Firewalls are complex beasts today.
A firewall is usually your first line of defense against the hordes of attackers, scripts, bots, and other malware out on the Internet. Firewalls used to be dedicated appliances that looked at ‘What device is sending traffic, and where is it sending it to?’ You’ll hear this called a ‘port-based firewall’ or a ‘traditional firewall’. This information would then be matched up against a rule, and be permitted or denied. Fairly simple in concept – but managing these port-based rules can be complex, and mistakes are easy to make – or to miss. Configurations can be hard to keep up to date, obsolete or unnecessary rules are often not identified or removed – it isn’t uncommon to see 200 rules on a firewall that is only using 20 – and the rest are really unnecessary risks.
This situation is magnified with today’s firewall.
The modern ‘Next-Generation Firewall’ (NGFW) still checks all of the old style rules, but also has lots of new options and capabilities. Firewalls can ask (and answer) questions like ‘What kind of application is sending and receiving this traffic?’, ‘Does this file contain a virus?’, ‘Should this email be marked Spam?’, ‘Is this really a website that should be visited from the workplace’ – and others. Generally, NGFW options include include; AntiVirus and Antispam, web/URL filtering (by category, reputation, or both), user-based access roles (Windows User ID, for example), advanced Intrusion Detection and/or Prevention capabilities, Data Loss Prevention techniques (DLP), SSL decryption and inspection for encrypted sites, and even file analysis of unknown files – called sandboxing or detonation.
Whew. That’s a ton of functionality – what a mouthful. And with all that functionality comes complexity. All these new features need to be configured – they need to match your corporate security policy, they need to be functional, and your network still needs to be usable. And since many organizations were falling behind and just not able to pay attention to the (comparatively) simply old-style rules, all of these new options seem to present an insurmountable obstacle – many organizations are buying new, capable firewalls and just copying their old rules. Not getting subscriptions for IPS, or for sandbox/detonation subscriptions – and it’s not because they don’t want it, but because they can’t keep up with the care and feeding of the firewall.
Look at the Internet today, it’s filled with bots and malware! Leave any device exposed on the Internet with a ‘login’ capability for any length of time – often just a few minutes – you can quickly see how often random login attempts happen – the answer is ‘a lot’. And those are just the events that are easy to see. If you aren’t using these advanced features on your firewall, well….. These attacks are happening regardless, and the unfortunate part is that without the right set of security measures, you have no way to tell… until afterwards.
These features are built into the newest firewalls because they are important, and necessary – and they do make a big difference in your network security.
What does all this really mean?
Well, the bad guys have gotten better and better over the years at attacking your network, your PCs, your email, your users – new problems crop up all the time. You may remember names like WannaCry, Heartbleed, Code Red, ILOVEYOU, Cryptolocker – the list goes on and on and on – and there will certainly be more.
All of this new functionality in your firewall is intended to give you the opportunity to protect yourself. Application ID, User ID, URL Filtering, Antivirus, Antispam, DLP, SSL Decryption, IDS/IDP, and Sandboxing are all designed to work together and make your network safer. Specific networks may only need some of these, some may need them all – but it’s difficult to imagine a scenario where none of these features are adding value.
In The Real World – these features work.
May 12th, 2017 : WannaCry hits the Internet. Many organizations are impacted across the world, – one of the more prominent victims being the National Health Service in the United Kingdom, but victims are found in both small and large organizations, all over the world. The malware was spread to huge numbers of machines in a very short time – and many users who paid the ‘ransom’ for their encrypted data never received a decryption key. This type of disaster is a problem for any organization – but there are approaches to mitigate and even prevent it.
Operating system-level solutions to this ransomware were complex. The ‘simple’ solution was to have every machine in an organization patched and completely up to date. This is a fine objective, but the reality in many organizations is that complete currency isn’t possible – the testing and deployment isn’t always easy, can’t always be automated, and – just like managing a firewall, it falls behind. You could ask for 100% cyber-security aware users where no one is going to open a suspicious attachment or click on a bad link – and this really isn’t going to happen either. Social engineering attacks can include malware like Wannacry – and some of them can be extremely sophisticated – and people make mistakes. It happens.
The other approach needs your firewalls and security posture to be up to date.
