Network Security: Taking a Positive Approach
December 11, 2014
As we continue to blur the lines between our office and home networks, it is important as network administrators to consider the increasing security risks.
Gone are the days when simply-crafted malware attacks acted in a predictable way. The growth of technology has increased the options and skills available to the potential bad guys, with sites on the DarkNet offering a variety of powerful malware and vulnerability attack tools akin to browsing a supermarket aisle.
In many small and mid-size organisations multi-tasking is normal. It’s not uncommon that the guys managing IT systems are also the network engineers as well as the security experts.
In a world where there is always too much to do, deploying standard network security protocols can seem like a reasonable time- and resource-efficient option. However, this can be a dangerous approach as protecting your perimeter, and the all-important data in your system, should be nothing less than a top priority.
If recent events have taught us anything (Sony, Microsoft), it’s that all businesses, large and small, are vulnerable to cyberattack. Basic security provision may offer some protection, but having your business-critical systems compromised can be costly to your business, both in real cash terms and in reputation.
A default stance for many when deploying firewalls is to take a negative approach to creating firewall rules rather than a positive one, especially when defining outbound rules, because it is quick and easy to do.
Limited Outbound Network Security
It can be common to find limited outbound security rules, such as:
- Block BitTorrent
- Block Peer-to-Peer
- Permit ALL other traffic
Or sometimes, simply:
- Permit ALL traffic out (because this is the default setting to allow rapid start-up)
In the first example you have defined which protocols you don’t want to pass out of your network, and thus all others are permitted…what!? Hold on just a second.
Using this framework, even the unknown applications lurking in the dark, the ones you don’t know exist on your network, can gain access. Not good.
So, What’s the Alternative?
OK, so in taking a POSITIVE rather than a NEGATIVE approach, it would make more sense to:
- Allow FTP from certain internal addresses to certain external addresses
- Allow SMTP from email servers only
- Allow web browsing
- Deny ALL other traffic and log it
Thus any traffic stream that is malicious – or even just unknown – will be stopped, whilst maintaining a positive access approach to the traffic we trust.
I’ll admit, deploying network security in this fashion can be a bit more painful and a lot more planning needs to go into your firewall deployment. However, careful planning and firewall deployment are two phrases that should always go hand-in-hand.
The Road to Positivity
As a quick guide…
- First, identify your known business applications; there are lots of obvious ones like email, web browsing etc., but you may also use custom applications, which should be defined
- Second, define firewall rules allowing these specific traffic streams
- And third, permit ALL other traffic and log it
Once these initial steps are complete, review the logs and identify any other applications that may have been missed and add these to your permitted applications. In time you will be able to remove your Permit ALL line and change it to a Deny ALL.
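The two rule sets above (the negative "block a few things, permit the rest" list and the positive "permit known applications, deny the rest" list) and the three-step road to positivity can be exercised with a small policy evaluator. The block below is an added example written for this article, not code from the original post or from any firewall vendor; the addresses, ports, application labels and the assumption that "BitTorrent" means TCP 6881-6889 are all constructed for illustration. It evaluates a constructed set of outbound flows under each rule set, then runs the transitional "permit ALL other traffic and log it" set and pulls out the protocol/port pairs that only got through on the catch-all rule, which is the list you would review before swapping that line to a Deny ALL.

```python
# Added example: first-match policy evaluator contrasting negative and positive
# outbound rule sets, plus the permit-all-and-log review step from the guide.
# All addresses, ports and application labels are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # internal source address
    dst: str      # external destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    app: str      # label used only for reporting


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"             # CIDR; default matches any source
    dst: str = "0.0.0.0/0"             # CIDR; default matches any destination
    proto: str = "any"                 # "tcp", "udp" or "any"
    dports: frozenset = frozenset()    # empty set means any destination port
    log: bool = False                  # write a log line when this rule fires


def matches(rule: Rule, flow: Flow) -> bool:
    """A flow matches a rule when every field the rule constrains agrees."""
    return (
        rule.proto in ("any", flow.proto)
        and ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and (not rule.dports or flow.dport in rule.dports)
    )


def decide(rules, flow: Flow, log=None) -> str:
    """Return the action of the first matching rule (first-match semantics).
    Nothing matching falls through to an implicit deny, as on most firewalls."""
    for rule in rules:
        if matches(rule, flow):
            if rule.log and log is not None:
                log.append(f"{rule.action} {flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
            return rule.action
    return "deny"


# Known business applications (constructed): FTP from the 10.0.1.0/24 transfer hosts
# to a partner range, SMTP from the mail server only, web browsing from anywhere inside.
KNOWN_APPS = [
    Rule("allow", src="10.0.1.0/24", dst="203.0.113.0/24", proto="tcp", dports=frozenset({21})),
    Rule("allow", src="10.0.0.25/32", proto="tcp", dports=frozenset({25})),
    Rule("allow", proto="tcp", dports=frozenset({80, 443})),
]

# Negative approach: block BitTorrent (assumed here to be TCP 6881-6889), permit all else.
NEGATIVE_RULES = [
    Rule("deny", proto="tcp", dports=frozenset(range(6881, 6890))),
    Rule("allow"),
]
# Positive approach: permit the known applications, then deny and log everything else.
POSITIVE_RULES = KNOWN_APPS + [Rule("deny", log=True)]
# Transitional set from "The Road to Positivity": known apps, then permit ALL and log it.
REVIEW_RULES = KNOWN_APPS + [Rule("allow", log=True)]

# Constructed sample of outbound flows observed on the network.
FLOWS = [
    Flow("10.0.1.7", "203.0.113.9", "tcp", 21, "ftp-to-partner"),
    Flow("10.0.0.25", "198.51.100.10", "tcp", 25, "smtp-from-mailserver"),
    Flow("10.0.2.40", "198.51.100.10", "tcp", 25, "smtp-from-workstation"),  # not the mail server
    Flow("10.0.2.40", "198.51.100.80", "tcp", 443, "web"),
    Flow("10.0.2.41", "198.51.100.5", "tcp", 4444, "unknown-tcp-4444"),      # nobody knows this one
    Flow("10.0.3.12", "192.0.2.77", "udp", 5060, "voip-sip"),                # a missed business app
]


def run(rules) -> dict:
    """Map each sample flow's label to the decision the given rule set makes."""
    return {flow.app: decide(rules, flow) for flow in FLOWS}


def review_permit_all_log(flows=FLOWS) -> set:
    """Step three of the guide: evaluate with permit-all-and-log, then return the
    (proto, dport) pairs that only passed on the catch-all rule, for review."""
    log = []
    for flow in flows:
        decide(REVIEW_RULES, flow, log)
    # Every logged line came from the catch-all rule, i.e. traffic no known-app rule covered.
    missed = set()
    for line in log:
        proto, port = line.split()[-1].split("/")
        missed.add((proto, int(port)))
    return missed


if __name__ == "__main__":
    print("negative :", run(NEGATIVE_RULES))   # everything passes, including tcp/4444
    print("positive :", run(POSITIVE_RULES))   # only the known applications pass
    print("to review:", sorted(review_permit_all_log()))
```

Running it shows the point of the article in one glance: under the negative rule set every sample flow, including the unexplained TCP/4444 connection and SMTP from a workstation, is allowed, while under the positive set only the three defined applications pass. The review function returns UDP/5060 alongside the two suspect flows, which is exactly the kind of legitimate application the log review is meant to catch before the final Permit ALL becomes a Deny ALL.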
After a major change such as this, you will need to be alert to traffic getting blocked that should in fact be permitted (of course, your users will be quick to shout when this happens). At this point you should have confidence that only permitted applications will pass out of your business network…although this may not be entirely true (see Part 2, coming soon).
In Part 2
Based on what we have just learnt, we must now consider the weakness of traditional port-based firewalls when compared with the offerings of the latest next-generation application firewalls.
enterprise network security, enterprise networking, Palo Alto Firewall, wireless lan security