Positive Firewall & Network Security
By Jim Lucking on 12th Feb 2015
As we continue to blur the lines between our office and home networks, it is important as network administrators to consider the increasing security risks. Gone are the days when simply-crafted malware attacks acted in a predictable way. The growth of technology has increased the options and skills available to the potential bad guys, with sites on the DarkNet offering a variety of powerful malware and vulnerability attack tools akin to browsing a supermarket aisle.
In many small and mid-size organisations multi-tasking is normal. It’s not uncommon that the guys managing IT systems are also the network engineers as well as the security experts.
In a world where there is always too much to do, deploying standard network security protocols can seem like a reasonable time- and resource-efficient option. However, this can be a dangerous approach as protecting your perimeter, and the all-important data in your system, should be nothing less than a top priority.
If recent events have taught us anything (Sony, Microsoft), it’s that all businesses are vulnerable to cyberattack, both large and small, and whilst basic security provision may offer some protection, having your business critical systems compromised can be costly to your business in real cash terms and reputation.
A default stance for many when deploying firewalls is to use a negative approach to creating firewall rules rather than a positive approach, especially when defining outbound rules as it’s quick and easy to do.
Limited Outbound Network Security
It can be common to find limited outbound security rules, such as:
- Block BitTorrent
- Block Peer-to-Peer
- Permit ALL other traffic
Or sometime, simply:
- Permit ALL traffic out (because this is the default setting to allow rapid start-up)
Within the first example you have defined which protocols you don’t want to pass out of your network and thus all others are permitted…what!? Hold on just a second.
Using this framework, even the unknown applications lurking in the dark that you don’t know exist on your network, can gain access. Not Good.
So, what's the alternative?
OK, so in taking a POSITIVE rather than a NEGATIVE approach, it would make more sense to:
- Allow FTP from certain internal addresses to certain external addresses
- Allow SMTP from email servers only
- Allow web browsing
- Deny ALL other traffic and log it
Thus, any unknown traffic streams that are malicious - or even just unknown - will be stopped whilst maintaining a positive access approach to the traffic we trust.
I’ll admit, deploying network security in this fashion can be a bit more painful and a lot more planning needs to go into your firewall deployment. However, careful planning and firewall deployment are two phrases that should always go hand-in-hand.
The road to positivity
As a quick guide…
- First, identify your known business applications; there are lots of obvious ones like email, web browsing etc, but you may also use custom applications which should be defined
- Second, define firewall rules allowing these specific traffic streams
- And third, permit ALL other traffic and Log it
Once these initial steps are complete, review the logs and identify any other applications that may have been missed and add these to your permitted applications. In time you will be able to remove your Permit ALL line and change it to a Deny ALL.
*After a major change such as this, you will need to be alert to traffic getting blocked that should in fact be permitted (of course, your users will be quick to shout when this happens). In this scenario you should now have confidence that only permitted applications will pass out of your business network…
Now I would like to discuss a holistic approach combined with granular security….
It’s all well and good identifying the applications that you want to pass out of your perimeter firewall as this gives you much finer control of implicitly allowing the 'good' traffic and blocking the 'bad', rather than the default stance of blocking some bad and allowing the rest - which may indeed be good or bad.
In an ideal world, where we all play by the rules and we all send the correct traffic on the correct ports, this is fine, but let’s not be naive here. As in society at large, its only the good guys who play by these rules.
The bad guys, the guys who want to compromise our network and glean our data, do whatever they can to evade and bypass the security we have.
If you are still using a standard 'statefull' firewall rather than a Next Generation Firewall (NGFW) you are liable to be open to compromise, even if you are taking ‘a positive approach to security’. This is due to firewall rules - for actions such as allowing web browsing (http) - which can be can easily be hijacked by many other applications (malicious and legitimate) using the TCP port (80) that web browsing uses.
