Communication defenses
Bravura Security Fabric sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials, and personal user information.
HTTPS
Require HTTPS-only connections to Bravura Security Fabric (refuse or redirect plain HTTP) and deploy TLS (SSL) certificates issued by a trusted certificate authority, not self-signed certificates, on each server.
Firewalls
If Internet access to Bravura Security Fabric is required, protect this access using a firewall:
Purchase all network hardware, including the firewall, directly from the manufacturer or from resellers the manufacturer has authorized and certified.
Always ensure the latest firmware is running.
Shut down unused physical interfaces on the device.
Implement access lists that only allow the required protocols, ports, and IP addresses and deny everything else.
Never use default usernames and/or passwords.
Monitor outbound traffic so that a compromised internal machine being used as a bot (zombie) to attack other servers is detected rather than allowed to operate unnoticed.
Use egress filtering to block all outbound traffic by default, allowing only the protocols that are actually needed, such as email and web traffic.
Consider purchasing a firewall with three connections: one for the internal network, one for the Internet, and a third for the DMZ, so that Internet-facing components are separated from the internal network.
Use NTP to synchronize the time on the firewall. This will ensure the logs have the correct timestamps.
If the firewall includes an intrusion detection system, enable and configure it.
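The access-list and egress-filtering points above amount to one policy: a three-interface firewall whose only rules are explicit allows for the connections each zone actually needs, with everything else denied. The following is an added example (not Bravura Security Fabric code and not any vendor's rule syntax) that models such a policy and evaluates constructed sample flows against it. The zone networks, the DMZ Bravura server address, the internal database address and the flows are all constructed for illustration, using RFC 5737 documentation ranges for the DMZ and Internet sides.

```python
"""Model of a three-interface (internal / DMZ / Internet), default-deny firewall policy.

Added example for this guide; it is not Bravura Security Fabric code and is not
any vendor's rule syntax. Addresses and port numbers below are constructed
(RFC 5737 documentation ranges for the DMZ and the Internet side).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones attached to the three firewall interfaces (constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
# Hosts referenced by the rules (constructed).
BRAVURA_DMZ = ipaddress.ip_network("192.0.2.10/32")   # Internet-facing Bravura server
INTERNAL_DB = ipaddress.ip_network("10.1.1.20/32")    # backend database it talks to


def zone_of(ip):
    """Map an address to the interface/zone it arrives on or leaves through."""
    ip = ipaddress.ip_address(ip)
    if ip in INTERNAL_NET:
        return "internal"
    if ip in DMZ_NET:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                                   # "tcp" or "udp"
    dst_port: Optional[int]                      # None matches any port
    src: Optional[ipaddress.IPv4Network] = None  # None matches the whole zone
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, src_ip, dst_ip, proto, dst_port):
        return (self.src_zone == zone_of(src_ip)
                and self.dst_zone == zone_of(dst_ip)
                and self.proto == proto
                and self.dst_port in (None, dst_port)
                and (self.src is None or ipaddress.ip_address(src_ip) in self.src)
                and (self.dst is None or ipaddress.ip_address(dst_ip) in self.dst))


# Every entry is an ALLOW for a new connection; anything unmatched is denied.
# Return traffic is assumed to be handled by the firewall's connection tracking.
POLICY = [
    # Inbound from the Internet: HTTPS to the DMZ Bravura server only.
    Rule("internet", "dmz", "tcp", 443, dst=BRAVURA_DMZ),
    # DMZ to internal: only that server, only to the database port.
    Rule("dmz", "internal", "tcp", 1521, src=BRAVURA_DMZ, dst=INTERNAL_DB),
    # Internal users and administrators reach the Bravura web UI in the DMZ.
    Rule("internal", "dmz", "tcp", 443, dst=BRAVURA_DMZ),
    # Egress filtering: internal hosts get web, mail and DNS to the Internet, nothing else.
    Rule("internal", "internet", "tcp", 80),
    Rule("internal", "internet", "tcp", 443),
    Rule("internal", "internet", "tcp", 25),
    Rule("internal", "internet", "udp", 53),
    Rule("internal", "internet", "tcp", 53),
]


def decide(policy, src_ip, dst_ip, proto, dst_port):
    """First matching rule allows; the implicit final rule denies everything else."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return "allow"
    return "deny"


def evaluate_flows(policy, flows):
    """Return {(src, dst, proto, port): decision} for a batch of flows."""
    return {flow: decide(policy, *flow) for flow in flows}


# Constructed sample flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet user -> Bravura UI
    ("203.0.113.5", "192.0.2.10", "tcp", 22),    # SSH from the Internet
    ("203.0.113.5", "10.1.1.20", "tcp", 1521),   # Internet straight to the database
    ("192.0.2.10", "10.1.1.20", "tcp", 1521),    # Bravura -> its database
    ("192.0.2.10", "10.1.1.21", "tcp", 1521),    # Bravura -> some other internal host
    ("192.0.2.10", "203.0.113.7", "tcp", 443),   # DMZ host calling out (possible C2)
    ("10.0.5.7", "203.0.113.7", "tcp", 443),     # workstation browsing
    ("10.0.5.7", "203.0.113.7", "tcp", 6667),    # workstation to IRC (classic bot C2)
    ("10.0.5.7", "203.0.113.7", "udp", 53),      # DNS lookup
]

if __name__ == "__main__":
    for flow, verdict in evaluate_flows(POLICY, SAMPLE_FLOWS).items():
        print(f"{verdict:5s} {flow[0]:>13} -> {flow[1]:>13} {flow[2]}/{flow[3]}")
```

Note that the DMZ server has no outbound rule to the Internet at all: if it is compromised, it cannot call home, and it can reach exactly one internal host on one port. Any vendor rule set for the three-interface firewall described above should reduce to the same table, with the deny-all as the last line rather than something that has to be remembered.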
Communicating with target systems
Avoid sending sensitive data as plaintext:
Where possible ensure that communications are encrypted.
For example, if you have an Oracle target system, the Oracle client does not encrypt its connection to the database by default. Ensure that you configure encrypted communication on the client.
When communications cannot be encrypted, you can:
Deploy a proxy server on the target system's network segment so that the proxy communicates with the primary server over a secure channel and only the short hop between the proxy and the target remains unencrypted.
Exclude that target system from password synchronization, so that user passwords are never sent to it in plaintext, and rotate its administrative passwords periodically.
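For the Oracle case above, the client-side switch is Oracle native network encryption in sqlnet.ora: SQLNET.ENCRYPTION_CLIENT defaults to ACCEPTED, which encrypts only when the server insists, so a client that is merely "configured for encryption" can still fall back to plaintext. The following added example (not Bravura Security Fabric code) parses a sqlnet.ora and reports every setting that still permits an unencrypted or unauthenticated session, comparing a weak file with a hardened one. The parameter names are real Oracle Net settings; the two sample files are constructed. It assumes native network encryption rather than TLS (TCPS), and it only checks the client side: the database server must not set its own ENCRYPTION_SERVER to REJECTED, or a REQUIRED client will refuse to connect at all.

```python
"""Audit an Oracle client's sqlnet.ora for native network encryption settings.

Added example for this guide; it is not Bravura Security Fabric code. The
parameter names are Oracle Net (sqlnet.ora) settings; the two sample files
below are constructed.
"""

# Oracle negotiates encryption from these client-side values: only REQUIRED
# makes the client refuse a session that cannot be encrypted. When the
# parameter is absent the default is ACCEPTED, i.e. encrypt only if the server insists.
STRONG_CIPHERS = {"AES128", "AES192", "AES256"}
STRONG_CHECKSUMS = {"SHA256", "SHA384", "SHA512"}


def parse_sqlnet(text):
    """Parse 'NAME = value' and 'NAME = (a, b, c)' lines into a dict.

    Values are upper-cased; parenthesised lists become Python lists. Comments
    start with '#'. Nested descriptors (ADDRESS lists etc.) are out of scope.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            value = value.upper()
        params[name.upper()] = value
    return params


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_client_encryption(text):
    """Return findings for a sqlnet.ora; an empty list means every session is
    encrypted and integrity-checked with a modern algorithm."""
    p = parse_sqlnet(text)
    findings = []

    enc = p.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED")
    if enc != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_CLIENT={enc}: set REQUIRED so the client "
                        "refuses unencrypted sessions instead of falling back")

    ciphers = p.get("SQLNET.ENCRYPTION_TYPES_CLIENT")
    if ciphers is None:
        findings.append("SQLNET.ENCRYPTION_TYPES_CLIENT unset: restrict to AES, "
                        "e.g. (AES256, AES192, AES128)")
    else:
        for alg in _as_list(ciphers):
            if alg not in STRONG_CIPHERS:
                findings.append(f"legacy cipher {alg} in SQLNET.ENCRYPTION_TYPES_CLIENT")

    # Integrity protection follows the same negotiation model as encryption.
    mac = p.get("SQLNET.CRYPTO_CHECKSUM_CLIENT", "ACCEPTED")
    if mac != "REQUIRED":
        findings.append(f"SQLNET.CRYPTO_CHECKSUM_CLIENT={mac}: set REQUIRED so "
                        "packets are integrity-checked as well as encrypted")

    macs = p.get("SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT")
    if macs is None:
        findings.append("SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT unset: restrict to "
                        "(SHA256, SHA384, SHA512)")
    else:
        for alg in _as_list(macs):
            if alg not in STRONG_CHECKSUMS:
                findings.append(f"weak checksum {alg} in SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT")
    return findings


# Constructed sample: looks "configured for encryption" but still negotiates down.
WEAK_SQLNET = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SQLNET.ENCRYPTION_CLIENT = REQUESTED          # falls back to plaintext if server declines
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128, AES256)
"""

# Constructed sample: the corrected client configuration.
HARDENED_SQLNET = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA384, SHA512)
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(f"[{label}]")
        for f in audit_client_encryption(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against the sqlnet.ora used by the Oracle client on the Bravura server (and on any proxy server that connects to Oracle targets); an empty finding list is the state to aim for before the target is put into production.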