Protect Your Security Infrastructure: Isolate Security Services
The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center.
Isolate Security Services on a Protected Network
While proper network security design across the entire data center will be the subject of a future article, we still need to consider the special needs of security infrastructure here.
High-value security servers, such as domain controllers, certificate servers, authentication servers, etc., should be on a dedicated security network protected by an internal firewall (meaning a firewall used to segregate parts of the enterprise network from each other).
Only the intended enterprise security services should be reachable from the rest of the network. You should decide based on your own operational needs and risk management posture how to allow administrator access to security servers. Some of the possibilities include:
- Allowing remote access from the enterprise network via SSH or RDP, depending on the operating system.
- Allowing remote access from the enterprise network only to a jump server on the security network. The firewall blocks remote connections to the security servers themselves from the enterprise network, but they can be reached from the jump server.
- Allowing only console access, using remote keyboard-video-mouse (KVM) servers to provide remote access.
Using either jump servers or remote KVM servers provides layers of indirection between the general enterprise network and access to the security server. Jump servers are a little more convenient, but a KVM-only policy allows remote access services, such as SSH or RDP, to be disabled completely.
This may seem like a heightened level of paranoia – after all, these servers are NOT externally exposed. However, even putting aside the risk from corrupt insiders (and you shouldn’t), the current generation of advanced threats operates largely from inside your network. A user is compromised by a social engineering attack (usually spear-phishing) which ultimately allows the attacker to work from inside the network with the credentials and access rights of “patient zero,” the first victim of the attack. By reducing the network attack surface of security servers, you make them much more resistant to compromise by persistent threats.
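To check an internal firewall rule set against the jump-server option above, the following added example (not from the ebook) evaluates ordered rules with first-match semantics and lists every port on a security server that the enterprise network can reach but should not. The addresses, server names, service ports and rule format are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan and port assignments (assumptions, not from the article).
ENTERPRISE_HOST = "10.1.20.15"          # sample workstation on the enterprise network
JUMP_SERVER = "10.9.0.10"               # jump server on the security network
INTENDED = {                            # server -> (address, ports meant to be reachable)
    "dc01":   ("10.9.0.21", {88, 389, 636}),
    "ca01":   ("10.9.0.22", {443}),
    "auth01": ("10.9.0.23", {1812}),
}
ADMIN_PORTS = {22, 3389}                # SSH and RDP

def first_match(rules, src, dst, port):
    """Evaluate an ordered rule list: first matching rule wins, default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and port in ports):
            return action
    return "deny"

def direct_exposures(rules):
    """(server, port) pairs reachable from the enterprise network but not intended."""
    probe = ADMIN_PORTS.union(*(ports for _, ports in INTENDED.values()))
    return sorted(
        (name, port)
        for name, (addr, allowed) in INTENDED.items()
        for port in probe
        if port not in allowed and first_match(rules, ENTERPRISE_HOST, addr, port) == "allow"
    )

def jump_reachable(rules):
    """True if administrators can still reach the jump server over SSH."""
    return first_match(rules, ENTERPRISE_HOST, JUMP_SERVER, 22) == "allow"

ENT, SEC = "10.1.0.0/16", "10.9.0.0/24"
# Weak: one broad rule opens admin and service ports to the whole security network.
WEAK = [("allow", ENT, SEC, ADMIN_PORTS | {88, 389, 636, 443, 1812})]
# Hardened: SSH only to the jump server, admin ports denied, services allowed per server.
HARDENED = [
    ("allow", ENT, JUMP_SERVER + "/32", {22}),
    ("deny",  ENT, SEC, ADMIN_PORTS),
    ("allow", ENT, "10.9.0.21/32", {88, 389, 636}),
    ("allow", ENT, "10.9.0.22/32", {443}),
    ("allow", ENT, "10.9.0.23/32", {1812}),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "jump ok:", jump_reachable(rules), "exposed:", direct_exposures(rules))
```

Because evaluation is first-match, a broad allow placed ahead of the deny rule reopens the direct paths, so the audit should be run on the rules in their deployed order.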
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.