Dark Reading is part of the Informa Tech Division of Informa PLC
5 Tips For Getting The Most Out Of Your Firewall

Despite concerns over the effectiveness of perimeter technologies, firewalls remain a staple in the enterprise security arsenal.

Firewalls have been an integral part of the enterprise security portfolio almost from the time organizations first began putting up controls to protect network resources. Despite growing questions about how effective they really are in blocking advanced persistent threats and other emerging attack methods, many organizations still consider firewall technologies to be the most effective first line of defense against intruders.

Increasingly though, the effort is to make the firewall part of a broader multi-layered perimeter defense that includes technologies like sandboxing, security information and event management tools, and log event coordination systems.

Here are some key ways to get the most out of your firewall technologies amid today's rapidly changing threat environment:

Performance-test your firewalls

Don’t judge your firewall just by how it performs in its default state, says Kasey Cross, security expert at A10 Networks.

A lot of the applications and services that used to be hosted in the data center are SaaS and cloud-based these days. The packets of traffic generated by mobile devices such as smartphones and tablets that need network access have added to the volume of traffic that must be vetted at the network edge.

Security devices that are ill-equipped to handle the volume and the somewhat unpredictable nature of the traffic can end up seriously increasing latency and degrading the performance of critical applications and services. Firewalls these days have a much bigger load to handle than before, Cross notes. So it is vital to ensure that your firewalls are up to the task.

“Consider how your policies impact performance. Make sure policies are written in such a way they don’t slow down performance,” she says.

Test the performance capabilities of your firewall when all rules are configured, not when it's in its default state.

Inspect the encrypted stuff

Make sure you can inspect all traffic, including the encrypted stuff, Cross says. A lot of the traffic entering and exiting a network uses Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption to protect data in transit. While that’s generally a good thing, the problem is that threat actors also use encryption to hide malicious activity and to conceal communications with compromised systems. By some estimates, more than one third of all traffic that hits a corporate network is encrypted. Without a way to decrypt the traffic, your firewalls are going to be blind to any attacks that a threat actor might slip in via encrypted traffic, and equally blind to any data extraction that might be going out the same way, she says.

While some newer firewalls are able to decrypt and inspect encrypted traffic, many do not. If your firewalls fall into the latter category, it’s a good idea to have a way to intercept the SSL traffic before it hits your firewall so it can be inspected before being re-encrypted and sent to its destination.

Several vendors sell proxy servers that do the interception at a high enough speed that there is no degradation in performance. If you don’t want to, or cannot, inspect all encrypted traffic that is entering or exiting your network, you can instead specify the traffic you do want to look at by source or by destination.

Role-Based Access Control

Consider implementing role-based access control to regulate access to network assets and services, says James Cabe, manager of sales engineering for national partners at Fortinet. And use strong user authentication to enforce the policy, he says. The goal is to assign and authorize access to network resources based on a user’s role within the organization.

Users will have varying degrees of access based on their role and the associated requirements of that role, Cabe says. It allows administrators to permit or restrict access to network resources based on whether someone is an employee, a temporary worker or a contractor.

It’s a good idea to try to adopt the principle of least privilege when provisioning access to network resources, he says. This ensures that the user has the minimum access required to perform the functions of a particular role, while restricting all other access.

Role-based access offers more granular control than a group-based model where all individuals within the same group have the same access rights. “Role-based policies travel with people,” Cabe says. “It makes sure that you have a role on the network and that it is trackable and that you have least access” for the particular role.

Block the new threats

If you are not doing full content filtering, make sure you are protected against risky, low-reputation sites and recently launched ones, says Alan Toews, technical product manager at Sophos. Phishers and other threat actors often use just-registered sites to launch attacks against their targets. Often the sites are used just for the duration of a phishing campaign and then quickly abandoned. So looking for and filtering sites that have only been recently registered is a good way to mitigate the threat posed by phishing and other malware threats.

If you're not doing full content inspection, block things like Web advertisements, which are a very common threat vector, Toews says. Malvertising, the practice of using malicious ads to infiltrate computer systems, has emerged as a critical security problem on the Internet. Even so, organizations may want to make their own decisions when it comes to ad blocking, he says.

“I’m not making a blanket statement that you should block Web advertisements,” he notes. “It’s your choice to block or not block, but it’s something you might want to consider,” if not blocking entirely then at least to have some policies around them, he says.

Review your rules

Make sure to audit and review your firewall rules periodically. You might have started with a relatively clean set of rules and strict policies for blocking things at the network edge. But over time rules have a way of becoming obsolete, redundant and conflicting, according to Cross. They also have a way of becoming a lot more permissive than the original rule set.

It is not unusual at all for firewall administrators to start adding rules to accommodate requests from internal users about rules that might be preventing access to resources they legitimately need. Over time, such requests can make your rule base a lot less clean than it was when you started out, and before you know it you are allowing in traffic that you previously would have restricted.

Conflicting rules and misconfigurations are bad enough when you have just a handful of firewalls to manage. But they become a lot harder to catch in organizations that have numerous firewalls and administrators.

Generally, it is a good idea to review your rule sets every six months. Remove obsolete, unused, and expired rules, she says. When adding new rules, make sure to look at existing rules first so they don’t duplicate or conflict with something that might already be in place.
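To make "obsolete, redundant and conflicting" concrete, here is an added Python example (not from the article or from any vendor quoted in it) that audits a small, constructed rule base under first-match semantics and flags rules that are expired, fully duplicated by an earlier rule with the same action, or shadowed by an earlier rule with the opposite action. The Rule fields, the rule names and the review date are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # (low, high) destination port range; (0, 65535) means any
    expires: Optional[date] = None  # None means the rule has no expiry

def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a (IPv4 sample only)."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def audit(rules, today: date):
    """Return (rule_name, problem, related_rule_name) findings.
    First-match semantics assumed: rule i is evaluated before rule j when i < j."""
    findings = []
    for j, later in enumerate(rules):
        if later.expires is not None and later.expires < today:
            findings.append((later.name, "expired", None))
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that actually decides
    return findings

# Constructed sample rule base using documentation address ranges (not from the article)
SAMPLE_RULES = [
    Rule("deny-bad-net", "deny", "203.0.113.0/24", "0.0.0.0/0", "any", (0, 65535)),
    Rule("allow-web", "allow", "0.0.0.0/0", "198.51.100.10/32", "tcp", (443, 443)),
    Rule("allow-web-dup", "allow", "0.0.0.0/0", "198.51.100.10/32", "tcp", (443, 443)),
    Rule("allow-bad-host", "allow", "203.0.113.7/32", "198.51.100.10/32", "tcp", (22, 22)),
    Rule("vendor-temp", "allow", "192.0.2.0/24", "198.51.100.0/24", "tcp", (3389, 3389), date(2015, 6, 30)),
]
REVIEW_DATE = date(2015, 12, 30)  # assumed date of the semi-annual review

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, REVIEW_DATE):
        print(finding)
```

The "shadowed" finding is the conflicting case the text warns about: the later allow rule can never match, and whoever added it may believe it is in effect.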

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
12/30/2015 | 6:53:40 PM
And IPv6
And what about IPv6 and logins?