Fortinet, Palo Alto Networks, and Juniper Networks, as examples, all have analysis and remediation engines within their product lines that identify, block, and quarantine unknown, malicious traffic. Did you know that all three companies successfully detected and *prevented* WannaCry attacks during the initial period where the attack wasn’t successfully identified, and signatures hadn’t yet been developed and spread yet? The blogs for each vendor’s response are still available on their respective websites. Zero-Day prevention – the prevention of an attack as it occurs, before any time has elapsed to obtain published signatures and responses – for WannaCry was available with all three vendors.
Various degrees of live or short-term reactive protection were available for active subscription users with combinations of a Sandbox subscription, IDP/IPS subscription feeds, and AntiVirus/Antimalware/Antispam feeds. Some combinations were effective on ‘live’ traffic – some may have a taken a few hours to get a signature developed and pushed down to your box – depending on your update schedules.
If you only had a traditional port-based firewall – well… you still aren’t protected even today.
The short form – these features work, and provide significantly better security for your company. All of these firewalls and associated capabilities will do a significantly better job than the old-style port-based firewall at keeping your network secure – and letting you sleep better at night.
So who is going to configure all this?
There is a downside to all these new capabilities, and it’s a challenge that almost all of us face – time, effort, and expertise.
Let’s take application identification for surfing the web – sounds simple. ‘Take this port 80 traffic – the standard port for surfing web pages – and make sure it’s valid ‘web-surfing’ traffic.’ Sounds great – all done – except there’s a problem. You installed Super Anti-Virus on all your desktops. Now, when they go to get updates, they use the SuperAV web-page. Port 80! But what they are sending isn’t standard ‘web-surfing’ traffic – it is a different application. If you don’t know that, then you probably didn’t add the application to your rule, and now no one is getting antivirus updates. You need to go add ‘SuperAV Update Application’ to your firewall rule.
And that’s just one application in one rule; how many applications run in your company? Then you probably need to look at Anti-virus and Anti-spam rules right on the firewall, along with URL filtering – and Intrusion Detection – every major vendor has IDP on the firewall now, and it’s a major component of modern security – you really should be using it.
Everyone sees this problem – it was hard enough to keep up with the security rules on firewalls 10 years ago – now it’s becoming impossible. You can design something, and implement it , but the odds are really high that it’s going to get out of date quickly, rules won’t be updated, holes won’t be covered, code updates may not happen – and if it gets out of date, your firewall simply can’t be as effective as you need it to be.
Not to mention, we haven’t even started to account for the time it’s going to take to get people trained on these firewalls – to learn about all these features, and how to configure them, manage them, monitor them, and to stay on top of new capabilities as they arrive!
There’s help available
Lanworks has a trained staff who do a lot of ‘care and feeding’ for firewalls, and we do have customers who leverage that skill on an ‘on-call’ basis but there is a better way – engage in a Managed Firewall program – Lanworks offers managed firewall capabilities for several firewall manufacturers.
Get your firewall’s rulesets, IDP posture, and application configurations reviewed and validated on a regular basis, including an annual Security Posture assessment.
Ensure your firewall code is kept current and have regularly scheduled maintenance windows so you can be confident that you perimeter is kept secure.
You have access to both regularly scheduled changes and emergency remediation when new threats appear on the Internet.
You get regular reports on traffic and application use, and vulnerabilities and threats detected and blocked.
Complete firewall configuration top-to-bottom, including logging and history, hardware reporting and management, remote-user access VPN and site-to-site VPN configuration and monitoring , Intrusion Detection and Prevention, Application Identification, Anti-Virus, Anti-Spam, Site Reputation, Sandboxing, URL Filtering, Active-Directory Integration, High-Availability configurations, and monitoring and fault management are all available in one simple package.
We have specialists on various firewall platforms – and it doesn’t take time away from your corporate projects and activities for us to do the management and configuration work for you – logging, backups and archives, total currency assurance across the perimeter of your network – free up your IT department to work on go-forward business while maintaining better confidence and assurance that your firewall edge – the most exposed part of your network – is being managed and reviewed and kept up to date by a team you can trust.
This program is available both for firewalls that you already own – as long as it’s a vendor we support, we can look after it for you – or Lanworks can provide a fully-managed hardware turnkey solution customized to match your companies security policies.
If you don’t have a well-established security policy document, or you are unsure what standards to design your firewall rules against – perhaps security audit is giving you headaches over it – Lanworks can help you with frameworks and policies to get you started.
One firewall, two firewalls, 10 firewalls, 100 firewalls – leverage your time, your staff’s time, and current, capable firewalls that leverage all the ‘nice-to-have’ functionality that you know you really need but just can’t manage to get completed with our Managed Firewall services.
