Implementing Best Practices

Basic Hygiene

Visibility
  1. Log events related to all applications, the load balancing software, and the host operating system.

  2. Alert on:

    1. Administrative access from public sources.

    2. Administrative logins from new sources.

    3. Security policy violations related to administrative and application access.

    4. Connections from and to new geographies.

    5. Unscheduled changes to configurations and network policies.
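As an added example (not part of the original guidance), the following Python script shows the first two alert rules applied to a constructed sample of load-balancer admin-interface access events: it flags any access from a source outside the organisation's internal ranges and any successful login from a source a given administrator has not used before. The internal ranges, the baseline of known sources, and the log format are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample of admin-interface access events
# (timestamp, source IP, admin user, outcome). Not from any real system.
SAMPLE_ADMIN_LOG = """\
2024-05-01T08:00:00+00:00 10.20.0.15 alice success
2024-05-01T08:05:00+00:00 10.20.0.15 alice success
2024-05-01T09:10:00+00:00 203.0.113.7 alice success
2024-05-01T09:12:00+00:00 10.20.0.99 bob failure
2024-05-01T09:13:00+00:00 10.20.0.99 bob success
"""

# Networks the organisation treats as internal (assumption: RFC 1918 space).
# Anything outside these ranges is a "public source" for alerting purposes.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Baseline of sources each administrator has previously logged in from (constructed).
KNOWN_SOURCES: Dict[str, Set[str]] = {"alice": {"10.20.0.15"}, "bob": set()}


def is_public_source(ip: str) -> bool:
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def parse_event(line: str) -> dict:
    ts, src, user, outcome = line.split()
    return {"ts": ts, "src": src, "user": user, "outcome": outcome}


def review_admin_access(log_text: str, known_sources: Dict[str, Set[str]]) -> List[dict]:
    """Return alerts for admin access from public sources and for logins from
    sources not previously seen for that user. The baseline is copied so the
    caller's dictionary is not mutated."""
    seen = {user: set(srcs) for user, srcs in known_sources.items()}
    alerts: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Any admin-interface access from outside internal space is alerted,
        # whether or not the login succeeded.
        if is_public_source(ev["src"]):
            alerts.append({"type": "public_source", **ev})
        # A successful login from a source this user has never used before is a
        # new-source alert; failed attempts do not enter the baseline.
        user_seen = seen.setdefault(ev["user"], set())
        if ev["outcome"] == "success" and ev["src"] not in user_seen:
            alerts.append({"type": "new_source", **ev})
            user_seen.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for a in review_admin_access(SAMPLE_ADMIN_LOG, KNOWN_SOURCES):
        print(f"{a['ts']} {a['type']:<14} user={a['user']} src={a['src']}")
```

In the sample, alice's login from 203.0.113.7 raises both a public-source and a new-source alert, while bob's first successful login from 10.20.0.99 raises only a new-source alert; the preceding failed attempt from the same address is internal and is not a login, so it is not alerted by these two rules. In a real deployment the baseline would be persisted and the internal ranges would include the administrative segment described under Segmentation.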

Default Deny
  1. Block administrative access from public networks.

  2. Block unsolicited connections to public systems unless required for an application to operate.

Least Privilege
  1. Limit administrative access to authorized, trained personnel.

Segmentation
  1. Deploy load balancers in segments dedicated to application hosting.

Configuration
  1. Disable unused load balancing features.

  2. Disable unused software related to the host operating system. Conduct load balancing from a dedicated system that does not perform other functions.

Advanced Hygiene

Visibility
  1. Log network traffic using either flows or packet captures.

  2. Alert on:

    1. Long-lived network sessions.

    2. Sessions that move substantial amounts of data.

    3. Network sessions that are absent from other system activity logs.

    4. Software crashing, stopping, or restarting.
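As an added example (not part of the original guidance), the Python script below runs the first three of these alerts over constructed flow records and a constructed application access log for the same server: it flags sessions that exceed a duration threshold, sessions that move more than a byte threshold, and flows for which the application logged no request from that client while the flow was open. The record formats and both thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed flow records for traffic reaching the application VIP
# (flow id, client, server:port, start, end, bytes). Not real data.
SAMPLE_FLOWS = """\
f1 10.1.1.5 10.2.0.10:443 2024-05-01T12:00:00+00:00 2024-05-01T12:05:00+00:00 204800
f2 10.1.1.6 10.2.0.10:443 2024-05-01T08:00:00+00:00 2024-05-01T14:00:00+00:00 52428800
f3 10.1.1.7 10.2.0.10:443 2024-05-01T13:00:00+00:00 2024-05-01T13:10:00+00:00 943718400
f4 10.1.1.8 10.2.0.10:443 2024-05-01T13:20:00+00:00 2024-05-01T13:22:00+00:00 10240
"""

# Constructed application access log (timestamp, client, request) for the
# same server. Flow f4 has no counterpart here.
SAMPLE_APP_LOG = """\
2024-05-01T12:01:00+00:00 10.1.1.5 GET /login
2024-05-01T08:30:00+00:00 10.1.1.6 GET /reports/export
2024-05-01T13:02:00+00:00 10.1.1.7 POST /upload
"""

# Assumed thresholds; tune them to the application's normal session profile.
LONG_SESSION = timedelta(hours=4)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024


@dataclass
class Flow:
    flow_id: str
    client: str
    server: str
    start: datetime
    end: datetime
    nbytes: int

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fid, client, server, start, end, nbytes = line.split()
        flows.append(Flow(fid, client, server, datetime.fromisoformat(start),
                          datetime.fromisoformat(end), int(nbytes)))
    return flows


def parse_app_log(text: str) -> List[Tuple[datetime, str]]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _request = line.split(maxsplit=2)
        entries.append((datetime.fromisoformat(ts), client))
    return entries


def corroborated(flow: Flow, app_entries: List[Tuple[datetime, str]]) -> bool:
    """A flow is corroborated when the application logged a request from the
    same client while the flow was open."""
    return any(client == flow.client and flow.start <= ts <= flow.end
               for ts, client in app_entries)


def review_flows(flow_text: str, app_log_text: str) -> List[Tuple[str, str]]:
    """Return (flow id, finding) pairs for long-lived sessions, large
    transfers, and flows absent from the application log."""
    app_entries = parse_app_log(app_log_text)
    findings = []
    for flow in parse_flows(flow_text):
        if flow.duration > LONG_SESSION:
            findings.append((flow.flow_id, "long_lived_session"))
        if flow.nbytes > LARGE_TRANSFER_BYTES:
            findings.append((flow.flow_id, "large_transfer"))
        if not corroborated(flow, app_entries):
            findings.append((flow.flow_id, "no_application_log"))
    return findings


if __name__ == "__main__":
    for fid, finding in review_flows(SAMPLE_FLOWS, SAMPLE_APP_LOG):
        print(fid, finding)
```

The third check is the interesting one: a flow to the application port that the application itself never recorded is evidence that the traffic was handled by something other than the expected application path, which is exactly the gap this alert is meant to expose. The check assumes the load balancer preserves the original client address in the application log (for example via a forwarded-for header); where it does not, the correlation must be done on the load balancer's own session identifiers instead.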

Default Deny
  1. Block administrative access from internal networks other than segments used for administrative work or bastion hosts.

  2. Block unsolicited connections to internal systems unless required for an application to operate.

  3. Deploy a database firewall or similar application layer policy enforcement. Restrict application calls to the minimum set necessary for operation.

Least Privilege
  1. Restrict admin users to specifically authorized objects related to their role via role-based access control features.

  2. Restrict any superuser accounts to "break-glass" usage.

    1. Configure complex, random passwords for superuser accounts.

    2. Provision unique privileged accounts for each authorized administrator.

Segmentation
  1. Deploy load balancers in dedicated network segments.

  2. Deploy application servers in dedicated segments.

Configuration
  1. Uninstall unused software features if supported.

Resilient Operations

Visibility
  1. Implement behavior analysis.

    1. For internal applications (public applications may make these analytics difficult):

      1. Alert based on "superman" user access rules, e.g., from impossible geographic sources based on time and distance.

      2. Track geography, source IP, destination IP, session duration, and transfer sizes per device and user with anomaly alerting.

      3. Alert for new or rarely used user agents per user.

  2. Track administrator access patterns and actions taken, with alerts for abnormal behavior.
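As an added example (not part of the original guidance), the Python script below implements two of the behaviour-analysis rules above over a constructed set of login events: the "superman" rule, which alerts when the distance between a user's consecutive login locations would require travelling faster than a plausible speed, and the rare-user-agent rule, which alerts when a user presents a user agent seen fewer than a threshold number of times for that user. The geolocation table stands in for a real IP-to-location lookup, and the speed threshold, user-agent baseline and rarity threshold are assumptions for the example.

```python
import math
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed login events for an internal application behind the load
# balancer: (timestamp, user, source IP, user agent). Not real data.
SAMPLE_LOGINS = [
    ("2024-05-01T10:00:00+00:00", "alice", "198.51.100.10", "Mozilla/5.0 Chrome/124"),
    ("2024-05-01T10:30:00+00:00", "alice", "198.51.100.20", "Mozilla/5.0 Chrome/124"),
    ("2024-05-01T09:00:00+00:00", "bob", "198.51.100.30", "Mozilla/5.0 Firefox/125"),
    ("2024-05-01T12:00:00+00:00", "bob", "198.51.100.30", "Mozilla/5.0 Firefox/125"),
    ("2024-05-01T12:30:00+00:00", "bob", "198.51.100.30", "curl/8.5.0"),
]

# Constructed stand-in for a geolocation lookup: source IP -> (city, lat, lon).
GEO: Dict[str, Tuple[str, float, float]] = {
    "198.51.100.10": ("New York", 40.7128, -74.0060),
    "198.51.100.20": ("London", 51.5074, -0.1278),
    "198.51.100.30": ("Chicago", 41.8781, -87.6298),
}

# Constructed baseline: how often each user agent has been seen per user.
UA_BASELINE: Dict[str, Counter] = {
    "alice": Counter({"Mozilla/5.0 Chrome/124": 120}),
    "bob": Counter({"Mozilla/5.0 Firefox/125": 80}),
}

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
RARE_UA_THRESHOLD = 3       # assumption: fewer prior uses than this is "rare"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, using Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyse_logins(events, geo, ua_baseline) -> List[dict]:
    """Return impossible-travel and rare-user-agent alerts, processing the
    events in timestamp order. The baseline is copied, not mutated."""
    alerts: List[dict] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}  # user -> (time, ip) of previous login
    ua_counts = {user: Counter(c) for user, c in ua_baseline.items()}
    for ts_text, user, ip, ua in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        # Impossible travel: the speed implied by consecutive login locations.
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            _, lat1, lon1 = geo[prev_ip]
            _, lat2, lon2 = geo[ip]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (ts - prev_ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"type": "impossible_travel", "user": user,
                               "from": geo[prev_ip][0], "to": geo[ip][0],
                               "km": round(km), "hours": round(hours, 2)})
        last_seen[user] = (ts, ip)
        # Rare user agent: alert until this user has used the agent enough times.
        counts = ua_counts.setdefault(user, Counter())
        if counts[ua] < RARE_UA_THRESHOLD:
            alerts.append({"type": "rare_user_agent", "user": user,
                           "user_agent": ua, "prior_uses": counts[ua]})
        counts[ua] += 1
    return alerts


if __name__ == "__main__":
    for alert in analyse_logins(SAMPLE_LOGINS, GEO, UA_BASELINE):
        print(alert)
```

On the sample data alice's second login, from London half an hour after one from New York, implies a speed of over 11,000 km/h and is alerted as impossible travel, while bob's login with a command-line user agent he has never presented before is alerted as a rare user agent. The note in the guidance about public applications applies here too: shared egress addresses and coarse geolocation make both rules far noisier for anonymous internet users than for a known internal population.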

Default Deny
  1. Redirect unencrypted sessions to use encrypted application access or block unencrypted connections.

Least Privilege
  1. Disable default system accounts, and utilize unique credentials for each load balancer within a cluster.

Segmentation
  1. Deploy a secure administrative zone and lock administrative access down to this zone.

  2. Segment load balancing operations across zones dedicated to specific applications.

  3. Use separate, dedicated application firewalls instead of all-in-one solutions deployed within a load balancing system.

  4. Use multiple different load balancing solutions for the greatest security.

Configuration
  1. Harden configurations using guidance from a government, third-party, or vendor source as much as possible.

Load Balancer Resources