
RECOMMENDED SECURITY BEST PRACTICES

 
This section outlines recommended security best practices for VSP. These instructions apply to the
VSP infrastructure components (such as CMS and Remote VRule Engine) in VM-based or cloud-based
environments.
 
The recommended best practices are:

1. Security of cloud/infrastructure where Virsec services are running
   1. Disable API access and secret keys for all the cloud root and default accounts with
      superuser privileges
   2. Combine the cloud platform security features with the existing infrastructure components
   3. Perform regular security assessments on the instances and patch the vulnerabilities
      regularly
   4. Use Bastion hosts to enforce control and visibility to instances where Virsec services are
      running
   5. Disable services and protocols that authenticate users over the network in clear text or in
      an otherwise insecure manner
2. Security of instances where Virsec services are running
   1. Avoid using shared accounts to provision and access instances where Virsec services
      are running
   2. Avoid exposing VSP services on a public IP. If required, restrict access to the instances
      to limited IP ranges using firewall rules
   3. Within local VPC/private networks, access to the Virsec services must be limited using
      firewall rules
   4. Launch instances from trusted and validated images only
   5. Configure sshd to allow only public key authentication on instances where Virsec
      services are running
   6. Ensure that the .pem/.ppk file on the user machine is password protected
   7. Rotate credentials to instances where Virsec services are running. Enforce complex
      passwords and a strong rotation policy
   8. Do not execute any other services on instances where VSP CMS and AE services are
      running unless required by VSP
3. Securing access to CMS
   1. Integrate with authentication services like LDAP or SAML to give users access to CMS
   2. Do not share accounts; instead, create a named account on CMS with privileges assigned
      on a need-to-know basis using the RBAC feature on CMS

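
The sshd recommendation in the instance-security list above (public key authentication only) can be verified rather than assumed. The following is an added example, not part of the VSP documentation or Virsec tooling: a small audit of sshd_config text that accounts for OpenSSH keeping the first value it reads for a keyword and for Match blocks re-enabling passwords. The function name and sample configurations are constructed for illustration, and Include files are assumed not to be in use.

```python
# Added example (not vendor code): audit sshd_config text for key-only login.
# keyword -> (OpenSSH default when absent, value required for key-only auth)
POLICY = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("yes", "no"),
    "kbdinteractiveauthentication": ("yes", "no"),
}
# Older configs use the deprecated alias for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_sshd_config(text):
    """Return findings; an empty list means only public keys are accepted."""
    effective, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after Match is conditional
        elif key in POLICY and in_match:
            if value != POLICY[key][1]:
                findings.append(f"Match block sets {key} {value}")
        elif key in POLICY:
            effective.setdefault(key, value)  # sshd keeps the first value read
    for key, (default, required) in POLICY.items():
        got = effective.get(key, default)
        if got != required:
            findings.append(f"{key} is {got}, expected {required}")
    return findings

# Constructed samples. In WEAK the later "no" is ignored (first value wins).
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = (
    "PubkeyAuthentication yes\n"
    "PasswordAuthentication no\n"
    "ChallengeResponseAuthentication no\n"
)
WITH_MATCH = HARDENED + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("hardened", HARDENED), ("match", WITH_MATCH)]:
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, the effective configuration printed by `sshd -T` can be fed to the same function, which also covers settings pulled in from included files.
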
DEPLOYMENT MILESTONES

 
Deployment Stages

1. Deploy VSP servers: CMS, LFR and Remote V-rule engine (optional).

2. Deploy VSP Agents on identified business servers.

3. Collect server & app inventory and plan for profiles and ACP rules – Expected from customer

4. Enable Host profiles.

• Whitelist, exclude, tune ACP rules.

• Detect mode until 1 incident-free week

• Protect mode

5. Enable Web Profiles.

• Deep instrumentation

• Detect mode - 1 week

• Protect mode

Possible Challenges

• Ensure hardware and network requirements are fulfilled.

• Agents can communicate with CMS over HTTP and HTTPS ports. If the traffic passes through a proxy,
certs need to be added if applicable.

• Exclude VSP from any existing security products.

• RMP can be treated as a threat by other security products, which can lead to a server hang.
Excluding VSP files and folders from other products will solve the problem.

• Agents add host file entries. This can be avoided if DNS records can be created.
