Legacy Server Security Measures: When Firewalls Fail

by | Server Security

Takeaways:

  • Legacy servers, those too cumbersome or expensive to replace, don’t have to be vulnerable to cyber-attack when firewalls fail to protect.
  • Not all firewalls are created equal. In fact, as recent Cisco announcements proved, many firewalls are no longer supported with ongoing and evolving service.
  • A change to a server’s HOPsphere radius is the best way to limit exposure and prevent the outside from getting in – or from the inside getting out.

They call them “legacy servers,” partially out of respect. The truth is, hackers have no respect for them, and these legacy servers are often highly vulnerable. Security professionals wonder: what are the best server security measures that can be applied to a legacy server?

Is it possible to defend these vulnerable legacy servers long before the hackers come hunting? And how can I secure a server with limited budget and time?

In this column, we dig into the issue of server security measures and we’ll outline how exactly you can protect your own legacy server.

Legacy Server Security Measures: What You Need to Know

Caring for vulnerable servers, firewalls, and other aged high-tech systems that can’t yet be replaced, presents challenges for the modern information security professional. The biggest of which is that many governments and organizations don’t have the budgetary wherewithal to meet these demands head-on.

Not even federal budgets can keep up with the spending demands of reaching top-notch security standards. It can cost millions of dollars to move an application from a vulnerable computing platform to a new, (presumed) secure platform. And yet, data breaches occur on even the newest systems, most of which do a fabulous job of delivering sensitive data to determined hackers.

Think how much more vulnerable are the legacy servers without the latest technology.

What We Can Learn from Cisco

Firewalls protect, until they don’t. Perhaps the best evidence was Cisco’s announcement that all their firewalls were exploitable by the presumed National Security Agency’s (NSA) EXTRABACON exploit in August 2016.

If true, the NSA’s own exploit toolkit, which they use for breaking into systems, was allowed to get into hacker’s hands. That, to me, is the digital equivalent of handing the keys to a nuclear weapon over to a terrorist. The NSA would do well to focus on protecting servers on which they store digital weapons.

The First Day of School

Speaking at a cyberspace symposium one summer, I listened horrified as a variety of vendors—technologist, military, contractor, and security — all shared stories of cyber-criminal success, again and again. Of server security software that didn’t do its job and security measures in networks that didn’t live up to their billing.

And I knew exactly what needs to be done to stem the coming tide of firewall attacks.

I decided to do what needed doing, using the practical knowledge of TCP/IP theory (and the hope of our collective will to act!) to stop the wholesale raiding of America (and the world’s) high-value data.

“There Is Another Way”

So how do we protect our legacy, out-of-support servers, and network devices?

A parameter in a TCP/IP packet header limits how far and long a packet of data can travel on a network. When that limit (or HOPvalue) expires, routers discard the packet.

The parameter was designed to limit how long a packet could circulate, in case a loop causes a packet to circulate (or live forever). It’s an 8-bit field in the IP header. With eight bits, one can set the value from 0-255 decimal.

That means that, if a loop exists, the packet will traverse 255 router hops, decremented by one, through each router and thereby reaching zero after 255 routers. After the HOPvalue expires, the packet gets discarded by the router and will not continue to travel. That feature limits the radius of communications from anywhere in the world down to a small, safer radius of communications.

Back-end, middleware, or database servers do not need to connect directly to the end user.

No Business Communicating

Most back-end, middleware, or database servers do not need to connect directly to the end user. They are on the back-side of a web or other front-end server. Those systems have no business with a HOPvalue that allows them to communicate with hackers in their favored place — beyond the rule of law.

Faraway places mean other countries, beyond traceability or enforceability. Why are any systems with important data allowed to have a HOPvalue that allow them to communicate with, quite literally, EVERY OTHER DEVICE on the planet?

Because that’s the default value.

Back-end databases need only communicate inside the data center, not the whole world. And that limit works, even if the firewall fails!

That does not mean HOPsettings replace the need for a firewall — on the contrary, this is in addition to other security protections — but it is a powerful protection. That feature offers greater security to legacy systems, and even new systems that do not need to communicate globally.

Systems have no business with a HOPvalue that allows them to communicate with hackers in their favored place — beyond the rule of law

“One Small Step”

It takes a bit of connectivity architecture change to build a protected environment for vulnerable legacy devices. A modification of the device’s HOPsphere is required. This should be done to limit exposure to end users inside an organization—AND to protect from outside attacks on the Internet.

A server can only connect with other devices in its sphere — and if that radius only includes the data center, then it cannot send packets outside that sphere. That means it cannot be hacked directly by a rogue internal end-user outside the sphere.

Very old, vulnerable servers can instead have their HOPvalue set to one (1) and be placed on an Ethernet segment with necessary peer machines. Legacy servers can coexist securely if a little additional architecture design work is executed. This offers great hope for vulnerable systems.

And in case you weren’t sure: all systems are vulnerable.

Why do military servers have a HOP value large enough to allow foreign hacking?

From Threats Abroad

Back to the military for a moment. If the U.S. military does not want foreign governments accessing U.S. military servers, why do those military servers have a HOPvalue large enough to allow hackers access?

U.S. military bases and embassies around the world use internal networks to access U.S. servers, so they certainly don’t need to access military servers from foreign Internet providers.

This advice describes only one layer and does not offer comprehensive security but, combined with existing best practices, HOPsphere Radius Security offers a powerful additional layer to limit access to high value data.

HOPsphere Radius Security offers a powerful additional layer to limit access to high value data.

So why do new databases, middleware, and supporting machines, which only need to communicate within the data center, use a HOPvalue that allows a hacker to connect from distant places beyond the rule of law? That is a very good question, and it should be asked of the right person. Bring this article with you.

When your high-value servers are no longer reachable by hackers, they will thank you, and so will leadership and the public, which pays a heavy price for data breaches.

What do you think about this set of legacy server security measures? Could this approach help safeguard your organization? Contact us today to schedule your FREE consultation.

Keeping Data on a Short Leash to Avoid Breaches

Even the best-trained dogs have leashes while in public. Despite how much one trusts their dog to act obediently, it simply is not possible to know what kind of situations one might encounter while on a walk—maybe an enticing squirrel? A loud noise?...

HOPZERO Selected as “EMA Vendor to Watch”

Enterprise Management Associates (EMA) is a leading voice in the information security industry. With its dedication to in-depth research — and unrivaled analysis — the EMA is an important resource for data management and IT professionals...

Remembering 9/11: “Being Ready for the Call”

As we move closer to another anniversary of 9/11, I'm reminded of the opportunity my team and I had, just days after the attack, to serve my country by assisting with communication recovery for a besieged Pentagon.It was an experience I'll never forget....

Bill Alderson is CEO and co-founder of HOPZERO. He has been involved with network security since 1980, where he began analyzing secure networks for Lockheed. Formerly Technology Officer of NetQoS/CA Technologies, he is a deep packet analyst, and was an integral member of the 9/11 Pentagon restoral team. Alderson has trained over 50,000 network forensic professionals through his Certified NetAnalyst program, and has assisted 75 Fortune 100 companies with network security needs. He was deployed six times with US Central Command to Iraq and Afghanistan to provide deep packet analysis for large-scale network Department of Defense biometric network systems.