Perimeter

12/29/2015 01:30 PM

5 Tips For Getting The Most Out Of Your Firewall

Despite concerns over the effectiveness of perimeter technologies, firewalls remain a staple in the enterprise security arsenal.

Firewalls have been an integral part of the enterprise security portfolio almost from the time organizations first began putting up controls to protect network resources. Despite growing questions about how effective they really are in blocking advanced persistent threats and other emerging attack methods, many organizations still consider firewall technologies to be the most effective first line of defense against intruders.

Increasingly though, the effort is to make the firewall part of a broader multi-layered perimeter defense that includes technologies like sandboxing, security information and event management tools, and log event coordination systems.

Here are some key ways to get the most out of your firewall technologies amid today's rapidly changing threat environment:

Performance-test your firewalls

Don’t judge your firewall just by how it performs in its default state, says Kasey Cross, security expert at A10 Networks.

A lot of the applications and services that used to be hosted in the data center are SaaS and cloud-based these days. The packets of traffic generated by mobile devices such as smartphones and tablets that need network access have added to the volume of traffic that must be vetted at the network edge.

Security devices that are ill-equipped to handle the volume and the somewhat unpredictable nature of the traffic can end up seriously increasing latency and degrading the performance of critical applications and services. Firewalls these days have a much bigger load to handle than before, Cross notes. So it is vital to ensure that your firewalls are up to the task.

“Consider how your policies impact performance. Make sure policies are written in such a way they don’t slow down performance,” she says.

Test the performance capabilities of your firewall when all rules are configured, not when it's in its default state.

Inspect the encrypted stuff

Make sure you can inspect all traffic, including the encrypted stuff, Cross says. A lot of the traffic entering and exiting a network uses Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption to protect data in transit. While that’s generally a good thing, the problem is that threat actors also use encryption to hide malicious activity and to conceal communications with compromised systems. By some estimates, more than one third of all traffic that hits a corporate network is encrypted. Without a way to decrypt the traffic, your firewalls are going to be blind to any attacks that a threat actor might slip in via encrypted traffic, and to any data exfiltration that might be going on the same way, she says.

While some newer firewalls are able to decrypt and inspect encrypted traffic, many cannot. If your firewalls fall into the latter category, it’s a good idea to have a way to intercept the SSL traffic before it hits your firewall, so it can be inspected before being re-encrypted and sent on to its destination.

Several vendors sell proxy servers that do the interception at a high enough speed that there is no degradation in performance. If you don’t want to, or cannot, inspect all encrypted traffic entering or exiting your network, you can instead specify the traffic you do want to look at by source or by destination.

Role-Based Access Control

Consider implementing role-based access control to regulate access to network assets and services, says James Cabe, manager of sales engineering for national partners at Fortinet. And use strong user authentication to enforce the policy, he says. The goal is to assign and authorize access to network resources based on a user’s role within the organization.

Users will have varying degrees of access based on their role and the associated requirements of that role, Cabe says. It allows administrators to permit or restrict access to network resources based on whether someone is an employee, a temporary worker or a contractor.

It’s a good idea to adopt the principle of least privilege when provisioning access to network resources, he says. This ensures that the user has the minimum access required to perform the functions of a particular role, while restricting all other access.

Role-based access offers more granular control than a group-based model, where all individuals within the same group have the same access rights. “Role-based policies travel with people,” Cabe says. “It makes sure that you have a role on the network and that it is trackable and that you have least access” for the particular role.
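To make the role model concrete, here is an added example (not from the article, Fortinet or any product) of a deny-by-default role-based policy evaluator: access is granted only after authentication and only through what a role explicitly grants, a role change reports exactly which permissions move with the person, and a review function flags people who have accumulated more than one person-type role. The role catalogue, resource names and users are constructed assumptions.

```python
"""Least-privilege, role-based access evaluator (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed role catalogue: (resource, action) pairs each role may use. Nothing else is allowed.
ROLE_PERMISSIONS = {
    "employee":   {("file-share", "read"), ("file-share", "write"), ("intranet", "read")},
    "temp":       {("intranet", "read")},
    "contractor": {("project-repo", "read"), ("project-repo", "write")},
    "netadmin":   {("firewall-mgmt", "read"), ("firewall-mgmt", "write")},
}
PERSON_TYPE_ROLES = {"employee", "temp", "contractor"}   # a person should hold exactly one of these


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    authenticated: bool = False   # set only after strong authentication has succeeded


def effective_permissions(user: User) -> set:
    """Union of what the user's roles grant; an unknown role grants nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny by default: no verified identity means no access, otherwise only what the roles grant."""
    if not user.authenticated:
        return False
    return (resource, action) in effective_permissions(user)


def change_roles(user: User, new_roles: set):
    """Move a person to a new role set; return (gained, lost) so the change is auditable."""
    before = effective_permissions(user)
    user.roles = set(new_roles)
    after = effective_permissions(user)
    return after - before, before - after


def find_role_accumulation(users):
    """Least-privilege review: users holding more than one person-type role (e.g. a contractor
    who was hired and kept the old role) get both roles' access and should be cleaned up."""
    return [u.name for u in users if len(u.roles & PERSON_TYPE_ROLES) > 1]


if __name__ == "__main__":
    alice = User("alice", {"employee"}, authenticated=True)
    print("alice write file-share:", is_allowed(alice, "file-share", "write"))
    print("alice write firewall-mgmt:", is_allowed(alice, "firewall-mgmt", "write"))
    bob = User("bob", {"contractor"}, authenticated=True)
    print("bob becomes employee, gains/loses:", change_roles(bob, {"employee"}))
```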

Block the new threats

If you are not doing full content filtering, make sure you are protected against risky low-reputation sites and recently launched ones, says Alan Toews, technical product manager at Sophos. Phishers and other threat actors often use just-registered sites to launch attacks against their targets. Often the sites are used just for the duration of a phishing campaign and then quickly abandoned. So looking for and filtering sites that have only recently been registered is a good way to mitigate the threat posed by phishing and other malware threats.

If you're not doing full content inspection, block things like Web advertisements, which are a very common threat vector, Toews says. Malvertising, the practice of threat actors using malicious ads to infiltrate computer systems, has emerged as a critical security problem on the Internet. Even so, organizations may want to make their own decisions when it comes to ad blocking, he says.

“I’m not making a blanket statement that you should block Web advertisements,” he notes. “It’s your choice to block or not block, but it’s something you might want to consider,” if not blocking entirely then at least to have some policies around them, he says.
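The three checks in this section (domain age, reputation, and an optional ad-host block) compose naturally into one URL filter. The following is an added example, not code from the article or from Sophos; the registration dates, reputation scores and host names are constructed stand-ins for a WHOIS lookup and a reputation feed, the evaluation date is pinned so the result is deterministic, and the registrable-domain helper is a deliberate simplification.

```python
"""URL filter combining domain age, reputation and ad-host checks (added example, constructed data)."""
from datetime import date
from urllib.parse import urlparse

TODAY = date(2015, 12, 29)      # pinned for a deterministic example
MIN_AGE_DAYS = 30               # policy threshold: treat younger domains as "just registered"
LOW_REPUTATION = 40             # scores below this are blocked

# Constructed data standing in for registration (WHOIS) records and a reputation feed.
REGISTRATION_DATES = {
    "corp-example.com": date(2004, 5, 12),
    "secure-login-update.com": date(2015, 12, 27),   # registered two days before TODAY
    "news-example.net": date(2010, 1, 3),
    "adserver-example.net": date(2012, 8, 1),
}
REPUTATION = {"corp-example.com": 90, "secure-login-update.com": 50,
              "news-example.net": 70, "adserver-example.net": 60}
AD_HOSTS = {"adserver-example.net"}


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels. A real deployment uses the Public Suffix List
    so that names under suffixes such as co.uk are reduced correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str, block_ads: bool = True):
    """Return ('block' | 'allow', reason). Checks run cheapest-first; unknown data is blocked."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if block_ads and domain in AD_HOSTS:
        return ("block", "advertising host")
    score = REPUTATION.get(domain)
    if score is None or score < LOW_REPUTATION:
        return ("block", "low or unknown reputation")
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return ("block", "no registration record")
    age_days = (TODAY - registered).days
    if age_days < MIN_AGE_DAYS:
        return ("block", f"domain registered {age_days} days ago")
    return ("allow", f"reputation {score}, age {age_days} days")


if __name__ == "__main__":
    for u in ["https://mail.corp-example.com/login", "http://secure-login-update.com/verify",
              "http://ads.adserver-example.net/banner", "http://unknown-host.org/"]:
        print(u, "->", classify_url(u))
```

Whether to apply the ad-host check is left as the `block_ads` parameter, mirroring the point that ad blocking is a policy decision for each organization; the age and reputation checks still apply either way.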

Review your rules

Make sure to audit and review your firewall rules periodically. You might have started with a relatively clean set of rules and strict policies for blocking things at the network edge. But over time rules have a way of becoming obsolete, redundant and conflicting, according to Cross. They also have a way of becoming a lot more permissive than the original rule set.

It is not at all unusual for firewall administrators to keep adding rules to accommodate requests from internal users whose access to legitimately needed resources is being blocked. Over time, such requests can make your rule base a lot less clean than it was when you started out, and before you know it you are allowing in traffic that you previously would have restricted.

Conflicting rules and misconfigurations are bad enough when you have just a handful of firewalls to manage. But they become a lot harder to catch in organizations that have numerous firewalls and administrators.

Generally, it is a good idea to review your rule sets every six months. Remove obsolete, unused, and expired rules, she says. When adding new rules, make sure to look at the existing rules first so the new ones don’t duplicate or conflict with something that might already be in place.
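The review the section describes (expired, unused, redundant and conflicting rules, plus the creep toward over-permissive allows) can be automated over an exported rule base. The following is an added example, not code from the article or from A10; the rule format, the sample rule set and the hit counts are constructed assumptions, and a real export would be parsed into the same `Rule` records.

```python
"""Firewall rule-base review: expired, unused, redundant, conflicting and over-permissive rules.

Added example with a constructed rule set. Rules are evaluated first-match, top to bottom.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


@dataclass
class Rule:
    rid: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # "tcp", "udp" or "any"
    ports: Tuple[int, int]       # inclusive destination port range
    hits: int = 0                # match counter from the firewall's own statistics
    expires: Optional[date] = None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (
        ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
        and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    )


def review_rules(rules: List[Rule], today: date):
    """Return (rule id, finding, related rule id or None) for every problem found."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.expires is not None and rule.expires < today:
            findings.append((rule.rid, "expired", None))
        if rule.hits == 0:
            findings.append((rule.rid, "unused", None))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # An earlier rule already decides every packet this one could match,
                # so this rule never fires: redundant if same action, a conflict otherwise.
                kind = "redundant" if earlier.action == rule.action else "shadowed-conflict"
                findings.append((rule.rid, kind, earlier.rid))
                break
    return findings


def permissive_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules with any-source or any-destination and all ports: review candidates for scope creep."""
    return [r for r in rules
            if r.action == "allow" and r.ports == ANY_PORTS and ANY_NET in (r.src, r.dst)]


# Constructed sample rule base.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8",     "10.1.1.10/32", "tcp", (443, 443), hits=5000),
    Rule("R2", "allow", "10.0.1.0/24",    "10.1.1.10/32", "tcp", (443, 443), hits=0),   # inside R1
    Rule("R3", "deny",  "10.0.2.0/24",    "10.1.1.10/32", "tcp", (443, 443), hits=0),   # R1 allows it first
    Rule("R4", "allow", "192.168.5.0/24", "10.2.0.0/16",  "tcp", (22, 22),   hits=12, expires=date(2015, 6, 30)),
    Rule("R5", "allow", ANY_NET,          ANY_NET,        "any", ANY_PORTS,  hits=99999),
]

if __name__ == "__main__":
    for finding in review_rules(RULES, date(2015, 12, 29)):
        print(finding)
    print("over-permissive:", [r.rid for r in permissive_allows(RULES)])
```

The shadowing check is the one that catches the silent failures: R3 looks like a deny but can never fire because R1 matches first, so the restriction an administrator believes is in place is not. A hit counter of zero on its own is only a hint (the rule may cover a rare but legitimate flow), which is why it is reported separately rather than treated as a reason to delete.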

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments

TorbjrnE029 (User Rank: Apprentice), 12/30/2015 6:53:40 PM
And IPv6
And what about IPv6 and logins?