What makes a strong firewall?
Organisations often rely on multiple layers of physical security, from state-of-the-art CCTV and employee access cards to security guards. While not as immediately visible, digital security should be treated in the same manner for maximum all-round protection. In terms of digital security, firewalls are network security systems which are often considered the first line of defence for any infrastructure.
What is a firewall?
Firewalls are available in two forms: software firewalls and hardware firewalls. Software firewalls are installed on an individual computer, protecting it from external threats as well as preventing unsafe applications from running. Hardware firewalls protect every machine on a local network, acting as a protective bridge to the wider external network. Hardware firewalls filter and restrict incoming traffic against either pre-defined or user-created rules to establish whether the data packet should be discarded or not.
Impact of not having a firewall
The potential impact of working without a firewall can be extremely damaging to an organisation, even if machines only connect to a local network. Without a firewall, data packets can enter and exit the network freely, without any kind of monitoring or checking. This means that any kind of traffic, malicious data and malware can enter and spread across the entire network of computers.
Basic firewalls which come pre-installed in software only monitor incoming traffic by default. A good firewall should monitor traffic in both directions, keeping organisational data secure and preventing unauthorised access to the network. Restricting potentially hostile traffic and connections to the internet is the main function of host-based corporate firewalls. More advanced firewalls additionally keep an updated list of known vulnerable or malicious software, blocking access before a connection is made.
An intrusion protection system (IPS) is another valuable addition to network security. This system performs additional, highly detailed inspections of network traffic, preventing malicious activity reaching its target.
Once a network has been identified as vulnerable, it is likely to be overwhelmed by multiple attacks which can cause havoc not only for the network but also for business operations. The knock-on effects of a cyber security attack include:
- Financial loss and fines
- Theft of data (customer, company, financial, IP)
- Reputational damage
- Operational disruption
- Below the surface costs (increased insurance premiums)
A firewall is excellent at protecting the network from malicious traffic and unauthorised access; however, it cannot detect malware already on a system. As a result, it should be supported with anti-malware software as part of proactive protection against attacks.
Additional advanced solutions include sandboxing, which creates a safe, isolated environment in which to execute suspicious programmes. As the sandbox imitates an existing system, it enables an administrator to see how the programme interacts with the system and whether it has malicious intent.
Firewall Best Practices
While every organisation and its network are different, there are some key firewall best practices that should be employed in the majority of circumstances:
- Ensure the firewall is installed and turned on, preferably with an additional IPS and sandboxing solution.
- When first establishing a firewall, operate a ‘deny-all’ rule and then add exceptions as required, avoiding ‘any’ and ‘allow’ rules.
- Reduce the potential attack surface by regularly reviewing and revisiting any ports which are open and ensuring that any unused open ports are closed.
- Protect and secure open ports with a suitable IPS, monitoring any potential malicious activity.
- Create a change management and approval process for any proposed firewall changes, with an additional alert to administrators for any firewall changes.
- Utilise a virtual private network (VPN) when accessing the internal network using an external internet connection.
- Employ sandboxing in situations where applications are commonly being installed from a variety of suppliers. Sandboxing can also be used to monitor any suspicious web downloads or email attachments, verifying their intention before they reach the network.
- Once an infection is detected, automatically isolate infected systems to prevent it spreading across the network.
Poor Firewall Password Management
40% of IT security professionals said they don’t employ the basic best practice of changing a default admin password. (Source)
The majority of firewall installations are shipped using a default username and password, which can be as generic as ‘Username: admin’ and ‘Password: admin’. Changing the password to a strong alternative as soon as possible is recommended, and will help prevent unauthorised persons or software from accessing the router and changing or viewing settings.
Administration interfaces are, by default, only accessible from the local internal network. Additional security measures include restricting access to a defined list of users and specific IP addresses, further preventing unauthorised access to the router’s admin interface.
According to Forrester (reported on TechRepublic), 80% of all breaches involve poor password management of privileged credentials. Secure systems with a password policy by following our best practices below.
Password Management Best Practices
- Change default passwords and limit full admin access to a defined list of approved individuals
- Use strong passwords, even on web applications which are protected by a firewall
- Ensure that all passwords are changed regularly, every 90 days as a minimum
- Always change passwords after a suspected breach or once a suspected vulnerability is uncovered in an installed application
- Enact two-factor authentication where possible
- Apply password policy rules to your organisation which include minimum complexity requirements. E.g. passwords must:
  - Have at least eight characters.
  - Contain a combination of different character types such as upper and lowercase letters, numbers and special characters.
  - Not use easily guessed words, such as the user’s name or company name.
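The three complexity rules above can be enforced at the point where a password is set. The following is an added example, not code from this article; reading "a combination of different character types" as at least three of four classes, the look-alike substitution table and the sample passwords in the test data are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8
# Assumption: "a combination of character types" means at least 3 of the 4 classes.
MIN_CLASSES = 3
# Assumed look-alike substitutions, undone before the guessable-word check
# so that "Acm3" is still recognised as "Acme".
LOOKALIKES = str.maketrans("01345$@7", "oieassat")

def char_classes(password):
    """Count how many of lower, upper, digit and special characters appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])

def violations(password, guessable_words):
    """Return the policy rules the password breaks (empty list = compliant).

    guessable_words holds values such as the user's name and the company name.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if char_classes(password) < MIN_CLASSES:
        problems.append("too few character types")
    plain = password.lower()
    normalised = plain.translate(LOOKALIKES)
    for word in guessable_words:
        w = word.lower()
        # Very short words are skipped to avoid matching by accident.
        if len(w) >= 3 and (w in plain or w in normalised):
            problems.append(f"contains easily guessed word '{word}'")
    return problems

if __name__ == "__main__":
    # Constructed sample: company name hidden behind a digit substitution.
    print(violations("Acm3Corp!2024", ["Acme", "jsmith"]))
```

The second call pattern to note is the default credential from the previous section: `violations("admin", ["admin"])` fails all three rules at once.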
Managing and Documenting Allowed Ports and Services
Installed firewalls can only be effective if they are correctly configured and regularly updated. All open connections in a firewall should be authorised and documented to help prevent unauthorised activity. Outdated and unnecessary open ports are one of the most overlooked areas of infrastructure security, and yet the firewall is the first line of defence against unauthorised or damaging activity on a network.
Firewalls work by inspecting and filtering out incoming data and traffic based upon a given set of rules. If the rules are too restrictive, too lax or outdated, the strength and accuracy of the firewall will be compromised. Additionally, if the documentation behind the firewall changes is not kept up to date, potentially vulnerable open ports could provide an easy way in for an enterprising cybercriminal.
The opening of ports and allowing of software installations can represent a significant risk to your internal network if the process is not managed and documented correctly. We recommend conducting a regular review of any existing open ports within a firewall, particularly when considering the opening of additional ports.
A port should only be opened if there is a specific business need for the software or application being installed. As business requirements change and are updated, so should the need for the open port. In line with your security policy, only an approved administrator should be able to configure exceptions to the firewall, providing thorough documentation to allow for a continuous monitoring and review process.
Default Blocking of Vulnerable Services
There are multiple services and third-party applications available to both consumers and organisations which aim to increase access, support ease of use or perform a desired functionality. However, due to their increasing complexity, design and implementation flaws are more likely to occur, leaving organisations with vulnerabilities on their network. Software which has been identified as fundamentally flawed and vulnerable to attack should be blocked by default, preventing its exploitation on the network.
There are thousands of software vulnerabilities discovered and reported every year, with varying degrees of severity. Older versions of well-known software such as Windows, if not updated with the regularly released patches, can open an organisation up to a cyber-attack.
- WannaCry ransomware attack – Known as one of the most devastating ransomware attacks in history, this exploit affected banks, hospitals and other infrastructures which had failed to update their Microsoft Windows software. While patches had been released by Microsoft, many organisations, like the NHS, had not updated their systems, leaving their network open to attack. This essentially unsophisticated exploit highlighted the importance of patch management and of updating firewalls to deny by default access to software with known vulnerabilities.
- NotPetya ransomware attack – Infecting hundreds of thousands of computers globally, this attack utilised the same software vulnerability as WannaCry.
- Locky – This evolving and aggressive ransomware and malware attack has multiple different strains including Diablo and Lukitus. All versions use a phishing email attack to initiate the exploit.
- Meltdown – This hardware vulnerability affects Intel processors. This firmware-level flaw can enable hackers to gain super-admin access to run malicious code remotely, including spyware or rootkits. The potential impact extends beyond desktops/laptops into cloud and virtual environments used in data centres. While there is no evidence that these vulnerabilities have been exploited, the sheer volume of computer chips affected and the critical nature of the flaw have led to researchers calling this flaw catastrophic. Patches have been released for the majority of applications and programmes; however, they have been reported to slow down computing systems as a result.
- Spectre – Similar to Meltdown, Spectre affects multiple different processors from Intel, AMD and ARM. Spectre exploits the vulnerability of the processor to allow unauthorised access to sensitive information, such as passwords and login keys, which is stored in the memory or cached files of running programmes.
Auditing Firewall Access
Firewalls have long been considered a cost-effective way to protect vulnerable PCs, servers and infrastructure from external attacks. Unfortunately, the strength and accuracy of a firewall is only as strong as the rules it is governed by. Organisations can become overwhelmed with open ports which were needed at one point in time, but now have no business need.
Unused rules within a firewall can significantly degrade performance as well as introduce risk into the environment. By allowing protocols or networks access into your enterprise that are not needed, you are introducing additional attack vectors into your infrastructure.
Firewall Default Deny
A firewall is a security device and is designed to protect digital assets. The default position when configuring the firewall should therefore be to deny traffic. Don’t think of the firewall as the device that permits all traffic through, except for the things organisations want to block. Instead, think of a firewall as the device that blocks all traffic, except for those selected for entry. Lots of attacks target unused and strange ports on a firewall. If those ports are shut down by default, the attack surface is dramatically reduced.
If a computer does not require internet access to perform its duties, then by default, it should not have internet access.
The trust level determines the default level of access that devices on the network have to a computer. Any device on a network that is not explicitly Trusted or Restricted uses the trust level of the network. The initial network trust level is set based on the configuration of the computer.
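The review points made in the sections above (end in a default deny, avoid ‘any’ allow rules, document a business need and approver for every open port, block vulnerable services by default) can be checked mechanically against an exported rule list. The following is an added example, not code from this article; the `Rule` record, the port-to-service table and the sample rule set are assumptions constructed for illustration, and TCP/UDP is not distinguished.

```python
from dataclasses import dataclass

# Well-known ports for the services this article's checklist names
# (assumed mapping; TCP/UDP is not distinguished here).
VULNERABLE_PORTS = {
    23: "Telnet", 69: "TFTP", 111: "RPC", 135: "RPC", 137: "NetBIOS",
    138: "NetBIOS", 139: "NetBIOS", 445: "SMB", 512: "rexec",
    513: "rlogin", 514: "rsh",
}
ANY3 = ("any", "any", "any")

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule record
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    port: object                 # int or "any"
    justification: str = ""      # documented business need
    approved_by: str = ""        # authorised approver

def audit(rules):
    """Return (rule_index, finding) pairs; index -1 refers to the whole rule set."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.port) == ANY3:
            findings.append((i, "any-to-any allow rule"))
        elif r.port == "any":
            findings.append((i, "allow rule opens every port"))
        if not (r.justification and r.approved_by):
            findings.append((i, "no documented business need or approver"))
        if r.port in VULNERABLE_PORTS and not r.justification:
            findings.append((i, f"{VULNERABLE_PORTS[r.port]} allowed with no justification"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and (last.src, last.dst, last.port) == ANY3):
        findings.append((-1, "rule set does not end in a default deny"))
    return findings

# Constructed sample rule set (not taken from any real device).
SAMPLE = [
    Rule("allow", "any", "10.0.0.10/32", 443, "Public web shop", "j.smith"),
    Rule("allow", "any", "10.0.0.20/32", 445),   # SMB, undocumented
    Rule("allow", "10.0.0.0/24", "any", "any", "Legacy app", "j.smith"),
    Rule("allow", "any", "any", "any"),          # catch-all left behind
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print("rule set" if idx < 0 else f"rule {idx}", "-", msg)
```

Run on a schedule against the live export, a non-empty result gives the regular rule review a concrete list to work through.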
Unsure whether your firewall is up to scratch?
Take a look at the questions below and see how well your organisation scores.
- Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)?
- Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative, difficult-to-guess password?
- Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)?
- Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification?
- Have firewall rules that are no longer required been removed or disabled?
- Are firewall rules subject to regular review?
- Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)?
- Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet?
If you answered ‘no’ to any of the above questions, you may require a security assessment to establish baseline security levels. Contact our team for more information.