Why ‘Firewall’ Your Core Servers? Zero Trust and Defense in Depth in Action
Zero trust principles shouldn’t only be applied to the untrusted internet and traffic from the web. The security perimeter—no matter how dynamic—isn’t foolproof and can be breached and bad actors can get inside in a number of ways. Be able to stop a threat that has already penetrated your core by filtering east-to-west traffic and detecting, blocking, and removing intruders and malware.
Why Zero Trust Has Become Relevant Again and Where It Falls Short
For two decades, zero trust buzzed as a recurring security mantra and objective and me-too vendor marketing claim in the IT and federal spaces. Finally, the cybersecurity discipline is gaining momentum as a realistic security software architecture. Zero trust is achieved in steps and parts without any complete future-proof solution, yet compliance continues to be hastened by harsh lessons learned from large-scale cyberattacks.
A renaissance occurred in 2010 with a zero trust single authentication platform in Google BeyondCorp, which was a direct response to the nation state Aurora hack on Google the year before. Although with zero trust platform solutions, zero trust became easier by eliminating additional firewalls, VPNs, and redundant authentication steps, no single control is fail-proof. A zero trust, defense in depth approach should deal with the reality that there are other ways in, such as attacks on site or from the “trusted” supply chain.
Notably, the 2020 SolarWinds Sunburst attack infected a release of SolarWinds Orion software and reached 18,000 customer systems, costing in excess of $90 million in losses and shattering confidence in the integrity of the software supply chain.
The following year, an endpoint user compromise—proliferated by malicious lateral movement, and the injection of ransomware—led to the temporary shutdown of Colonial Pipeline. The attack and resultant pipeline closure also disrupted transportation, delivery, gas station supplies, and companies, federal departments, and consumers along the Eastern Seaboard and including Texas.
Zero trust’s imperative of trusting nothing and monitoring and protecting every endpoint (i.e., Policy Enforcement Point, or PEP)—as well as every network connection—offers a logical defense against these types of attacks. Zero trust security starts with a foundation of least privilege configuration, where system and application access is limited to only that which is required to perform a task.
In addition, zero trust entails inspecting a connection, user device, and payload, and carefully authenticating and authorizing a source or identity before a network handshake can occur. However, too often, zero trust is thought of simply as distrust of the internet, with zero trust policy and enforcement only needed at the edge of the network via a next generation firewall (NGFW) such as a web application firewall (WAF), or a secure access service edge (SASE). This approach of distrusting and vetting anything from the cloud, web, remote user or unrecognized device, and hardening perimeter defense, is a foundational part of zero trust. But organizations must not forget about their private networks, internal systems and server apps, which can also be vulnerable to attack.
Web Application Firewalls (WAFs), Inside and Out
A zero trust security architecture should encompass internal servers, devices, private clouds, and software APIs so that trust is vetted even in inner “trusted” circles. In this way, enterprise servers, endpoints, and user accounts that have already been compromised are monitored, scanned for intrusion, quarantined, and the intruders or malware removed before they spread, escalate privileges, steal, and cripple your organizational operations.
Traditionally, a web application firewall (WAF) provides defense of websites and web applications from hackers and malware by filtering and monitoring HTTP traffic between a web app and the Internet. The WAF protects against a variety of application layer attacks including credential theft, code injection, cross-site scripting (XSS), cookie poisoning, CSRF, SQL injection, DoS, ransomware, and more.
Unfortunately, most people deploy WAFs around assets similar to a wall around a city (see Sidebar article below). With this perimeter defense modality, once the intruder or intruders are inside the city there’s nothing beyond antivirus (AV) on endpoints to stop them. As a consequence, this strong perimeter defense is not effective against east-to-west attacks, which means they elude your walls, get inside, and move from system to system. Most large enterprise security involves perimeter thinking, except for antivirus. So, despite knowing better, many organizations apply security controls (like WAFs) only at the edge/perimeter, and there’s nothing internal to protect against east-to-west attacks, where internal access and privilege escalation is employed by an external attacker or insider threat, aka turncloak.
Too often, endpoint equals antivirus in most people’s minds, which is why they don’t think of a WAF on the server itself. WAFs should be deployed on endpoints (desktop computers, virtual machines, embedded devices, and servers), to protect against both the risk and reality of east-to-west attacks.
A WAF can be used to protect your core network computing environment against an attacker that has already penetrated the perimeter. Key endpoint protection features usually involve antivirus and antimalware, but additional threat detection and prevention should be applied. In the spirit of defense-in-depth zero trust, don’t rely on one layer of perimeter security, which can be bypassed by sophisticated hacks or the aforementioned insider attack.
The deployment of a WAF inside your enterprise network helps to monitor and filter east-west traffic, aka lateral movement. It can ensure that insider attacks, configuration errors, hijacked accounts, and ransomware don’t overtake your enterprise jewels and hold you hostage.
Atomic WAF: Affordable Zero Trust and Defense in Depth for Web Apps and Core Systems
ModSecurity, sometimes referred to as ModSec, is an open-source web security framework that when combined with rules allows users to build WAFs for free.
Atomicorp offers three solutions for your ModSecurity and WAF needs:
- Atomic ModSecurity Rules. Our most popular offering, these enable you the flexibility of still managing your own security, but with prebuilt rules and professional support at your side when you need it. Atomic ModSecurity Rules layer defense-in-depth security into the web architecture, which is especially important in cloud computing, multiple tenant environments such as Plesk, cPanel, virtualized environments, and popular web applications like WordPress, Drupal and Magento.
