Positive Firewall & Network Security: Part TwoFebruary 12, 2015 Leave your thoughts
In my previous blog I discussed the advantages of deploying a positive rather than negative stance to firewall security. Following up on this, I would like to discuss a holistic approach combined with granular security….
It’s all well and good identifying the applications that you want to pass out of your perimeter firewall (as mentioned in the previous blog) as this gives you much finer control of implicitly allowing the ‘good’ traffic and blocking the ‘bad’, rather than the default stance of blocking some bad and allowing the rest – which may indeed be good or bad.
In an ideal world, where we all play by the rules and we all send the correct traffic on the correct ports, this is fine, but let’s not be naive here. As in society at large, its only the good guys who play by these rules. The bad guys, the guys who want to compromise our network and glean our data, do whatever they can to evade and bypass the security we have.
If you are still using a standard ‘statefull’ firewall rather than a Next Generation Firewall (NGFW) you are liable to be open to compromise, even if you are taking ‘a positive approach to security’. This is due to firewall rules – for actions such as allowing web browsing (http) – which can be can easily be hijacked by many other applications (malicious and legitimate) using the TCP port (80) that web browsing uses.
With a NGFW you are able to delve far deeper into the actual data packet rather than considering at a lower base layer what the TCP/UDP port is meant to be used for and trusting that it is this data that is actually being passed.
A NGFW has Application Level visibility to allow you, for example, to define specific applications that use the same port (say port 80) and thus allowing you to be very granular about such protocols as allowing standard web browsing (which is the default application on Port 80), whilst blocking applications like Facebook or Skype or a myriad of malicious programs and malware which could exploit open ports on traditional firewalls.
With a standard ‘statefull’ firewall on your network it can be interesting to see which ports are being used for traffic to pass out of your network. However, the first time you place a NGFW on a network using the same technique you will be amazed at just how many applications and services are passing through the network which were previously unbeknown – hopefully most these would be benign, but this is not always so.
Add to this the capability to view the data streams of individual users who appear in your Active Directory structure – rather than from IP addresses assigned to devices, which obviously change over time and are hard to track – you have some very compelling reasons to consider a NGFW.
Combining this detailed application visibility with specific user data allows you to be extremely granular in defining positive firewall rules. For example, Vic in Marketing and Bob in Sales are allowed to use Facebook, whilst general office staff cannot. The amount of control this provides is powerful and ultimately ensures that the perimeter security of the network can and will be as strong as possible.
Upping your game when it comes to security is a ‘must do’ on the list of all IT personnel responsible for a company network.
Despite the headline grabbing news of the recent months where Sony, amongst others, were well and truly compromised, it is not only the large corporations who are open to risk of security compromise (although they do make the best headlines). Small and medium businesses need to become much more aware of their security stance.
This is because these smaller businesses may not be as well staffed or skilled in the IT department, in fact they may not even have a dedicated IT resource at all. They also may well believe that they are immune to the hacks and security compromises as there are bigger more profitable targets for the hackers to concentrate on. Although this could be of course be true for some, there are a lot of automated tools that can be deployed to highlight vulnerabilities that really don’t care who you are; they just care what they can potentially gain from you.
With an ad-hoc approach to security – whether it be at the perimeter or in the use of outdated and not updated older operating systems and programs – a lack of centralised control of end devices, mis-configured or out of date malware protection, the expansion of BYOD and with it the requirement for everyone to have WiFi connectivity to the Internet (often without the correct segmentation and logging) may well lead to security problems…
…oh and of course, probably most importantly, a lack of awareness from your users about the best practices to follow.
So, a layered approach to security is one that works best.
- A positive approach to allowing only the correct data flows out of your network
- A tough inbound perimeter with only the minimum of inbound data flows permitted
- Consideration of moving to a NGFW
- Secure remote working solutions to allow for worker flexibility without compromising security
- Proper monitoring and logging of devices, whether this be a full MDM or other management solution
- Training and advice on best practices for your staff
- Segmentation and classification of different classes of users on your network
- Centralised updating and monitoring of updates for operating systems, key software packages and anti-malware programs
- A properly considered, designed and deployed Wireless network with secure BYOD if required
- And finally…..review, review, modify, review. Nothing stays static, so once deployed your security will need constant love and attention to make sure it stays relevant, viable and secure
Here at Ensign we have a great deal of network security knowledge and carry some of the industry’s leading firewalls from Palo Alto Networks, Cisco and Cisco Meraki. If you’d like to know more, I’d be happy to have a chat about your requirements. Jim.
application layer firewall, enterprise network security, Palo Alto Firewall, palo alto networks