Steve's Stuff

Random postings of tech and other life things…

Maximizing Server Security: The Power of Microsegmentation Strategies

I work in a small IT department, and about a decade ago we dove into the microsegmentation world. With the news constantly covering breaches, security vulnerabilities, and the general world of hacking, moving to a microsegmented server network made a lot of sense. It reduces the attack surface, prevents lateral movement, and provides many advantages over the typical flat networks most people are probably accustomed to. But it doesn’t come without its own challenges and hurdles. I’ll cover the lessons we’ve learned, how we’ve addressed those challenges, and the working playbook we arrived at to make this system work on a regular basis.

As a server engineer, I’ve spent most of my career inside a server or workstation OS of some type and initially didn’t really understand how networks worked. The network was just the thing that was there to make my servers talk to other devices. After 10 years of living in this environment, a few things quickly became essential to being successful in this type of environment:

  • Fundamentals: A basic understanding of the fundamentals of the technology is a must
  • Documentation: Vendor documentation becomes essential
  • Logging: A good logging strategy is needed to understand what’s happening in the environment
  • Practice makes perfect: Taking a playbook from Tom Cruise’s movie Edge of Tomorrow: Live. Die. Repeat.

Fundamentals
First and foremost, having a good understanding of the technology and the general concept of how things work is very important. When you don’t know how the technology works, it becomes very confusing to understand why something is happening in the environment. For example, if ICMP is blocked from the user network to a server, then pinging the server will fail. But if port 443/tcp is open, you can still browse to a website on that server on that port even though you can’t ping it. If you don’t understand that ICMP is different from SSL/TLS traffic over port 443, this can be a confusing situation for sysadmins and engineers working in the space. Here are a few tips that can help you be successful if you’re in an environment like this:

  1. Get to know the environment that you’re in
    • Get a network diagram or topology of the layout. Understand what stands between point A and point B. This will help you understand what hurdles you have to clear.
  2. Get a general understanding of the type of firewalls being used in the environment.
    • Are they next-gen firewalls that identify the type of traffic traversing the firewall? Or is it just based on ports being opened or closed?
    • A next-gen firewall can identify the type of traffic passing over a certain port and allow the “application” along with the port number. This extra layer of checking prevents certain malicious actors from tunneling traffic over an open port that is not intended for that function, which would otherwise allow undesired actions to occur.
  3. Understand whether ICMP is open and pinging things is expected to work, or whether it is blocked and not allowed. Note: we allow ICMP internally for everything as an easy method for troubleshooting.
  4. Understand the basics of network routing: On the surface, a routing problem can look like a firewall block. This can be a challenging issue to understand and to convey to the network engineering team. If ICMP is open, that helps troubleshooting: being able to ping a device means that you have a route to reach that device. If another service on another port isn’t working, that makes it easier to know that a firewall is preventing it. If pinging fails, it could instead mean a routing issue. Running a traceroute to review the path the traffic is taking is helpful to the network engineer trying to understand the issue.
  5. Hold regular training sessions internally to make sure everyone understands the fundamentals and knows how to test for the specific problem being experienced. This is very important to being successful.
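
The decision tree in tips 3 and 4 (ping works plus silence on the port points at a firewall drop; no ping and no answer points at routing) is easy to get wrong under pressure, so here it is as a small triage script. This is an added example, not code from the original post; it assumes a Unix-like `ping` binary that accepts `-c` and otherwise uses only the Python standard library. The probe names and diagnosis strings are mine.

```python
"""Connectivity triage for a microsegmented network.

Added example, not code from the original post. It encodes the
troubleshooting logic from the Fundamentals section: a TCP connect tells
you whether a port is reachable, ICMP (when allowed) tells you whether a
route exists, and the combination points at routing vs. firewall problems.
Assumes a Unix-like `ping` binary that accepts `-c`; nothing else is needed.
"""
import shutil
import socket
import subprocess
from typing import Optional


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and classify what came back.

    "open"        handshake completed, the service is reachable
    "refused"     host answered with RST: the route works, nothing listens
                  on that port (or the firewall is set to reject, not drop)
    "filtered"    no answer before the timeout: a firewall DROP or a
                  missing route somewhere on the path
    "unreachable" the local stack has no route to the host at all
    "unresolved"  the name did not resolve; fix DNS before blaming a firewall
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # TimeoutError on Python 3.10+, same class
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError:                 # e.g. EHOSTUNREACH / ENETUNREACH
        return "unreachable"


def icmp_probe(host: str, timeout: float = 2.0) -> Optional[bool]:
    """Send one ICMP echo via the system ping binary.

    True/False for reply/no reply; None when ping is unavailable so that the
    caller treats ICMP as unknown instead of guessing.
    """
    if shutil.which("ping") is None:
        return None
    try:
        result = subprocess.run(
            ["ping", "-c", "1", host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout, check=False,
        )
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0


def classify(icmp_ok: Optional[bool], tcp_result: str) -> str:
    """Turn the two probe results into the next troubleshooting step."""
    if tcp_result == "unresolved":
        return "DNS: name does not resolve; not a firewall or routing problem"
    if tcp_result == "unreachable":
        return "Routing: local stack has no route to the host; talk to the network team"
    if tcp_result == "open":
        if icmp_ok is False:
            return "Reachable: service answers even though ICMP is blocked (normal in a segmented network)"
        return "Reachable: service answers on that port"
    if tcp_result == "refused":
        return "Route OK: host answered with a reset; nothing is listening on that port (or the rule rejects instead of dropping)"
    # tcp_result == "filtered": silence on the port
    if icmp_ok is True:
        return "Firewall: ping works so the route exists, but the port is silently dropped; request a rule"
    if icmp_ok is False:
        return "Routing?: no ping and no TCP answer; run traceroute before filing a firewall request"
    return "Unknown: port is silently dropped and ICMP status unknown; run traceroute to check the route"


def triage(host: str, port: int) -> dict:
    """Run both probes and return the diagnosis alongside the raw results."""
    tcp_result = tcp_probe(host, port)
    icmp_ok = None if tcp_result == "unresolved" else icmp_probe(host)
    return {"host": host, "port": port, "tcp": tcp_result, "icmp": icmp_ok,
            "diagnosis": classify(icmp_ok, tcp_result)}


def demo_local_probe() -> tuple:
    """Self-check on loopback: a live listener reads as "open", and the same
    port reads as "refused" once the listener is gone (no network needed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(triage(target_host, target_port))
```

Run it as `python triage.py server.example 443` and paste the diagnosis line into the ticket; the distinction between "refused" (the host answered, so the route is fine) and "filtered" (silence) is what saves a round trip with the network team.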

Documentation
Vendor documentation: Anyone who has spent time in the IT world has come to know vendor documentation. There are varying levels of competent documentation, but every vendor should provide some type of information about their application. Included in this documentation should be the network ports required for the application to function as expected: the source, the destination, the port number, and the protocol it uses. Almost all apps will need a default set of ports open to function as expected (DNS, NTP, Active Directory if it’s used, etc.), as well as custom ports specific to the application. Knowing the traffic flow is very important to understanding what you need to request (e.g. does the server start the communication to the laptop, or does the laptop start the communication to the server?). A short list of typical ports (there are dozens of others):

  • 21 – FTP, File Transfer Protocol
  • 22 – SSH, Secure Shell
  • 23 – Telnet
  • 25 – SMTP, Simple Mail Transfer Protocol
  • 53 – DNS, Domain Name System
  • 80 – HTTP
  • 110 – POP3, Post Office Protocol
  • 123 – NTP, Network Time Protocol
  • 443 – HTTPS, HTTP over TLS/SSL
  • 3389 – RDP, Remote Desktop Protocol

Internal documentation: In conjunction with the vendor documentation, you should develop a good strategy for internal documentation. This helps engineers working in the environment understand what is set up and what the expected behavior is. You also have to make sure that you have a good procedure to deal with blocks and issues as they arise. We have an internal wiki where we try to document each application, the servers running it, and the custom firewall rules required for it to function.

Logging
At the core of all of this is having a good logging strategy in place so that everyone, not just the network engineers, is able to see the firewall or network security device logs and understand what’s happening. We use Splunk as our syslog system, and all users have read-only rights to the logs. This allows anyone to search the firewall logs to see whether attempted connections were allowed or blocked. Understanding the logs starts with the first bullet point: a solid understanding of the fundamentals.
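
The Documentation and Logging sections fit together: once each application’s required flows live in the wiki and everyone can read the firewall logs, the two can be compared mechanically. The following is an added example, not code from the original post or from any firewall vendor. The key=value syslog shape, the rule list and the sample log lines are all constructed for the example; a real firewall export (and Splunk’s field names) will differ, so `LOG_RE` is the part you would adapt. It flags documented flows that are being blocked (the rule was never deployed, or was changed) and allowed flows that nobody documented (drift).

```python
"""Audit firewall logs against the internally documented rules.

Added example, not from the original post or any vendor. The syslog line
format, the rule list and the log lines are constructed for this example;
real firewall exports and Splunk field names differ, so LOG_RE is the part
to adapt.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: what the internal wiki says each application needs.
# dport=None means "any port" (used for the ICMP troubleshooting allowance).
DOCUMENTED_RULES = [
    {"app": "intranet-web",  "src": "10.10.0.0/16", "dst": "10.20.3.10/32",  "proto": "tcp",  "dport": 443},
    {"app": "dns",           "src": "10.0.0.0/8",   "dst": "10.20.1.53/32",  "proto": "udp",  "dport": 53},
    {"app": "ntp",           "src": "10.0.0.0/8",   "dst": "10.20.1.123/32", "proto": "udp",  "dport": 123},
    {"app": "icmp-internal", "src": "10.0.0.0/8",   "dst": "10.0.0.0/8",     "proto": "icmp", "dport": None},
]

# Constructed key=value syslog shape; adapt this to the real firewall's export.
LOG_RE = re.compile(
    r"action=(?P<action>allow|block)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?"
)


@dataclass
class Flow:
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[Flow]:
    """Extract a Flow from one log line, or None if it is not a firewall event."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:          # malformed address: treat as unparsed, not as a flow
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return Flow(m["action"], src, dst, m["proto"].lower(), dport)


def matching_rule(flow: Flow) -> Optional[dict]:
    """Return the first documented rule that covers this flow, if any."""
    for rule in DOCUMENTED_RULES:
        if rule["proto"] != flow.proto:
            continue
        if rule["dport"] is not None and rule["dport"] != flow.dport:
            continue
        if flow.src in ipaddress.ip_network(rule["src"]) and flow.dst in ipaddress.ip_network(rule["dst"]):
            return rule
    return None


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket each log line by how it compares with the documentation."""
    buckets: Dict[str, List[str]] = {
        "ok": [],                      # allowed and documented
        "expected-block": [],          # blocked and undocumented: policy working
        "documented-but-blocked": [],  # wiki says allow, firewall says block
        "undocumented-allow": [],      # firewall allows something the wiki lacks
        "unparsed": [],                # not a firewall event in this format
    }
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            buckets["unparsed"].append(line)
            continue
        documented = matching_rule(flow) is not None
        if flow.action == "allow":
            buckets["ok" if documented else "undocumented-allow"].append(line)
        else:
            buckets["documented-but-blocked" if documented else "expected-block"].append(line)
    return buckets


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z fw01 action=allow src=10.10.1.5 dst=10.20.3.10 proto=tcp dport=443",
    "2024-05-01T08:00:02Z fw01 action=block src=10.10.1.5 dst=10.20.1.53 proto=udp dport=53",
    "2024-05-01T08:00:03Z fw01 action=allow src=10.10.1.5 dst=10.20.3.10 proto=tcp dport=3389",
    "2024-05-01T08:00:04Z fw01 action=block src=10.10.1.5 dst=10.20.3.10 proto=tcp dport=22",
    "2024-05-01T08:00:05Z fw01 action=allow src=10.10.1.5 dst=10.20.3.10 proto=icmp",
    "2024-05-01T08:00:06Z fw01 kernel: link up on eth0",
]

if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_LOG).items():
        for entry in entries:
            print(f"{bucket:24} {entry}")
```

The two buckets worth a ticket are `documented-but-blocked` (the DNS line above: the wiki promises the flow, the firewall disagrees) and `undocumented-allow` (the RDP line: something is permitted that the wiki never recorded). Everything in `expected-block` is the segmentation doing its job, and is also the list of flows a new application owner would need to request.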

Practice Makes Perfect
As with anything you do, whether dieting, playing a musical instrument, or learning a new skill, practice makes perfect. When you first start down the path of microsegmentation, you have to understand that you’re probably not going to be successful right at the beginning. There are going to be learning pains, new challenges, and a different way of thinking than you’ve become accustomed to. So going into it, you have to acknowledge that you will probably have multiple challenges to overcome. Setting up good processes and a good framework before moving into the rollout will determine whether you’re successful.

What I Use

I thought I would put this post here more as a way for me to keep a running list of what I have and what I’m using. This is by no means a complete list, but I’ll update it over time in an attempt to get it there.

Computers

I used to use 2 different computers, a primary, more powerful desktop and a less powerful portable laptop. With the introduction of Apple Silicon I’ve decided to collapse both of those into a more powerful laptop as my primary computer. I’ve recently gotten the Apple MacBook Pro “M2 Pro” 10 CPU/16 GPU 14″. I opted for the Pro with the M2 Pro processor to have native support for multiple monitors. I have the model with 16GB of RAM and a 512GB SSD. This has been an amazing laptop so far and I can’t recommend it highly enough. I’ve also picked up the Apple Studio Display and replaced my dual monitor setup with the single 27″ monitor and the laptop on a laptop stand. This is probably the best monitor I’ve ever owned and fits in perfectly with my setup. I’ve also been plugging this monitor into my work Dell laptop and it’s working just as you would expect.

I also have a gaming computer that I built circa 2019. While it’s now 6 years old, it’s still working well for things that require Windows, as well as gaming via Steam, Xbox, and retro emulation using LaunchBox. If you are a gamer and enjoy retro games you should definitely check out LaunchBox. It’s been by far the best and easiest way to enjoy retro games. My gaming computer is using the following hardware:

  • MSI MPG Z390 GAMING PRO CARBON ATX LGA1151 Motherboard
  • Intel Core i7-9700K 3.6 GHz 8-Core Processor
  • Corsair Vengeance RGB Pro 32 GB (2 x 16 GB) DDR4-3200 CL16 Memory
  • Samsung 970 Evo Plus 1 TB M.2-2280 PCIe 3.0 X4 NVME Solid State Drive
  • NVIDIA – GeForce RTX 4070 SUPER 12GB GDDR6X Graphics Card – Titanium/Black
  • DIYPC Ranger-R4 ATX Mid Tower Case

Peripherals

While docked at the desk, my keyboard is the Logitech MX Keys Mini. While it’s not a perfect keyboard, it is very affordable and can pair with 3 different devices, which allows me to swap between my personal Mac laptop and my work Dell laptop. The mouse I have at my desk is the Logitech MX Master 3 Mac. I also keep the Apple Magic Trackpad to the side for any gestures that may be easier on the trackpad than with the mouse.

On my gaming computer, I’m using the Razer – Huntsman Elite Full Size Wired Opto-Mechanical Clicky Switch Gaming Keyboard with RGB Chroma Backlighting – Black, and for a mouse I’m using the Razer – Basilisk V2 Wired Optical Gaming Mouse – Wired – Black.

Phone

I recently upgraded (December 2023) to an Apple iPhone 15 Pro 512GB in Titanium Blue. I have found iOS to be very stable and reliable in the years that I’ve been using it. My previous phone was a 128GB model and I regretted not getting more storage, so I made sure to remedy that this time around. (Whoever thought that 128GB of storage on a phone would be considered “small”?)

Tablet

I have a space gray Apple iPad Pro (2018) in 256GB with Verizon cellular, attached to the Magic Keyboard and Apple Pencil. The iPad has become my right-hand man, so to speak, as I have it with me everywhere I go. I find the extra screen real estate compared to the iPhone worth the extra weight and bulk of the iPad.

I also have and use an Apple iPad mini 6th generation for content consumption and casual usage. Its size is great, which makes it much more portable than the 11-inch one.

Software

I’ve been slowly building a list of useful software tools to use in my daily activities. I’m always on the lookout for anything that can help make things easier or more streamlined.

  • 1Password – These days, a password manager is a must. With website breaches becoming more and more common, using the same password on multiple sites is a terrible idea. With desktop and mobile OSes embracing password managers and integrating them more naturally for use, the argument against using one is becoming harder and harder. I’ve chosen 1Password and have used it for years. It’s a subscription and I pay each year for the family plan. It is also OS agnostic as there’s clients for every main platform. Highly recommended.
  • Alt-Tab – This is a useful tool to give you a better look at switching apps on the Mac, much like it does on the Windows side. You get a thumbnail of the screen from each app. And better yet, it’s free!
  • Bartender 4 – This is another Mac app that cleans up your menu bar: it displays only the icons you want and tucks away the others for when you need them. It’s a must-have if you have sprawl up there, and it keeps things organized. It’s also highly customizable (e.g. you can display the battery icon while running on battery, but tuck it under the menu when charging). It’s a $16 one-time fee, but once you adjust it’s hard to stop using it.
  • Etcher – When working with ISO files to make bootable USB drives, Etcher is a simple but effective application to get that done. There’s always the CLI option of dd for anyone versed in the command line, but if you’re looking for a simple interface to do the same thing, check out Etcher.
  • ExpressVPN – I signed up for a trial of ExpressVPN and now it’s a constant thing I make sure to install on all of my devices. With public hotspots not being very trustworthy, it’s nice to have a VPN you can use. ExpressVPN makes it seamless, and most of the time I don’t even realize I’m on the VPN until I check, due to how fast it is.
  • iMovie – I’ve been starting to play around with video editing and recording more video. So I’ve started using iMovie as a way to cut and build custom movies with it.
  • NetNewsWire – I’ve been using this on the PC and on mobile/tablet for a few years now. For an RSS reader it’s a great tool and is very fast at downloading and swiping through articles.
  • Quicken Classic – Yes, I am that guy that still manages his finances via a local Quicken application on the computer. I know most have moved to cloud based or online programs for this, and I also use Mint for several things in conjunction with this. But the ability to have a calendar with all my bills laid out, reports of past spending, and having it all local to me, is still a nice thing for me. Maybe one day I’ll join the others but for now I still enjoy having this.
  • Reeder – I have recently switched my RSS app over to Reeder on both the Mac and the iOS/iPadOS side. I really like the look and feel of it and appreciate the effort they’ve put in to make this an enjoyable app.

Note: some links above are tied to my Amazon affiliate account and I do get paid a small fee from following the links. I appreciate your support.
