It’s true. Once an intruder is behind your perimeter firewalls, they can enumerate and potentially exploit services on any of your servers – unless you’re using the firewalls built into the hosts themselves. You are, aren’t you?
If you’re not using this excellent built-in – essentially free – control, then the first question is: why not? I often hear answers like “we’re not sure what will break if we do”, or “it’s too difficult to manage in an enterprise environment”. Both are fair answers, and they are the reason IDS/IPS and log-management vendors do so well: those products are designed to identify the behaviours an intruder engages in while working towards their goals. However, normal system traffic can and will generate alerts in all of these systems, and the secret to getting value out of them is tuning them to minimise false positives, so that what they report is actually useful and actionable. That tuning takes time and skilled people, and when things inevitably change the number of false positives climbs again. As we all know, change is a constant in IT.
Another reason these are fair answers is that, in my experience, organisations don’t know all the touchpoints their applications have. For instance, clients speak to a web server, which in turn speaks to the application tier, which then speaks to the database tier. Those traffic paths aren’t always obvious, and they can be difficult to control in cloud and hybrid environments. Securing that traffic raises architectural concerns of its own, and a wealth of other questions besides:
- What about authentication?
- Or the systems monitoring?
- Or the administrators?
- What about traffic between workloads that are hosted on a single hypervisor, or within a specific subnet?
These are the reasons why host-based firewalls are usually switched off – IT systems are complex. Not because complexity keeps people in jobs or because the tools are cool toys, but because the systems NEED to be. That complexity quickly makes host-based firewall rule sets unmanageable when they are written and maintained by hand.
So, how would it be if you could understand your application flows and dynamically drive the host-based firewalls inside the datacentre to protect your infrastructure, with rules written in the language of your applications rather than in IP addresses? Sounds good, doesn’t it? This doesn’t solve every problem of managing IT well, but it starts to make the complexity look less daunting.
So, what about a system that monitors your entire server infrastructure – regardless of its physical location – and shows which hosts are talking to which? One that takes in information from additional data sources and lets you tag workloads with that metadata, so that policy is written against tags and IP-address-based access lists become a thing of the past? Wrap all this up in always-on monitoring of the metadata systems, so that as new machines are added and categorised they are automatically authorised and secured. By deploying Illumio’s Adaptive Security Platform to your workloads, you can apply this highly granular, easily managed security policy across your environment.
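To make the tag-based idea in the last two paragraphs concrete, and to show how the “what will break?” question from earlier can be answered with data rather than a guess, here is an added example. It is not part of the original post and not Illumio’s code or any vendor’s: it compiles a policy written in labels such as role and env into per-host iptables rules, and audits a set of observed flows against that policy before anything is enforced. Every workload, label, IP address, port and flow record in it is constructed sample data, and the Workload, Rule, compile_for_host and audit_flows names are assumptions made for the example.

```python
# Added example, not Illumio's own code or any vendor's: it shows the idea behind
# label-based segmentation by compiling a policy written in labels into per-host
# iptables rules, and auditing observed flows against it before enforcement.
# Inventory, labels, IP addresses, ports and observed flows are constructed sample data.
from dataclasses import dataclass

def tag(**kv):
    """Labels as a sorted tuple of pairs, so Workload stays hashable and comparable."""
    return tuple(sorted(kv.items()))

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: tuple  # e.g. tag(role="app", env="prod")

@dataclass(frozen=True)
class Rule:
    src: dict  # label selector for the consumer; {} matches any workload
    dst: dict  # label selector for the provider
    port: int
    proto: str = "tcp"

def matches(selector, workload):
    """Every key in the selector must be present on the workload with the same value."""
    labels = dict(workload.labels)
    return all(labels.get(k) == v for k, v in selector.items())

def by_name(inventory, name):
    return next(w for w in inventory if w.name == name)

def is_allowed(src, dst, port, policy, proto="tcp"):
    """True if some rule permits src -> dst:port; no matching rule means default deny."""
    return any(r.port == port and r.proto == proto and matches(r.src, src)
               and matches(r.dst, dst) for r in policy)

def compile_for_host(host, inventory, policy):
    """Inbound iptables rules for one host. IPs are looked up from the inventory at
    compile time, so a new workload with the right labels is picked up on the next run."""
    lines = [
        "-P INPUT DROP",  # default deny: only flows declared in the policy get through
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for peer in sorted(inventory, key=lambda w: w.ip):
        if peer == host:
            continue
        for r in policy:
            if matches(r.dst, host) and matches(r.src, peer):
                lines.append(f"-A INPUT -s {peer.ip}/32 -p {r.proto} --dport {r.port} "
                             f"-m conntrack --ctstate NEW -m comment "
                             f'--comment "{peer.name}->{host.name}" -j ACCEPT')
    return lines

def audit_flows(observed, inventory, policy):
    """Observed (src_ip, dst_ip, port) flows the policy would drop: run this over real
    flow data before enforcing, so "what will break?" gets a list, not a guess."""
    by_ip = {w.ip: w for w in inventory}
    dropped = []
    for src_ip, dst_ip, port in observed:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None or not is_allowed(src, dst, port, policy):
            dropped.append((src_ip, dst_ip, port))
    return dropped

# Constructed inventory: a three-tier prod application, a dev copy of the app tier,
# a monitoring host and an admin bastion.
INVENTORY = [
    Workload("bastion", "10.0.0.5", tag(role="bastion", env="prod")),
    Workload("web1", "10.0.1.10", tag(role="web", env="prod")),
    Workload("app1", "10.0.2.10", tag(role="app", env="prod")),
    Workload("app2", "10.0.2.11", tag(role="app", env="prod")),
    Workload("db1", "10.0.3.10", tag(role="db", env="prod")),
    Workload("mon1", "10.0.4.10", tag(role="monitoring", env="prod")),
    Workload("app-dev", "10.0.9.10", tag(role="app", env="dev")),
]
# Policy in terms of what workloads are, not where they are.
POLICY = [
    Rule({"role": "web", "env": "prod"}, {"role": "app", "env": "prod"}, 8080),
    Rule({"role": "app", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
    Rule({"role": "monitoring"}, {"env": "prod"}, 9100),  # monitoring scrapes every prod host
    Rule({"role": "bastion"}, {}, 22),                    # admins reach any host via the bastion
]
# Constructed flow records (src_ip, dst_ip, dst_port) as a flow monitor might report them.
OBSERVED = [
    ("10.0.1.10", "10.0.2.10", 8080),  # web1 -> app1: declared
    ("10.0.2.11", "10.0.3.10", 5432),  # app2 -> db1: declared
    ("10.0.9.10", "10.0.3.10", 5432),  # dev app -> prod db: undeclared, and should break
    ("10.0.1.10", "10.0.3.10", 5432),  # web1 -> db1 directly: undeclared, ask why before enforcing
]

if __name__ == "__main__":
    for line in compile_for_host(by_name(INVENTORY, "db1"), INVENTORY, POLICY):
        print(line)
    print("would be dropped:", audit_flows(OBSERVED, INVENTORY, POLICY))
```

Running it prints the default-deny ruleset for db1 (app1, app2, the monitoring host and the bastion are let in; the dev app and the web tier are not) and the two observed flows the policy would drop. Add an app3 with role=app and env=prod to the inventory and db1’s ruleset picks it up on the next compile without anyone editing an address list, which is the whole point of tagging over IP-based ACLs. The rendered lines use standard iptables-restore syntax (the conntrack and comment match modules); a real deployment would also have to cover outbound rules and any hosts that are not Linux.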
With this tool from Illumio, an intruder who gets past your perimeter firewalls is no longer free to roam wherever they like inside them.