Document on how to secure a Data-Center with non-internal people?

Started by dlots, October 16, 2015, 12:16:49 PM


dlots

We are looking at making a cloud-based system that people can sign up for that I would consider a high value target system, and I am trying to figure out how to secure it. I know basic stuff like VRFs, Firewalls, ACLs, routing/VRRP authentication, Control Plane Policing, etc, but I would really like a document from people who are "Good" at security that would give me a check-list or something.

wintermute000

Put Cloudflare or similar in front for DDoS scrubbing. Then make sure you have good layer 7 firewalls/IPS in front. Put the DNS on your load balancers via GSLB so you can scale out redundant active sites. The load balancers can actually act as a second layer of application-level filtering.
Have active monitoring on the IPS/FW and hourly updates for signatures. The good vendors will push out zero-day signatures that quick.
Make sure the IPS is tuned, the more Nazi, the better.
Backend behind a second layer of firewalls, no direct connectivity allowed from the internet zone, all comms to the DMZ must be encrypted and preferably originate from inside only, again IPS at that layer if you can. Some will say a different vendor too.
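The zone layering described in this post (internet reaches only the DMZ, backend sits behind a second firewall, DMZ traffic is encrypted and preferably backend-initiated) can be expressed as checks over a rule table. The following is an added example, not code from anyone in this thread; the `Rule` shape, the `ENCRYPTED_PORTS` set and the sample policy are all constructed assumptions.

```python
"""Audit a zone-to-zone firewall policy against a three-tier DMZ design."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One simplified policy entry: zone pair, destination port, allow/deny."""
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "allow" or "deny"


# Assumption: these destination ports carry TLS or SSH; anything else is
# treated as plaintext for the purpose of the "encrypted into DMZ" check.
ENCRYPTED_PORTS = {22, 443, 636, 993, 5671}


def audit_policy(rules):
    """Return a list of findings; an empty list means the policy matches the design."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot violate the design
        if r.src_zone == "internet" and r.dst_zone == "backend":
            findings.append(f"direct internet->backend allowed on port {r.dst_port}")
        if r.dst_zone == "dmz" and r.dst_port not in ENCRYPTED_PORTS:
            findings.append(f"plaintext {r.src_zone}->dmz allowed on port {r.dst_port}")
        if r.src_zone == "dmz" and r.dst_zone == "backend":
            findings.append(
                f"dmz-initiated connection to backend on port {r.dst_port}; "
                "prefer backend-initiated sessions"
            )
    return findings


# Constructed sample policy; the three commented rules are deliberate defects.
SAMPLE_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("internet", "dmz", 80, "allow"),        # plaintext into the DMZ
    Rule("internet", "backend", 3306, "allow"),  # bypasses the DMZ entirely
    Rule("backend", "dmz", 443, "allow"),        # inside-originated, encrypted: fine
    Rule("dmz", "backend", 5432, "allow"),       # DMZ reaching into the backend
    Rule("internet", "backend", 0, "deny"),
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_RULES):
        print("FINDING:", finding)
```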

AnthonyC

I'd second the layer 7 firewall/WAF comment; your web services and applications are probably going to be among the biggest attack vectors.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

deanwebb

Mix vendors so that an SSH vuln in one doesn't bring down the house.

Also, you will need tools for securing intellectual property, such as things that will alert on or block traffic that includes information from files that should not be copied.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.