Links

Security Best Practices

By hosting PlexTrac on-premise, organizations gain greater control over customization and updates but are responsible for implementing and maintaining security measures. Since PlexTrac contains an organization's vulnerability and pentesting data, security is crucial for protecting sensitive data, complying with regulations, and ensuring business continuity.

Network and Host Security

Securing the deployment of PlexTrac encompasses various best practices, which can be categorized into two primary domains: network security and host security.
Network security protects data and resources' integrity, confidentiality, and availability within a computer network. It involves implementing various measures, policies, and technologies to prevent unauthorized access, data breaches, and cyberattacks on the network infrastructure. The primary goal of network security is to create a secure environment where data can be transmitted, stored, and accessed by authorized users while keeping malicious actors and threats at bay.
Host security refers to the measures and practices implemented to protect individual computing devices, such as servers, workstations, laptops, and mobile devices (endpoints). The primary objective of host security is to safeguard these devices from various cyber threats and unauthorized access, ensuring the confidentiality, integrity, and availability of the data stored on them.

Best Practices and Recommendations

Ensuring security for on-premise hosting is paramount in safeguarding sensitive data and critical systems within an organization's infrastructure. This section outlines essential best practices that organizations should consider when securing their hosting environments, providing a solid foundation for protecting valuable assets and maintaining the confidentiality, integrity, and availability of their information and services.

Network Protection

Before installing the PlexTrac product, the first step involves determining the optimal location for the host placement within the network. PlexTrac strongly advises against placing the product in the DMZ (demilitarized zone) or exposing it to the internet unless internet access is required.

Intranet Deployment

For only internal-facing instances, keep two ports open, while the rest can be closed via firewall rules in the environment. Here is an overview of ports that could be opened:
Port
Notes
443
This port is commonly used for HTTPS, the secure version of HTTP. It is accessed by users to connect to the PlexTrac instance securely over the internet. HTTPS ensures that the communication between the user's browser and the PlexTrac server is encrypted, providing higher security during data transmission.
80
Port 80 is typically used for regular HTTP connections. It redirects to port 443, which means that when users attempt to access the PlexTrac instance using HTTP (non-secure), the server automatically redirects them to the HTTPS (secure) version on port 443. Leaving port 80 open can help handle these redirects and ensure a secure connection.
22
Port 22 is the default SSH (Secure Shell) connection port. SSH is a secure protocol used for remote access to servers. It is used to manage, patch, and upgrade the PlexTrac instance. System administrators and authorized users can use SSH to log in to the server's command-line interface (CLI) and perform various administrative tasks.
To enhance security and prevent attackers from laterally moving to the PlexTrac instance through port 22, PlexTrac recommends implementing one or more of the following mitigation strategies:
  • Keep port 22 closed until management or patching is necessary. While effective, this approach may become an issue if prompt action is required on the host.
  • Implement MFA, RADIUS, or similar authentication mechanisms to provide an additional layer of protection. This will prevent attackers from exploiting password spraying or brute forcing techniques to access the host.
  • Configure the firewall rules to allow access from a jump host. This can work well when an environment is comprised of enterprise Windows hosts. Using LDAP to access the jump host, along with a strong password on the PlexTrac instance, helps to ensure that two factors are in place for access and enforcing AD policies on users who need to access the PlexTrac instance.

Internet Deployment

When making PlexTrac publicly accessible, the required ports remain the same as mentioned before (port 443 and port 80). However, exposing only port 443 to the internet is essential for enhanced security. Port 22, used for SSH access, should be treated with the same precautions as in the Intranet deployment and protected with appropriate mitigating measures. This helps safeguard the system against potential threats and unauthorized access.

Host Protection for the PlexTrac Instance

Organizations should follow hardening standards to protect the PlexTrac host from network-based attacks. Some effective approaches include:
  • Update the operating system (OS) often: It's crucial to update the host OS to patch vulnerabilities and keep the PlexTrac instance host up to date, reducing its vulnerability as much as possible.
  • Configure strong passwords: Configuring strong passwords for the root and plextrac user accounts is essential for enhancing security by preventing unauthorized access and reducing the risk of privilege escalation.
  • Use security tools: Configuring anti-malware software and logging tools for internal security teams to monitor the instance is crucial to bolster security. Configure antivirus and logging tools, but ensure exceptions exist for tools like Docker.
  • Restrict access to the host: Restricting access to the CLI is critical for security. Implementing firewall rules or access management solutions allows control over who can access the host.