough), then an attacker who has remote control of that laptop can simply use it as an internal attack platform against your datacenter. This has become a major vector for datacenter compromise.
Employee desktop/laptop/smartphone IP-space should be entirely different from that used internally within your datacenter. Firewalls should lie between those spaces. Strict limits must be imposed on what your non-technical users “see” of your datacenter. If they can see everything, then an attacker who has taken control of their machine can see it all as well. Ideally all access to datacenter servers by technical administrators is by way of “jump hosts” that sit at the boundary between the datacenter and employee space. Two-factor authentication for access to such administrative jump hosts is a requirement. System admins are just as likely as any other user to have traditional credentials stolen.
By limiting what your internal users can see of your datacenter and logging all access attempts, you have some chance of limiting the opportunities for attack from a compromised laptop and at least some chance of detecting it if it does occur.
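The vendor-connection and employee-space guidance above both come down to the same default-deny model: each “doorway” may reach only one narrow path into the datacenter, and every other attempt is logged. The following added example (my own illustration, not code from the post or from Microsolved) models that policy for constructed address ranges, a hypothetical jump host, and a single vendor-maintained server, then runs it over a constructed iptables-style log excerpt to surface the laptop and the vendor host that are poking at servers they should never see.

```python
import ipaddress
import re
from collections import Counter

# Constructed address plan (assumption, not from the post): one zone per "doorway".
EMPLOYEE_NET = ipaddress.ip_network("10.10.0.0/16")    # laptops, desktops, phones
VENDOR_NET = ipaddress.ip_network("172.16.50.0/24")    # site-to-site VPN from a support vendor
DATACENTER_NET = ipaddress.ip_network("10.30.0.0/16")  # servers
JUMP_HOST = ipaddress.ip_address("10.20.0.5")          # boundary between employee space and datacenter
VENDOR_TARGET = ipaddress.ip_address("10.30.1.20")     # the one server the vendor maintains

def zone(ip):
    ip = ipaddress.ip_address(ip)
    if ip == JUMP_HOST:
        return "jump"
    for name, net in (("employee", EMPLOYEE_NET), ("vendor", VENDOR_NET), ("datacenter", DATACENTER_NET)):
        if ip in net:
            return name
    return "other"

def allowed(src, dst, dport):
    """Default-deny between zones: only the three narrow paths below are open."""
    s, d = zone(src), zone(dst)
    if s == "employee" and d == "jump" and dport == 22:
        return True   # admins reach the jump host only (2FA enforced on the host itself)
    if s == "jump" and d == "datacenter" and dport in (22, 3389):
        return True   # the jump host reaches server admin ports
    if s == "vendor" and ipaddress.ip_address(dst) == VENDOR_TARGET and dport == 22:
        return True   # the vendor sees one host on one port, nothing else
    return False

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*DPT=(\d+)")

def audit(log_lines):
    """Return (denied flows, denied-flow count per source) for a firewall log excerpt."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not allowed(m.group(1), m.group(2), int(m.group(3))):
            violations.append((m.group(1), m.group(2), int(m.group(3))))
    return violations, Counter(src for src, _, _ in violations)

# Constructed log excerpt with iptables-style fields, for demonstration only.
SAMPLE_LOG = [
    "kernel: FW SRC=10.10.4.17 DST=10.20.0.5 PROTO=TCP DPT=22",     # admin -> jump host: fine
    "kernel: FW SRC=10.20.0.5 DST=10.30.1.20 PROTO=TCP DPT=22",     # jump host -> server: fine
    "kernel: FW SRC=10.10.4.99 DST=10.30.1.20 PROTO=TCP DPT=22",    # laptop straight to a server
    "kernel: FW SRC=10.10.4.99 DST=10.30.1.21 PROTO=TCP DPT=445",   # same laptop, another server
    "kernel: FW SRC=172.16.50.8 DST=10.30.1.20 PROTO=TCP DPT=22",   # vendor to its own host: fine
    "kernel: FW SRC=172.16.50.8 DST=10.30.2.5 PROTO=TCP DPT=3389",  # vendor wandering off-target
]

if __name__ == "__main__":
    for src, n in audit(SAMPLE_LOG)[1].most_common():
        print(f"{src}: {n} denied attempts against the datacenter")
```

A source that keeps appearing in the denied list is exactly the compromised laptop or partner host the post warns about; the count per source is what makes it stand out in the log rather than blend in.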
For my next post, I’d like to take a look at a topic closely related to the above: Egress Filtering. Don’t do it? You need to. See: http://en.wikipedia.org/wiki/Egress_filtering