One common mistake IT administrators make is exposing the management interfaces of their services directly to the internet. Not only is this a poor practice, but these days it can almost be considered negligent. A defense in depth example will help you understand how to better protect your systems.
Unfortunately, exposing a login without any additional security is still common. A search on Shodan.io shows 14,694 devices within the United States have the MongoDB port, tcp 27017, open directly to the internet. If you browse the results, you immediately see many servers have the tag “compromised” with administrative information about the database. It’s a simple example of why it is unwise to have an administrative login directly open to the internet, especially without any additional defensive layers.
And it isn’t just MongoDB servers. Any website, SSH, remote desktop, VNC, database, and any other login portal used to administer a service should not be directly exposed to the internet. How do you protect these crucial login portals? By applying principles of Defense in Depth.
Defense in Depth Example
Defense in depth is the idea that you apply multiple layers or controls to defend your assets. The simplified defense in depth example above shows basic practices you can use. If implemented correctly, an attacker would have to circumvent several layers of defense. Even if an administrator failed to implement one control correctly, others can compensate.
Using the example above, if an attacker discovers the server username and password, they still couldn't breach the server directly from the internet. They would have to find a way to compromise another internal machine on the correct subnet, defeat two-factor authentication, and avoid any intrusion detection tools not shown in the diagram. That is much harder than compromising a login portal that is exposed directly.
For a bare minimum defense in depth strategy, block all administrative access at the network perimeter. This significantly slows the most prevalent script kiddies and malware from quickly compromising your server. If a legitimate employee needs to administer the server remotely, have them connect over a VPN protected by multi-factor authentication.
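A quick way to check that the perimeter rule is actually in place is to audit the host firewall for ACCEPT rules that open an administrative port to any source. The script below is an added example, not from the article: it parses a constructed iptables-save dump and treats only the assumed VPN pool 10.8.0.0/24 as a legitimate management source.

```python
"""Audit an iptables-save dump for administrative ports reachable from the internet.

Added example. The ruleset and the management network below are constructed
for illustration; substitute your own `iptables-save` output and VPN pool.
"""
import ipaddress
import re

# Ports used to administer services; none of these should accept connections
# from arbitrary sources (the article's MongoDB case is TCP 27017).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 27017: "mongodb", 8443: "mgmt-https"}

# Constructed sample ruleset mixing acceptable and exposed INPUT rules.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
"""

ACCEPT_RE = re.compile(r"^-A INPUT\b(?P<body>.*)\s-j ACCEPT\s*$")

def find_exposed_admin_rules(ruleset: str, mgmt_nets):
    """Return (port, service, rule) for each ACCEPT rule on an admin port whose
    source is not confined to one of mgmt_nets (e.g. the VPN address pool)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in mgmt_nets]
    exposed = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        dport = re.search(r"--dport (\d+)", body)
        if not dport or int(dport.group(1)) not in ADMIN_PORTS:
            continue
        src = re.search(r"(?:^|\s)-s (\S+)", body)
        # A rule with no -s matches any source, the same as an explicit 0.0.0.0/0.
        src_net = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0", strict=False)
        if any(n.version == src_net.version and src_net.subnet_of(n) for n in nets):
            continue
        port = int(dport.group(1))
        exposed.append((port, ADMIN_PORTS[port], line))
    return exposed

if __name__ == "__main__":
    for port, service, rule in find_exposed_admin_rules(SAMPLE_RULES, ["10.8.0.0/24"]):
        print(f"EXPOSED {service}/{port}: {rule}")
```

Only the SSH rule restricted to the VPN pool passes; the MongoDB rule with no source, the RDP rule with an explicit 0.0.0.0/0, and the VNC rule open to a public /24 are all reported.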
Until administrators more widely adopt defense in depth, expect to see widespread malware infecting large numbers of hosts, such as the recent Mirai or NotPetya attacks. If you don’t employ a defense in depth strategy, expect to be a victim at some point.