Usenix Enigma 2017 Data center managers should take some tips from the US Secret Service when protecting vital servers from hackers, says someone who has been through a White House lockdown.
In a presentation at Enigma 2017, Nathaniel Gleicher – a former director for cybersecurity policy at the National Security Council and now head of cybersecurity strategy at Illumio – reckons the same principles for protecting the president could be applied to key servers in a data center.
The grounds of 1600 Pennsylvania Avenue, in Washington DC, are surrounded by nothing more than an iron fence, which is easy to hop over with a small ladder or a willing accomplice, he said. However, once inside the perimeter, the intruder is stopped almost immediately. Control of the threat environment is something some people in the IT industry could learn from, he suggested diplomatically.
From a data center perspective, managers need to take the same approach. The number of server interconnects is huge and that provides plenty of scope for an attacker to run wild. In a sample data center running 3,500 servers, he found over 37 million open pathways between systems. Under 1 per cent were actually in use for normal operations.
Just as the secret service blocks off entrances and exits to funnel people past checkpoints, data center managers need to block off unused pathways to key servers and lock down data traffic. This drastically reduces the attack surface available and forces an intruder to use heavily monitored data pathways.
In other words, if a particular application server doesn't need to interact with the NoSQL database servers, for example, firewall that off. Don't let attackers move through a network unheeded: limit access, compartmentalize, and so on. This might be advice from the Department of Bleedin' Obvious, but we live in an age when people don't test their backups so every little helps. Obviously, clusters of boxes that are assigned different workloads dynamically complicate things; however, intelligent on-the-fly network partitioning isn't impossible.
“The average time that an attacker spends in a server center before being discovered is 146 days,” Gleicher noted. “It’s unusual for an attacker to last 46 seconds before being collared by the Secret Service, because they control their environment.”
Yeah, we thought that was an apples and pears comparison, too. When The Reg asked Gleicher how feasible this total network mapping and lockdown was for the average data center manager, he acknowledged it was a massive undertaking.
“I think understanding the environment is the first challenge and often it takes a really long time,” he said.
“The key is not just trying to map out the network but trying to map the hosts, the servers, and how they are connected and how they are talking to each other. Because these are the communications hackers are most likely to use, and they are the communication paths you should care most about securing.”
Nevertheless, there is a lot of sense in trying to lock down data centers as much as possible. The payoff could be very handy at cutting down the amount of time an attacker can romp through your systems and wreak havoc. ®