Firewalls have been an integral part of the enterprise security portfolio almost from the time organizations first began putting up controls to protect network resources. Despite growing questions about how effective they really are in blocking advanced persistent threats and other emerging attack methods, many organizations still consider firewall technologies to be the most effective first line of defense against intruders.
Increasingly though, the effort is to make the firewall part of a broader multi-layered perimeter defense that includes technologies like sandboxing, security information and event management tools, and log event coordination systems.
Here are some key ways to get the most out of your firewall technologies amid today's rapidly change threat environment:
Performance-test your firewalls
Don’t judge your firewall just by how it performs in its default state, says Kasey Cross, security expert at A10 Networks.
A lot of the applications and services that used to be hosted in the data center are SaaS and cloud-based these days. The packets of traffic generated by mobile devices such as smartphones and tablets that need network access have added to the volume of traffic that must be vetted at the network edge.
Security devices that are ill-equipped to handle the volume and the somewhat unpredictable nature of the traffic can end up seriously increasing latency and degrading the performance of critical applications and services. Firewalls these days have a much bigger load to handle than before, Cross notes. So it is vital to ensure that your firewalls are up to the task.
“Consider how your policies impact performance. Make sure policies are written in such a way they don’t slow down performance,” she says.
Test the performance capabilities of your firewall when all rules are configured, not when it's in its default state.
Inspect the encrypted stuff
Make sure you can inspect all traffic including the encrypted stuff, Cross says. A lot of the traffic entering and exiting a network use Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption to protect data in transit. While that’s generally a good thing, the problem is that threat actors also use encryption to hide malicious activity and to conceal communications with compromised systems. By some estimates, more than one third of all traffic that hits a corporate network is encrypted. Without a way to decrypt the traffic, your firewalls are going to be blind to any attacks that a threat actor might slip in via encrypted traffic or to any data extraction that might be going on the same way as well, she says.
While some newer firewalls are able to decrypt and inspect encrypted traffic, many do not. If your firewalls fall into the latter category, it’s a good idea to have a way to intercept the SSL traffic before it hits your firewall so it can be inspected before being re-encrypted and sent to its destination.
Several vendors sell proxy servers that do the interception at a high enough speed there is no degradation in performance. If you don’t want to, or cannot inspect all encrypted traffic that is entering or exiting your network, you instead can specify traffic the traffic you do want to look at by source or by destination.
Role-Based Access Control
Consider implementing role-based access control to regulate access to network assets and services says James Cabe, manager sales engineering for national partners at Fortinet. And use strong user authentication to enforce the policy, he says. The goal is to assign and authorize access to the network resources based on a user’s role within the organization.
Users will have varying degrees of access based on their role and the associated requirements of that role, Cabe says. It allows administrators to permit or restrict access to network resources based on whether someone is an employee, a temporary worker or a contractor.
It’s a good idea to try and adopt the principal of least privilege when provisioning access to network resources, he says. This ensures that the user has the minimum access required to perform the functions of a particular role, while restricting all other access.
Role-based access offers more granular control than a group-based model where all individuals within the same group have the same access rights. “Role-based policies travel with people,” Cabe says. “It makes sure that you have a role on the network and that is it trackable and that you have least access” for the particular role.
Block the new threats
If you are not doing full content-filtering, make sure you are protected against risky low reputation sites and recently launched ones, says Alan Toews, technical product manager at Sophos. Phishers and other threat actors often use just-registered sites to launch attacks against their targets. Often the sites are used just for the duration of a phishing campaign and then quickly abandoned. So looking for and filtering sites that have only been recently registered is a good way to mitigate the threat posed by phishing and other malware threats
If you're not doing full content inspection, block things like Web advertisements, which are a very common threat vector, Toews says. Malvertising, the practice by threat actors to use malicious ads to infiltrate computer systems, has emerged as a critical security problem on the Internet. Even so, organization may want to make their own decisions when it comes to ad blocking, he says.
“I’m not making a blanket statement that you should block Web advertisements,” he notes. “It’s your choice to block or not block, but it’s something you might want to consider,” if not blocking entirely then at least to have some policies around them, he says.
Review your rules
Make sure to audit and review your firewall rules periodically. You might have started with a relatively clean set of rules and strict policies for blocking things at the network edge. But over time rules have a way of becoming obsolete, redundant and conflicting, according to Cross. They also have a way of becoming a lot more permissive than the original rules set.
It is not unusual at all for firewall administrators to start adding rules to accommodate requests from internal users about rules that might be preventing access to resources they legitimately need. Over time, such requests can make your rules base a lot less clean than it was when you started out and before you know it you are allowing in traffic that you previously would have restricted.
Conflicting rules and misconfigurations are bad enough when you have just a handful of firewalls to manage. But they become a lot harder to catch in organizations that have numerous firewalls and administrators.
Generally, it is a good idea to review your rule sets every six months. Remove the obsolete, the unused, and expired rules, she says. When adding new rules, make sure to look at existing rules first so they don’t duplicate or conflict with something that might already be in place.