Video Screencast Help

SCSP - Management Server topology to maintain zone-segregation of endpoints

Created: 08 Jan 2013 • Updated: 13 Jan 2013 | 4 comments
This issue has been solved. See solution.

Struggling to find any information about SCSP management server topologies to maintain segregation (as distinct from high-availability)

I am working with a client that has both public facing and highly restrictive systems, and currently has a high degree of segregation between them (e.g. no direct connections from a low security zone to a high security zone, management must reside in a zone which is at least as secure as the zones it is managing)

If the standard SCSP topology was used, agents in both low and high security zones could initiate connections to the same management server. This introduces the possibility that tomcat and/or network stack vulnerabilties could be exploited and used to cross between zones. While this risk is probably low, it would be preferable to avoid it by using separate management servers for low and high zones. It would be preferable to maintain a single pane of administration (i.e. shared database) to avoid additional operational management complexity. i.e. Agents in each security zone connect to management servers in that security zone, all management servers connect to single database in a database zone as per

Are there any existing patterns for this kind of topology, or an alternative solution that would address this risk?

Comments 4 CommentsJump to latest comment

Alex_CST's picture

Would encryption of the communication between agent and management server negate those concerns?  Because that is an option

Please mark posts as solutions if they solve your problem!

Capriole's picture

Encryption only solves part of the problem - it would protect the content of SIEM events from being disclosed.

But it don't believe it provides protection against the management server being exploited from a low security zone, and then being used to compromise agents in more secure zones.

It would be useful to know if, and how, the management server authenticates the agent. If connections from agents are authenticated using a mechanism that is not susceptible if the agent computer is compromised, then that might be appropriate mitigation.

Conventus Tyrrell's picture

All communications between the agent and management server are secured via ssl (the agent-cert.ssl file you specify during agent installation). I typically utilize CSP on the management server itself to secure it from buffer overflow/thread injection attacks. I also ensure we are protecting system files from modification. I have been involved in several pen-tests and have yet to see a management server be compromised and used against other assets.

Chris Tyrrell

Conventus Corp.

Capriole's picture

Okay - so the primary mitigation for this is to run a CSP Agent on the management server itself with file system protection on - that seems reasonable - thanks for your input.