In an n-tier architecture application, a client communicates with at least one service. This target service is hosted on a particular server.
Let us take a web application as an example. The client is the user's browser. The service exposed is a web server (Apache, Tomcat, nginx, IIS, Express, ...). A single server can host many services and expose them so they become accessible to clients over the network.
Of course, exposing a service on the internet opens up the opportunity for attackers to attack it. If they manage to compromise that service (by finding a vulnerability in the exposed application, or credentials that grant access to the network service, ...), they may retrieve sensitive information. So every service you expose increases your attack surface: you give attackers something they can target.
You should always think about reducing your attack surface. To do that, follow the process below for each of your servers:
- Identify all the exposed services.
- Go through all the exposed services, and decide whether you really need to expose them or not.
- For the services that you really need to expose, make sure they are only accessible to users who need them.
Let’s see how to accomplish each step of the process.
Identify exposed services
An easy way to identify exposed services is a network port scan. Nmap is a command line tool that scans a server and identifies the services it exposes.
To scan your server, you need to know its domain name. If you don't have one, retrieve the server's public IP address from your hosting provider's management interface.
To launch the network port scan, enter the following command line:
nmap -Pn -n -p- www.example.com
When the scan finishes, nmap shows you the list of open network ports. Note that this command scans all 65535 TCP ports only; add -sU if you also want to scan UDP ports, and -sV if you want nmap to identify the service behind each open port.
What services should you expose?
Now that you have the list of exposed services, it’s time to sort things out. You need to think clearly about your application’s needs. What services do you need to expose?
For instance, if you have a web application, you only need to expose the web service on the internet, that is, the HTTP (tcp/80) and HTTPS (tcp/443) ports.
Additionally, you might want to expose the SSH service to manage your system, but only to system administrators, not to everyone on the Internet.
Once you have defined the list of necessary services, compare it to the list of exposed services that you got from your nmap scan. You need to block access to every exposed service that is not on your "mandatory services" list.
You can do that in one of two ways:
- By blocking access via the firewall.
- By re-configuring the service so it doesn't listen on the public network interface (for example, by binding it to 127.0.0.1 or to a private interface only).
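The following script is an added example, not part of the original post: it takes the output of the nmap scan described above, extracts the open ports, and compares them with the list of services you decided to keep exposed, so that every port on neither list is reported for blocking or reconfiguration. The scan output embedded in the script is constructed for the example (it is not a real scan), and the PUBLIC_PORTS and RESTRICTED_PORTS lists are assumptions matching the web-plus-SSH case described in the text.

```shell
#!/bin/sh
# Added example, not part of the original post: compare an nmap scan result
# with the list of services you decided to expose, and report what must be
# blocked or reconfigured. The scan output below is constructed, not real.

# Constructed sample output of: nmap -Pn -n -p- www.example.com
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for www.example.com (203.0.113.10)
Host is up (0.012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
8080/tcp open  http-proxy'

# Exposure decisions (assumption: a web application plus administrator SSH).
PUBLIC_PORTS="80/tcp 443/tcp"   # reachable from the whole internet
RESTRICTED_PORTS="22/tcp"       # reachable only from administrator addresses

# Read nmap output on stdin and print "port service" for every open port.
open_ports() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { print $1, $3 }'
}

# Classify one port (e.g. 22/tcp) as public, restricted or unexpected.
classify_port() {
    for p in $PUBLIC_PORTS; do
        if [ "$p" = "$1" ]; then echo public; return 0; fi
    done
    for p in $RESTRICTED_PORTS; do
        if [ "$p" = "$1" ]; then echo restricted; return 0; fi
    done
    echo unexpected
}

# Print every open port that is on neither list: these are candidates for a
# firewall block or for binding the service to a non-public interface.
unexpected_ports() {
    printf '%s\n' "$SAMPLE_SCAN" | open_ports | while read -r port svc; do
        if [ "$(classify_port "$port")" = unexpected ]; then
            echo "$port $svc"
        fi
    done
}

# Number of unexpected ports; non-zero means the server drifted from the plan.
unexpected_count() {
    unexpected_ports | wc -l | tr -d ' '
}

echo "Open ports not on the mandatory services list:"
unexpected_ports
```

To use it against a live server, replace the embedded SAMPLE_SCAN with the real nmap output (for example by running `nmap -Pn -n -p- www.example.com > scan.txt` and piping the file into open_ports). Running the comparison periodically, and treating a non-zero unexpected_count as an alert, catches services that get exposed later by a package upgrade or a configuration change.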
Limit exposure
Make sure that you expose services only to the users who need to reach them.
For instance, in the case of a public web application, you might make the service accessible to all internet users.
For an application intended only for employees of a certain company, allow the company's public IP addresses to access the service and block all other IP addresses.
You might have an SSH service that you use to manage your server. Make it accessible only to your system administrators' public IP addresses, and block all other IP addresses.
You should always filter access in a whitelist manner: allow access from specific IP addresses and block everything else. Keep exposure to the minimum to limit the risk of an attack.
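The script below is an added example, not part of the original post: it turns the three exposure decisions above (public web ports for everyone, an employee-only application for the company's addresses, SSH for administrators only) into a whitelist-style nftables ruleset whose default policy drops everything not explicitly allowed. All addresses and the port numbers other than 80, 443 and 22 are placeholders from documentation ranges, not real values; nftables itself is the assumed firewall.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a whitelist
# (default-deny) nftables ruleset from your exposure decisions.
# Load it with:  gen_ruleset | nft -f -
# All addresses below are placeholders (documentation ranges), not real ones.

PUBLIC_TCP_PORTS="80, 443"                   # the web service, open to everyone
INTERNAL_TCP_PORTS="8443"                    # an employee-only application
COMPANY_SOURCES="192.0.2.0/24"               # the company's public address range
ADMIN_TCP_PORTS="22"                         # SSH, administrators only
ADMIN_SOURCES="198.51.100.7, 203.0.113.0/24" # administrator public addresses

# Print the ruleset. The input chain's default policy is drop, so every port
# that is not listed in an accept rule is blocked for everyone.
# Note: "ip saddr" matches IPv4 only; add "ip6 saddr" rules for IPv6 sources.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { $PUBLIC_TCP_PORTS } accept
        ip saddr { $COMPANY_SOURCES } tcp dport { $INTERNAL_TCP_PORTS } accept
        ip saddr { $ADMIN_SOURCES } tcp dport { $ADMIN_TCP_PORTS } accept
    }
}
EOF
}

# Number of accept rules in the generated ruleset (lo, established, public,
# company, admin): a quick way to spot an unintended extra rule.
accept_rule_count() {
    gen_ruleset | grep -c ' accept$'
}

# List the TCP ports the ruleset opens to any source (rules without a source
# match). Use it to verify that restricted ports never end up in this list.
ports_open_to_all() {
    gen_ruleset | grep 'tcp dport' | grep -v 'saddr' \
        | sed 's/.*dport { \(.*\) } accept/\1/' | tr ',' '\n' | tr -d ' '
}

gen_ruleset
```

Two practical points when applying a ruleset like this: `flush ruleset` replaces every existing nftables table on the host, so review the current rules first; and because the default policy is drop, load the ruleset from a console session or with a scheduled rollback, so that a mistake in ADMIN_SOURCES cannot lock you out of SSH. On cloud hosting, the provider's security groups play the same role and should be configured with the same allow-only-what-is-needed logic.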