With a NGFW you are able to delve far deeper into the actual data packet rather than considering at a lower base layer what the TCP/UDP port is meant to be used for and trusting that it is this data that is actually being passed.
A NGFW has Application Level visibility to allow you, for example, to define specific applications that use the same port (say port 80) and thus allowing you to be very granular about such protocols as allowing standard web browsing (which is the default application on Port 80), whilst blocking applications like Facebook or Skype or a myriad of malicious programs and malware which could exploit open ports on traditional firewalls.
What could you be missing?
With a standard 'statefull' firewall on your network it can be interesting to see which ports are being used for traffic to pass out of your network. However, the first time you place a NGFW on a network using the same technique you will be amazed at just how many applications and services are passing through the network which were previously unbeknown - hopefully most these would be benign, but this is not always so.
Add to this the capability to view the data streams of individual users who appear in your Active Directory structure - rather than from IP addresses assigned to devices, which obviously change over time and are hard to track - you have some very compelling reasons to consider a NGFW.
Combining this detailed application visibility with specific user data allows you to be extremely granular in defining positive firewall rules. For example, Vic in Marketing and Bob in Sales are allowed to use Facebook, whilst general office staff cannot. The amount of control this provides is powerful and ultimately ensures that the perimeter security of the network can and will be as strong as possible.
Layered network security
Upping your game when it comes to security is a ‘must do’ on the list of all IT personnel responsible for a company network.
Despite the headline grabbing news of the recent months where Sony, amongst others, were well and truly compromised, it is not only the large corporations who are open to risk of security compromise (although they do make the best headlines). Small and medium businesses need to become much more aware of their security stance.
This is because these smaller businesses may not be as well staffed or skilled in the IT department, in fact they may not even have a dedicated IT resource at all. They also may well believe that they are immune to the hacks and security compromises as there are bigger more profitable targets for the hackers to concentrate on. Although this could be of course be true for some, there are a lot of automated tools that can be deployed to highlight vulnerabilities that really don’t care who you are; they just care what they can potentially gain from you.
With an ad-hoc approach to security - whether it be at the perimeter or in the use of outdated and not updated older operating systems and programs - a lack of centralised control of end devices, mis-configured or out of date malware protection, the expansion of BYOD and with it the requirement for everyone to have WiFi connectivity to the Internet (often without the correct segmentation and logging) may well lead to security problems…
...oh and of course, probably most importantly, a lack of awareness from your users about the best practices to follow.
So, a layered approach to security is one that works best.
- A positive approach to allowing only the correct data flows out of your network
- A tough inbound perimeter with only the minimum of inbound data flows permitted
- Consideration of moving to a NGFW
- Secure remote working solutions to allow for worker flexibility without compromising security
- Proper monitoring and logging of devices, whether this be a full MDM or other management solution
- Training and advice on best practices for your staff
- Segmentation and classification of different classes of users on your network
- Centralised updating and monitoring of updates for operating systems, key software packages and anti-malware programs
- A properly considered, designed and deployed Wireless network with secure BYOD if required
- And finally…review, review, modify, review. Nothing stays static, so once deployed your security will need constant love and attention to make sure it stays relevant, viable and secure
Here at Ensign we have a great deal of network security knowledge and carry some of the industry's leading firewalls from Palo Alto Networks, Cisco and Cisco Meraki. If you'd like to know more, I'd be happy to have a chat about your requirements. Jim.
If you are planning to deploy an enterprise-grade wireless network or are experiencing problems with a existing setup, please feel free to contact Ensign Communications for a chat with our technical team.
Proud Partners Of
Proud to Work With
Investing heavily in new distribution, logistics and staffing initiatives, Sainsbury's approached Ensign to provide wireless LAN infrastructures to hundreds of Sainsbury’s stores across the British Isles.
In order to meet increasing product demand, JLR’s UK parts distribution operation was moved to Liverpool, with plans to operate out of a new 400,000 sq ft site on the Phoenix Industrial Estate at Ellesmere Port.