Tuesday, 11 October 2016

Why Firewall a Server

I'm going to address something that came up in a talk I had the other day with some people who run data centres: they put firewalls between customers and what is exposed to the internet, but not against traffic from one customer server to another.

When questioned on the subject, the response I got was that nothing can get in or out so it's secure, and that it reduces administrative overhead.

Well, no, and I had to point out two things. First, if an infected client passes something to the server, it's not secure anymore, and examples of such zero-day exploits are many. Second, if one server is compromised, it allows hackers, viruses and malware to spread faster when other nearby servers are not protected. Finally, the administrative overhead? That's a two-minute update to the provisioning script, people, nothing more.

In short, there is no real reason not to have a local firewall. Both Linux and Windows offer their own versions that can be easily customised during provisioning to allow monitoring and remote access for trusted hosts.
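As an illustration of that provisioning-script update on Linux, here is an added example (not code from the original post) that renders a default-deny nftables input chain. It assumes nftables is the host firewall; the table name `host_fw`, the function names and every address and port passed to it are constructed for the example. Only the listed management and monitoring hosts reach SSH and the monitoring port, so a neighbouring customer server sees nothing but the public service ports.

```shell
#!/bin/sh
# Added example; addresses, ports and the table name host_fw are constructed.

# Turn a space-separated list of IPv4 addresses/CIDRs into "a, b, c".
# Anything else is rejected so bad input never reaches the ruleset.
join_ipv4() {
    out=""
    for a in $1; do
        printf '%s\n' "$a" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
        out="${out:+$out, }$a"
    done
    [ -n "$out" ] && printf '%s' "$out"
}

# render_host_firewall MGMT_HOSTS MONITOR_HOSTS MONITOR_PORT PUBLIC_PORTS
render_host_firewall() {
    mgmt=$(join_ipv4 "$1") || return 1
    mon=$(join_ipv4 "$2") || return 1
    ports=$(printf '%s' "$4" | tr -d ' ')
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    case "$ports" in ''|*[!0-9,]*) return 1 ;; esac
    cat <<EOF
table inet host_fw
delete table inet host_fw
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    ip saddr { $mgmt } tcp dport 22 accept
    ip saddr { $mon } tcp dport $3 accept
    tcp dport { $ports } accept
  }
}
EOF
}

# Syntax-check the rendered ruleset, then load it (needs root and nft).
apply_host_firewall() {
    tmp=$(mktemp) || return 1
    render_host_firewall "$@" > "$tmp" && nft -c -f "$tmp" && nft -f "$tmp"
}
```

A provisioning run would call `apply_host_firewall` with the bastion and monitoring addresses for that environment; persisting the ruleset across reboots is distribution-specific and not shown.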

Now some of you are thinking, well, this is what happens with small cloud providers, right?
Well, you'd be wrong. The people I am talking about are blue chip IT firms and household names. One of the reasons for this is that in these larger companies the people doing the provisioning automation do not have any security training or any process in place for hardening, leaving this almost entirely down to the end customers, who most of the time don't have the skills.

Do I think this is the right approach? Well, no. Frankly, this might be OK in an IaaS model, but for a PaaS this is a detail that is overlooked and leaves their customers exposed.

What is still more worrying is that many of them do not have a patching process either, leaving you more exposed over time and, in my mind, creating an even greater need for a firewall on the server.

Now I know that the video below is only about AWS, but please keep in mind this could happen to any cloud, and it covers more details on styles of attack.
