Why? Why Does That Server Need Internet Access? Why?
- Written by: Dave Nelson
I’m going to state this very bluntly. No server needs internet access. Do I have your attention? Good. Now let me clarify. The vast majority of servers should never be allowed to make a connection to the internet. This goes double for database servers. If you want to ensure information security and protect against a data breach, keep reading.
Now, I’m not talking about servers in your DMZ which are used to provide public-facing services or provide DNS or email. I’m talking about your internal file and print servers, Active Directory domain controllers, CRM, ERP, etc. If these servers need an update, get it from a single-purpose update server in a different security zone.
One of the common problems we see during a data breach investigation is that a server is compromised and then used to funnel information back out. If this server were in a security zone with egress filtering, alarms would trigger the instant any outbound communication attempt was made, giving the information security team a chance to detect the anomaly and respond accordingly. A serious data breach may have been prevented.
I’d encourage you to do an inventory of the internet access rules of every server in your organization. Ask yourself: is this necessary? Could the services be accessed or routed through other devices? DNS and NTP are common examples. Servers should only get DNS or NTP from an internal source. There are too many attack vectors using those protocols. If servers do need internet access, they should be put in a separate security zone which is less trusted than the other zones. Consider it an internal DMZ if you will.
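The two ideas above, an explicit egress allowlist for the server zone and an alarm on any outbound attempt that falls outside it, can be expressed as a small checker. The following is an added example written for this page, not code from the original post or its author. Everything in it is assumed: the server zone is 10.10.0.0/16, the internal DNS resolver is 10.0.0.53, the internal NTP source is 10.0.0.123, the single-purpose update server is 10.0.1.10, and the log lines are constructed in a netfilter-style format. It classifies each logged flow as allowed (on the allowlist), internal (inside the organization but not the subject of this check), ignored (not a server-zone source), or an alert (a server-zone host reaching for the internet, including external DNS or NTP).

```python
"""Egress-policy checker for an internal server zone (added example).

Assumptions (not from the original post): 10.10.0.0/16 is the internal
server zone; 10.0.0.53 is the internal DNS resolver; 10.0.0.123 is the
internal NTP source; 10.0.1.10 is the single-purpose update server.
Log lines are constructed in a netfilter-like format for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

SERVER_ZONE = ipaddress.ip_network("10.10.0.0/16")  # assumed server zone

# The organization's own address space (RFC 1918). Anything outside these
# ranges is treated as "the internet" for the purpose of this check.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Explicit egress allowlist for the server zone: (destination, protocol, port).
# Everything not listed here is, by policy, not allowed out of the zone.
EGRESS_ALLOWLIST = {
    ("10.0.0.53", "udp", 53),     # internal DNS resolver only
    ("10.0.0.53", "tcp", 53),
    ("10.0.0.123", "udp", 123),   # internal NTP source only
    ("10.0.1.10", "tcp", 443),    # single-purpose update server
}

# Constructed sample log lines (netfilter-style fields, assumed format).
LOG_LINES = [
    "Jan 10 03:12:01 fw kernel: EGRESS SRC=10.10.4.21 DST=10.0.0.53 PROTO=UDP SPT=51234 DPT=53",
    "Jan 10 03:12:02 fw kernel: EGRESS SRC=10.10.4.21 DST=198.51.100.53 PROTO=UDP SPT=51235 DPT=53",
    "Jan 10 03:15:40 fw kernel: EGRESS SRC=10.10.4.21 DST=10.0.1.10 PROTO=TCP SPT=40112 DPT=443",
    "Jan 10 03:16:09 fw kernel: EGRESS SRC=10.10.7.3 DST=203.0.113.45 PROTO=TCP SPT=40200 DPT=443",
    "Jan 10 03:16:10 fw kernel: EGRESS SRC=10.10.7.3 DST=10.0.2.15 PROTO=TCP SPT=40201 DPT=445",
    "Jan 10 03:17:55 fw kernel: EGRESS SRC=192.168.50.9 DST=203.0.113.45 PROTO=TCP SPT=50001 DPT=443",
]

# Non-greedy gaps tolerate the extra fields (LEN, TTL, SPT, ...) such logs carry.
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line):
    """Extract the 4-tuple we need from a log line, or None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(2), m.group(3).lower(), int(m.group(4)))


def is_internal(addr):
    """True if the address lies in the organization's own address space."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return (verdict, reason) for one flow seen leaving the firewall."""
    src = ipaddress.ip_address(flow.src)
    if src not in SERVER_ZONE:
        return "ignore", "source is not in the server zone"
    if (flow.dst, flow.proto, flow.dport) in EGRESS_ALLOWLIST:
        return "allow", "matches the server-zone egress allowlist"
    dst = ipaddress.ip_address(flow.dst)
    if is_internal(dst):
        return "internal", "internal destination outside the allowlist (not an internet egress)"
    # Anything else is a server-zone host talking to the internet directly.
    if flow.dport in (53, 123):
        svc = "DNS" if flow.dport == 53 else "NTP"
        return "alert", f"server-zone host using external {svc} instead of the internal source"
    return "alert", "server-zone host attempting a direct internet connection"


def alerts(lines):
    """All flows that should trip an alarm, each paired with its reason."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = classify(flow)
        if verdict == "alert":
            out.append((flow, reason))
    return out


def summarize(lines):
    """Count of flows per verdict; useful when reviewing a zone's rule inventory."""
    counts = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, _ = classify(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for flow, reason in alerts(LOG_LINES):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
    print(summarize(LOG_LINES))
```

Run against the constructed lines, the checker raises two alerts: the server that queried an external resolver instead of 10.0.0.53, and the server that opened a direct HTTPS connection to the internet. The SMB flow to another internal host is reported as "internal" rather than alerted, because this check is only about the zone's internet access; the workstation-originated flow is ignored because it is outside the server zone. Wiring the same allowlist into the firewall as deny-by-default rules with logging on the deny is what turns these classifications into the alarms the post describes.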
Information security is hard. There are a million different ways the bad guys can get you and cause a data breach. Let’s not make their lives any easier by throwing them a lob pitch and letting them swing for the fence.