In the most recent Palo Alto Networks Application Usage and Threat Report (Feb 2013), one of the most interesting findings was that while Internet social networking applications are assumed by many to represent the highest volume of risk, they only represent 0.4 percent of all threat logs observed. Rather, 97 percent of all exploit logs were found in ten applications — nine of which were internal or infrastructure applications that are integral to many business functions (e.g. databases, Active Directory, RPC applications).
Of course, it’s not a surprise that three of the ten internal applications with the most exploit logs are Microsoft applications. Microsoft applications are notorious for using random and high-range ports. Microsoft applications such as SharePoint and MS-RPC require ports like 135, 137 and 139 to be opened on traditional stateful inspection firewalls, which leaves those firewalls unable to verify that the traffic on those ports is actually the intended application. Microsoft Lync is even more confusing, requiring ports like 443, 3478 and high ports in the range of 50000-59999 to be opened. Yes, all of those open ports on your firewall that you’ve enabled for Microsoft applications are akin to the holes in Swiss cheese, with plenty of vectors for attackers to exploit Microsoft server and application vulnerabilities.
This data indicates that the old network security model of “hard and crunchy on the outside, soft and gooey on the inside” (shore up your perimeter defenses with firewalls and you’re good to go) is no longer sufficient. The strategy of attacking critical resources from easier-to-“own” resources that are already inside the network is increasingly the rule rather than the exception. Security strategy needs to shift towards a greater focus on data center applications and the monitoring of internal traffic. In fact, with internal threats being dominant, organizations face a delicate balance between empowering employees and securing data center applications.
This balance is the key. It is about physical security, safe application enablement for legitimate data center application usage, and secure access to these applications. These are well-understood, fundamental best practices in the data center but they are best achieved using a next-generation firewall so you can deliver policies based on applications, users and content, without having to subject your data center to a Swiss cheese version of security.
Here are some best practices to protect your data center applications, in particular, Microsoft applications:
Physical Security
While the concept of physical security may be well understood (with enterprise data center servers relegated to well-protected, isolated data center premises), internal threats can still arise in other ways, such as insiders walking out with critical files or servers that are not properly locked down. Case in point – Nicira Networks in 2011 (prior to its acquisition by VMware) was robbed by an attacker who knew exactly which server to walk out with. While it may have been a nation-state attack, it was obviously aided by an insider who knew exactly which server to target. Physical security for that server would likely have prevented that attack.
Identify, Segment and Safely Enable Applications
You need to consider network security best practices when securing applications like Microsoft applications in your data center. The most important aspect to consider with these enterprise applications is their complicated architecture. They typically consist of multiple application tiers, from web to application to database servers, and all of these functions are typically distributed across multiple servers in the data center.
Therefore, your security strategy needs to ensure proper segmentation of these servers, appropriate access by users and IT administrators to these applications, and finally secure access to these applications. There are likely three groups of users accessing these applications – employees, contractors and IT administrators (you might even have partners accessing them too). Employees should be allowed access to specific functions depending on their roles, while partner/contractor access can be further restricted by time of access if necessary. IT administrators should be the only group allowed to use functions like Telnet and RDP to reach data center servers, and this type of privileged access should be constantly monitored.
Next-generation firewalls enable segmentation via security zones, and for each security zone, specific applications can be enabled for different groups of users. Microsoft components, in particular database servers and Windows IIS servers, may be subject to attacks such as SQL injection and IIS buffer overflow attacks. Therefore, the content for all allowed traffic can be inspected for these threats. In addition, threat inspection can be augmented with data filtering to track data and unknown files flowing outside of the different security zones.
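As an added illustration (not code from the original post or from any vendor product), the following Python sketches the policy model described above: a security zone per application tier, rules keyed on the identified application and user group rather than the port, a time window for contractors, and RDP/Telnet access that is allowed only for IT administrators and flagged for monitoring. The zone, group and application names, and the set of open ports, are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str          # application identified from content, not inferred from the port
    port: int
    user_group: str
    hour: int         # local hour (0-23) at which the session starts

@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    apps: frozenset
    groups: frozenset
    hours: range = range(24)   # hours of the day during which the rule applies
    monitor: bool = False      # privileged access: allow, but log every session for review
    def matches(self, f: Flow) -> bool:
        return (f.src_zone in self.src_zones and f.dst_zone in self.dst_zones and f.app in self.apps
                and f.user_group in self.groups and f.hour in self.hours)

# Constructed ruleset for a three-tier Microsoft application (assumed names). First match wins; default deny.
RULES = [
    Rule("staff-to-web", frozenset({"corp", "vpn"}), frozenset({"web-tier"}),
         frozenset({"sharepoint"}), frozenset({"employees"})),
    Rule("contractors-business-hours", frozenset({"vpn"}), frozenset({"web-tier"}),
         frozenset({"sharepoint"}), frozenset({"contractors"}), hours=range(8, 18)),
    Rule("web-to-app", frozenset({"web-tier"}), frozenset({"app-tier"}),
         frozenset({"ms-rpc"}), frozenset({"service"})),
    Rule("app-to-db", frozenset({"app-tier"}), frozenset({"db-tier"}),
         frozenset({"mssql"}), frozenset({"service"})),
    Rule("admin-mgmt", frozenset({"corp"}), frozenset({"web-tier", "app-tier", "db-tier"}),
         frozenset({"rdp", "telnet"}), frozenset({"it-admins"}), monitor=True),
]

def evaluate(f: Flow):
    """Return ("allow", rule_name, monitor) for the first matching rule, else ("deny", None, False)."""
    for r in RULES:
        if r.matches(f):
            return ("allow", r.name, r.monitor)
    return ("deny", None, False)

# Ports a traditional stateful firewall would have to leave open for the same applications (assumed set).
OPEN_PORTS = {135, 137, 139, 443, 3389}
def port_only_allowed(f: Flow) -> bool:
    """Port-based decision: any application on an open port gets through, whoever sends it."""
    return f.port in OPEN_PORTS
```

Comparing `port_only_allowed` with `evaluate` on the same flow (for example, an unidentified application on port 443 from a contractor outside business hours) shows the gap the post calls Swiss cheese: the port rule passes it, the zone/application/user rule does not.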
Securing Access to the Data Center
The third and final piece is securing access to the data center itself. Internal employees, partners and contractors using a variety of laptops, smartphones and tablets will require access to data center applications. The strategy to secure these users requires a two-pronged approach — an always-on VPN connection that ensures secure connectivity for access and termination on a next-generation firewall that can safely enable mobile traffic no matter where the user is located.
As an industry, we’re moving away from stateful inspection firewalls towards next-generation firewalls. In light of the recent threat data that suggests the very applications we depend on to run our businesses are the vectors exploited by attackers, next-generation firewalls and their ability to safely enable these critical, complex applications should be a critical component of any data center security strategy.