Network and Host-Based Protection for FedRAMP Compliance

Phil Dennison

Federal Risk and Authorization Management Program (FedRAMP) compliance requires that Cloud Service Providers (CSPs) answer many questions about the state of their perimeter and interior protection posture. Is the information system boundary protected, and are mechanisms in place to both detect and block adversaries? What different types of detection and prevention mechanisms are in place? How is host-based protection handled, for both servers and containers?

This post will help CSPs answer these common questions by describing the mechanisms that need to be implemented when designing and enforcing boundary and host-based detection schemes.

Boundary Protection

Protecting the boundary is one of the most crucial things that must be planned & implemented for a FedRAMP-compliant system. Traffic must be strictly controlled, with only permitted network traffic allowed to transit the perimeter firewall. Deny-all rules need to be in place so that only explicitly permitted traffic is allowed.

This is accomplished by having specific rule sets that permit only the specific ports, protocols, & services required for the system to function. The principle of least privilege must be applied, and firewalls configured such that any ANY-ANY rule is placed at the bottom, below the DENY-ALL rule. This is crucial for ensuring that not all traffic is allowed into the system boundary.
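As an added illustration (not code from the original post), a small first-match rule evaluator and a lint for the ordering rule above; the rule model, the rule sets and the addresses are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule model for illustration; real firewall rules carry more fields.
@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR or "any"
    dst: str     # destination CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port as a string, or "any"

def is_any_any(rule):
    return (rule.src, rule.dst, rule.proto, rule.port) == ("any", "any", "any", "any")

def matches(rule, src, dst, proto, port):
    # Every field must match, with "any" acting as a wildcard.
    return ((rule.src == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(rule.src))
            and (rule.dst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst))
            and rule.proto in ("any", proto)
            and rule.port in ("any", str(port)))

def decide(rules, src, dst, proto, port):
    """First-match evaluation; an implicit deny applies if nothing matches."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"

def lint(rules):
    """Flag ordering mistakes: no terminal DENY-ALL, or a permit ANY-ANY above it."""
    findings = []
    deny_all = [i for i, r in enumerate(rules) if r.action == "deny" and is_any_any(r)]
    if not deny_all or deny_all[-1] != len(rules) - 1:
        findings.append("ruleset does not end with an explicit DENY-ALL")
    for i, r in enumerate(rules):
        if r.action == "permit" and is_any_any(r):
            if not deny_all or i < deny_all[0]:
                findings.append(f"rule {i}: permit ANY-ANY precedes DENY-ALL, so all traffic is permitted")
            else:
                findings.append(f"rule {i}: permit ANY-ANY sits below DENY-ALL and is unreachable; remove it")
    return findings

# Constructed rule sets: only HTTPS to the web tier (10.0.1.0/24) is meant to be allowed.
GOOD = [Rule("permit", "any", "10.0.1.0/24", "tcp", "443"),
        Rule("deny", "any", "any", "any", "any")]
BAD = [Rule("permit", "any", "10.0.1.0/24", "tcp", "443"),
       Rule("permit", "any", "any", "any", "any"),   # catch-all permit left above DENY-ALL
       Rule("deny", "any", "any", "any", "any")]
```

Running `lint(BAD)` reports the shadowing permit, and `decide(BAD, ...)` shows SSH from the internet being permitted even though the intent was HTTPS only.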

IPS/IDS

Intrusion Protection Systems (IPS) or Intrusion Detection Systems (IDS) must be implemented within the FISMA/FedRAMP boundary. This is covered by the System & Information Integrity SI-4 control. IDS and IPS can be separate devices or built into edge firewalls (e.g., so-called “Next Generation” Firewalls), depending on the manufacturer.

The difference between the two is simple: an IPS can block network traffic, both inbound and outbound, whereas an IDS only detects the network traffic going in or out of the boundary. An IPS is installed inline so that it can inspect all network packets and block unauthorized traffic based on customizable rules or signatures. An IDS is passive and only monitors the traffic going in & out of the perimeter firewalls. An IDS can also be fed from SPAN ports on firewalls that mirror network packets or firewall traffic.

Think of IPS rules as the outer doors to your home. You want those doors secured with locks, steel deadbolts, etc. Only individuals authorized with keys or combinations can enter.

The same principle should be applied to setting up & configuring IPS on your perimeter devices. Having IPS-specific rules for blocking well-known attacks (e.g., SQL injection, insecure protocols, security misconfigurations, etc.) helps to solidify the security of the boundary and the information system. An IDS in the same illustration would be a doorbell camera that shows what traffic is entering and leaving but does nothing to prevent or block unauthorized entry.

Signature- vs Heuristics-Based Detection

A key thing to remember when implementing an IPS or IDS for boundary protection/detection is that FedRAMP requires both signature- and heuristics-based approaches to be applied. Signature-based protections defend against well-known attacks. Heuristics-based detection uses several different techniques to identify potential attacks, including zero-day attacks. A zero-day attack exploits a previously unknown attack vector for which no signature has yet been created. Establishing baselines assists heuristics-based protection by detecting any anomalies from the established baseline of typical events.
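To make the two approaches concrete, here is an added example (not from the original post) that runs a few constructed request-log events through both a signature check and a baseline-based heuristic; the signature patterns, baseline history and event data are all constructed for the illustration:

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed signatures: patterns for a few well-known web attack strings in request URIs.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
}

def signature_hits(uri):
    """Signature-based detection: known-bad patterns only, after URL-decoding."""
    decoded = unquote(uri)   # "%20" encoding must not hide a known pattern
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]

def build_baseline(history):
    """Heuristic baseline from per-interval request counts seen during normal operation."""
    return statistics.fmean(history), statistics.pstdev(history)

def is_anomalous(count, baseline, sigma=3.0):
    """Flag a count more than `sigma` standard deviations above the baseline mean.
    The deviation is floored at 1 so a perfectly flat baseline does not alert on +1."""
    mean, stdev = baseline
    return count > mean + sigma * max(stdev, 1.0)

def analyze(events, baseline):
    """events: list of (source_ip, request_uri). Returns (method, source, detail) alerts."""
    alerts = []
    for src, uri in events:
        for sig in signature_hits(uri):
            alerts.append(("signature", src, sig))
    for src, count in Counter(src for src, _ in events).items():
        if is_anomalous(count, baseline):
            alerts.append(("heuristic", src, f"{count} requests in interval exceeds baseline"))
    return alerts

# Constructed data: normal per-interval counts, then one interval of traffic to inspect.
HISTORY = [12, 15, 11, 14, 13, 12, 16, 14]
EVENTS = ([("203.0.113.7", f"/catalog?page={i}") for i in range(25)]        # burst, no known signature
          + [("198.51.100.3", "/search?q=1%20union%20select%20password")]  # known signature, one request
          + [("192.0.2.9", "/index.html")])
BASELINE = build_baseline(HISTORY)
ALERTS = analyze(EVENTS, BASELINE)
```

The burst source is caught only by the heuristic, the single injection attempt only by the signature; neither method alone would have produced both alerts.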

Host-Based System Security

Trellix ePolicy Orchestrator (ePO) – also called the Host-Based Security System (HBSS) – is an all-in-one solution that can be used for Windows- & Linux-based systems. HBSS allows a customer to add modules such as Host-Based Intrusion Detection/Protection (HIDS/HIPS) as well as antivirus solutions. This suite of tools allows the customer to customize and implement the solutions required for the security of the system environment and to meet FedRAMP control parameters.

Centrally managing all systems with one product provides easier monitoring and management of systems to ensure security compliance. When you split host security across different solutions, it can be a logistical nightmare depending on the number of components within the information system boundary. One benefit of using host-based detection & protection is that you can restrict which system components can communicate with each other, in a layered defense-in-depth approach.

By having that layered defense-in-depth approach, if one layer is breached by an adversary, they are hopefully blocked by the second layer while security personnel are being alerted. Going back to the example above about locks & doors protecting the boundary, think of host-based protection as a watchdog or a security guard. If that first barrier or layer is breached (locks, deadbolts, etc.), there is still additional protection. Setting up host-based firewall rules takes time but is worth the cost & manpower to implement in order to have a secure information system.

Alert Notifications

Notifications & central monitoring/alerting are just as important as having detection or protection in place. If neither alerting nor monitoring is in place, then security staff might remain oblivious to ongoing cyberattack activity.

That said, for FedRAMP it is important for compliance that no metadata goes outside of the boundary. This includes hostnames, IPs, usernames, etc. If emails are being sent outside of the boundary to alert personnel of potential incidents or anomalies, they must be stripped of this metadata. As an example, if an alert message must be sent to a system outside the FedRAMP boundary, the message contents must be restricted to something like “look in the IDS console for a potential risk”.
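As an added example (not from the original post) of the metadata-stripping rule, the snippet below redacts IPs, inventoried hostnames and usernames from an alert body, gates an outbound notifier on the result, and builds the console-pointer message the post recommends; the regex patterns, the sample alert and the host/user inventory are constructed:

```python
import re

# Constructed patterns: IPv4 literals and "user=<name>"-style fields. Hostnames and usernames
# are matched against an inventory rather than guessed, since a regex cannot know them.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_KV = re.compile(r"\b(user(?:name)?|account)\s*[=:]\s*\S+", re.I)

def redact(text, hostnames=(), usernames=()):
    """Return text with IPs, inventoried hostnames and usernames replaced by placeholders."""
    out = IPV4.sub("[ip]", text)
    out = USER_KV.sub(r"\1=[user]", out)
    for host in sorted(hostnames, key=len, reverse=True):   # longest first so sub-names come last
        out = re.sub(re.escape(host), "[host]", out, flags=re.I)
    for user in sorted(usernames, key=len, reverse=True):
        out = re.sub(r"\b" + re.escape(user) + r"\b", "[user]", out, flags=re.I)
    return out

def contains_boundary_metadata(text, hostnames=(), usernames=()):
    """Gate for an outbound notifier: True if anything in the text would have been redacted."""
    return redact(text, hostnames, usernames) != text

def external_notification(alert_id, severity):
    """What actually leaves the boundary: a pointer to the console, no system details."""
    return f"Alert {alert_id} ({severity}): look in the IDS console for a potential risk"

# Constructed sample: the full alert as it would appear inside the boundary.
INTERNAL_ALERT = ("IDS rule 2001219 fired: host web01.agency.internal (10.0.1.10) "
                  "user=jdoe from 203.0.113.5")
KNOWN_HOSTS = {"web01.agency.internal"}   # e.g. from the system inventory / CMDB
KNOWN_USERS = {"jdoe"}
```

Pattern-based redaction is best effort (a hostname missing from the inventory would pass through), which is why the fixed pointer message is the safer thing to send outside the boundary.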

Contact Us to Get Started

Ensuring boundary & host-based protection is essential to securing the system boundary. Contact 38North Security for all your advisory needs to secure your system at the boundary and system component level, as well as getting the system audit ready!

About the Author
Phil Dennison