
5 Tips For Getting The Most Out Of Your Firewall

Despite concerns over the effectiveness of perimeter technologies, firewalls remain a staple in the enterprise security arsenal.

Firewalls have been an integral part of the enterprise security portfolio almost from the time organizations first began putting up controls to protect network resources. Despite growing questions about how effective they really are in blocking advanced persistent threats and other emerging attack methods, many organizations still consider firewall technologies to be the most effective first line of defense against intruders.

Increasingly, though, the effort is to make the firewall part of a broader multi-layered perimeter defense that includes technologies like sandboxing, security information and event management tools, and log event correlation systems.

Here are some key ways to get the most out of your firewall technologies amid today's rapidly changing threat environment:

Performance-test your firewalls

Don’t judge your firewall just by how it performs in its default state, says Kasey Cross, security expert at A10 Networks.

A lot of the applications and services that used to be hosted in the data center are SaaS and cloud-based these days. The packets of traffic generated by mobile devices such as smartphones and tablets that need network access have added to the volume of traffic that must be vetted at the network edge.

Security devices that are ill-equipped to handle the volume and the somewhat unpredictable nature of the traffic can end up seriously increasing latency and degrading the performance of critical applications and services. Firewalls these days have a much bigger load to handle than before, Cross notes. So it is vital to ensure that your firewalls are up to the task.

“Consider how your policies impact performance. Make sure policies are written in such a way they don’t slow down performance,” she says.

Test the performance capabilities of your firewall when all rules are configured, not when it's in its default state.

Inspect the encrypted stuff

Make sure you can inspect all traffic, including the encrypted stuff, Cross says. A lot of the traffic entering and exiting a network uses Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption to protect data in transit. While that’s generally a good thing, the problem is that threat actors also use encryption to hide malicious activity and to conceal communications with compromised systems. By some estimates, more than one third of all traffic that hits a corporate network is encrypted. Without a way to decrypt the traffic, your firewalls are going to be blind to any attacks that a threat actor might slip in via encrypted traffic, and equally blind to any data exfiltration going out the same way, she says.

While some newer firewalls are able to decrypt and inspect encrypted traffic, many do not. If your firewalls fall into the latter category, it’s a good idea to have a way to intercept the SSL traffic before it hits your firewall so it can be inspected before being re-encrypted and sent to its destination.

Several vendors sell proxy servers that do the interception at high enough speed that there is no degradation in performance. If you don’t want to, or cannot, inspect all encrypted traffic that is entering or exiting your network, you can instead specify the traffic you do want to look at by source or by destination.

Role-Based Access Control

Consider implementing role-based access control to regulate access to network assets and services, says James Cabe, manager of sales engineering for national partners at Fortinet. And use strong user authentication to enforce the policy, he says. The goal is to assign and authorize access to network resources based on a user’s role within the organization.

Users will have varying degrees of access based on their role and the associated requirements of that role, Cabe says. It allows administrators to permit or restrict access to network resources based on whether someone is an employee, a temporary worker or a contractor.

It’s a good idea to try and adopt the principle of least privilege when provisioning access to network resources, he says. This ensures that the user has the minimum access required to perform the functions of a particular role, while restricting all other access.

Role-based access offers more granular control than a group-based model, where all individuals within the same group have the same access rights. “Role-based policies travel with people,” Cabe says. “It makes sure that you have a role on the network and that it is trackable and that you have least access” for the particular role.

Block the new threats

If you are not doing full content filtering, make sure you are protected against risky low-reputation sites and recently launched ones, says Alan Toews, technical product manager at Sophos. Phishers and other threat actors often use just-registered sites to launch attacks against their targets. Often the sites are used just for the duration of a phishing campaign and then quickly abandoned. So looking for and filtering sites that have only been recently registered is a good way to mitigate the threat posed by phishing and other malware threats.

If you're not doing full content inspection, block things like Web advertisements, which are a very common threat vector, Toews says. Malvertising, the practice by threat actors of using malicious ads to infiltrate computer systems, has emerged as a critical security problem on the Internet. Even so, organizations may want to make their own decisions when it comes to ad blocking, he says.

“I’m not making a blanket statement that you should block Web advertisements,” he notes. “It’s your choice to block or not block, but it’s something you might want to consider,” if not blocking entirely then at least to have some policies around them, he says.

Review your rules

Make sure to audit and review your firewall rules periodically. You might have started with a relatively clean set of rules and strict policies for blocking things at the network edge. But over time rules have a way of becoming obsolete, redundant and conflicting, according to Cross. They also have a way of becoming a lot more permissive than the original rule set.

It is not unusual at all for firewall administrators to start adding rules to accommodate requests from internal users about rules that might be preventing access to resources they legitimately need. Over time, such requests can make your rule base a lot less clean than it was when you started out, and before you know it you are allowing in traffic that you previously would have restricted.

Conflicting rules and misconfigurations are bad enough when you have just a handful of firewalls to manage. But they become a lot harder to catch in organizations that have numerous firewalls and administrators.

Generally, it is a good idea to review your rule sets every six months. Remove the obsolete, the unused, and expired rules, she says. When adding new rules, make sure to look at existing rules first so they don’t duplicate or conflict with something that might already be in place.
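The kinds of rule-base problems Cross describes (expired temporary rules, duplicates, and later rules that conflict with an earlier one and so can never match) can be found mechanically. The following added example, which is not part of the article and not any vendor's tool, audits a constructed first-match rule base; the `Rule` fields, the sample rules and the review date are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    dport: tuple    # inclusive (low, high) destination port range
    expires: str = ""  # ISO date for temporary rules, empty if permanent

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b also matches rule a."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    sa, sb = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    da, db = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    if sa.version != sb.version or da.version != db.version:
        return False  # subnet_of() only compares networks of the same IP version
    return (sb.subnet_of(sa) and db.subnet_of(da)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def review(rules, today: str):
    """Audit an ordered, first-match rule base. Returns (rule, finding, detail)
    triples: 'expired' (past its ISO date), 'redundant' (fully covered by an
    earlier rule with the same action) or 'shadowed' (fully covered by an earlier
    rule with the opposite action, so it can never match: a conflict)."""
    findings = []
    for i, later in enumerate(rules):
        if later.expires and later.expires < today:  # ISO dates sort as strings
            findings.append((later.name, "expired", later.expires))
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # report the first earlier rule that hides this one
    return findings

# Constructed sample rule base (not taken from any real firewall).
RULES = [
    Rule("allow-web", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("deny-dmz", "deny", "0.0.0.0/0", "192.0.2.0/24", "any", (1, 65535)),
    Rule("allow-web-dup", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("allow-ssh-dmz", "allow", "10.1.0.0/16", "192.0.2.20/32", "tcp", (22, 22)),
    Rule("contractor-rdp", "allow", "10.2.0.0/24", "198.51.100.7/32", "tcp",
         (3389, 3389), expires="2015-06-30"),
]
```

Running `review(RULES, "2015-12-01")` flags the duplicate web rule, the SSH rule that the broad DMZ deny in front of it makes unreachable, and the contractor rule that outlived its expiry date; a real audit would also pull hit counters from the firewall to find the unused rules this static check cannot see.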

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
12/30/2015 | 6:53:40 PM
And IPv6
And what about IPv6 and logins?