A recent engagement and publication reminded me how critical it is to limit what systems within an organization are able to do. To be specific: servers should run only a limited set of services; these systems should have restricted access (inbound and outbound); and chaining of servers and services must be avoided.
While this is fairly well published by NIST, NSA, CIA, PCI DSS (the standard), ISACA, and non-technical professional groups such as the IIA, there is a propensity for network operators and firewall operators not to enforce these restrictions. Why? A few common reasons include:
- The objective of network and server operators is to provide services; eliminating services goes against the grain
- A lack of clarity about which services each system requires (and some products that themselves require excessive services and access, e.g. Microsoft Exchange) makes it hard to confidently clean up servers
- Firewall and security people would love to restrict by source, destination, and service; however, if the server/application owners cannot articulate which services are necessary in which direction, the ACLs cannot be put in place without breaking the network
The importance of eliminating these services was recently highlighted by the extremely talented folks over at SensePost. Their 2008 Black Hat presentation on “reDuh” is here: a tool that simply allows one to create a “TCP circuit through validly formed HTTP requests”. The tool is free with registration. Simply put, this tool shows the threat in allowing one server to access another server without restriction “because it is inaccessible from the firewall”.
Security professionals and operators should consider the following:
- Services should be limited; with virtual systems readily available, it is possible to test company-specific setups, so security can keep restricting until true security is achieved
- When acquiring technology you (the buyer) should not send the check until you get the absolute list of services (applications) and ports (inbound and outbound) required to make the application work
- Evaluations should consider the chaining effect: what can be done from servers X, Y, and Z? Most times security is a single line in the sand, and such follies lead to disaster.
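The chaining evaluation above can be made mechanical. The following is an added example, not code from the original post or from SensePost: given the allow rules a firewall enforces between hosts (a constructed, hypothetical rule set here), it walks the permitted flows hop by hop and reports every multi-hop path from the public-facing side to a sensitive system, which is exactly the exposure a "no direct rule allows it" review misses.

```python
"""Chained-reachability check over firewall allow rules (added example)."""
from collections import deque

# Constructed sample rule set with hypothetical host names.
# Each tuple is (source, destination, service). Note that no single rule
# permits internet -> db; the exposure only appears by chaining hops.
RULES = [
    ("internet", "web", "tcp/443"),
    ("web", "app", "tcp/8080"),
    ("app", "db", "tcp/1433"),
    ("app", "fileshare", "tcp/445"),
    ("admin-vlan", "db", "tcp/1433"),
]


def build_graph(rules):
    """Map each source to the (destination, service) flows it may initiate."""
    graph = {}
    for src, dst, svc in rules:
        graph.setdefault(src, []).append((dst, svc))
    return graph


def direct_allowed(rules, src, dst):
    """True if some rule permits src to reach dst in one hop."""
    return any(r[0] == src and r[1] == dst for r in rules)


def chained_paths(rules, start, target):
    """Breadth-first search over permitted flows. Returns every loop-free
    path from start to target as a list of (src, dst, service) hops; any
    path longer than one hop is a chaining exposure worth reviewing."""
    graph = build_graph(rules)
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target and path:
            paths.append(path)
            continue
        visited = {start} | {dst for _, dst, _ in path}  # no cycles
        for dst, svc in graph.get(node, []):
            if dst not in visited:
                queue.append((dst, path + [(node, dst, svc)]))
    return paths


if __name__ == "__main__":
    print("direct internet->db allowed:", direct_allowed(RULES, "internet", "db"))
    for path in chained_paths(RULES, "internet", "db"):
        print(" -> ".join(f"{s} [{svc}] {d}" for s, d, svc in path))
```

Swap the constructed rule list for an export of the real ACLs and run it for each sensitive host; every reported path is a chain the "single line in the sand" never considered.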
The intent of restricting by server and service is not to inconvenience, but to leverage the existing security technology to its optimal state. Once the public-facing systems are secured, effort should be made to segment out the end-user networks.
Generally this control applies to PCI DSS Sections 1.3.1, 1.3.2, 1.3.3, 1.2, 1.4, and 2.2
James DeLuccia IV
Please join me at the CSO Executive Seminar Series on PCI Compliance & Application Security on September 10th, New York City