- Atomic ModSecurity Rules (Remote Edition) are a software-as-a-service (SaaS) version of our advanced Atomic ModSecurity Rules, preconfigured and continuously enhanced in a monthly professional service subscription. The security software is maintained and updated remotely, and the customer only has to run a script on their system to be able to employ the rules across their web servers.
- Atomic WAF is a military-grade enterprise web application firewall that protects websites, web control panels, web endpoints and web gateways with advanced detection, versatile attack surface coverage, active response, lateral protection, analysis, audit controls, and easier regulatory compliance. It comes with a console and graphical user interface to facilitate security orchestration, system governance, SIEM analysis, and decision-making.
Atomicorp provides ModSecurity-based prevention, protection and consultation in the following areas:
- Virtual patching, to analyze and block exploits without reactively making changes to your applications or source code.
- Common Weakness Enumeration (CWE) category capabilities to move beyond CVE patching.
- Exploit and vulnerability scanner blocking.
- Advanced attack blocking, such as SQLi, XSS, SSRF, and XXE.
- Proxy server abuse protection.
- Brute force protection.
- Layer 7 DoS protection.
- Real-time malware protection and malware removal.
- Content scraping protection.
- Secure Search Engine automatic whitelisting, which protects page ranking and SEO without making you vulnerable to attackers spoofing search engine requests.
Visit our website to learn more.
Atomicorp ModSecurity products and services also add:
- Geoblocking
- Credential theft prevention
- Data loss prevention
- Antispam protection
- Same-day rapid support to reduce false positives and false negatives
- Third-party real-time blackhole list (RBL) integration to easily block attackers
- Enterprise-level professional support
- Support for custom rule development
- And a management console, role-based GUI, MFA SSO, management and compliance reports, and Cloudflare integration, available in our Atomic WAF solution.
Atomicorp ModSecurity solutions support Apache, Nginx, LiteSpeed, HAProxy, Varnish, and Windows IIS, as well as container environments including Kubernetes.
Atomic ModSecurity Rules and the military-grade Atomic WAF solution come with an automatic installer (AUM), daily updates, and enterprise support. The solutions also fortify enterprise customers with real-time global threat intelligence, thousands of WAF rules, management tools, and additional capabilities to ensure your WAF is dynamic in protecting applications across the web’s wide attack surface and toward stopping a variety of attack methods, including lateral.
Discover how Atomicorp ModSecurity solutions can help you to detect and stop malicious lateral movement within your core environments.
Stay up to date with advancements in ModSecurity WAF capabilities and deployment best practices. Gain access to open source security discussions, ModSecurity tips, and advancements in protecting web architecture and data.
Join our community on Slack.
Contain Costs and Reduce Maintenance as You Protect Web Assets
Atomic ModSecurity WAF solutions represent a leading, low-cost, low-maintenance foundation for securing traffic from the internet and protecting web operations. Reduce the manual drain and limitations associated with rolling out web security with Atomicorp ModSecurity and professional support. Continuously improve, evolve, and facilitate your web security domain(s).
The Mythical Trojan Horse: A Lesson in Zero Trust and Defense in Depth
For newbies, the zero trust concept is perhaps best embodied by the ancient myth of the Trojan Horse, which according to Homer’s Iliad, the Greeks delivered during the Trojan War 32 centuries ago. This legendary hack occurred not as an obvious brute force blitz, but rather more surreptitiously and—in a few ways—from within.
First, the giant horse statue was presented as a gift, with an attached note promising something.
In the tale, the Trojans failed at this first step. They neither scanned nor checked inside the package, or packet. They trusted without doubt the incoming object at face value and did not discover the enemy warriors hiding inside the wooden beast. We might not be able to call it a pre-Internet social engineering attack, but for certain it was the first Trojan Horse exploit. Fast forward to today with all its hindsight and this email should have been filtered to Spam and deleted.
Second, stretching the metaphor further, the horse was wheeled through the gates into the city. In the cybersecurity world of today, this would be where the unscanned/poorly scanned file was accepted by the network and its users. You should always look a gift horse in the mouth, and in the face, and test it inside and out (e.g., for flaws, portals, hatches, and stowaways), and quarantine something from a known adversary long before trusting it inside the gates of the city.
Third, once inside the fortress, detection and response was slow. The Greek warriors hidden inside the massive wooden horse were able to climb out and eventually destroy the city and civilization. The applicable lesson: zero trust is just as required inside your network computing environment as it is out.
One thing Homer’s classic tale did not capture was the scenario of Greek co-conspirators already inside the city walls. In modern times, this would be enemy agents acting as employees or trusted contractors who capture sensitive information and open backdoors to enable the enemy’s invasion.
Still not licked, the Trojans could have employed a defense-in-depth strategy, and perhaps retreated inside a second inner fortress, such as a keep. We will probably never know if this happened or whether the archaeological site of the city was indeed attacked by unified Greek city-state forces or not—historians disagree on the subject. What we do know about the tale of the Trojan Horse, is a zero trust approach to security may have saved the city from the seize.
Subscribe to ModSecurity and Atomicorp news and updates.