Firewalls have been protecting networks for decades, and many of us can’t remember life before them. But they aren’t your only friends, and these days just having a firewall isn’t enough to keep the bad guys from penetrating your network. While they are a good first step, you need to start thinking beyond firewalls to keep your infrastructure secure.
What is really required is to move away from the notion of “we need to build a wall” to “we need to understand what is going on across our network.” It is a very different mindset, and requires an IT department to think differently about how to implement their network security and operations.
The first step is in understanding what is going on across your application layers. To do this properly, you need to discover what applications are running across your enterprise. Some of the more modern firewalls are attempting to collect this information; they often rely on the IT department to understand their app portfolios up front to be effective. For example, they offer very granular app-level control, such as the ability to block a Facebook wall post but allow users to read their Facebook accounts. Many products (such as Palo Alto Networks) have extensive applications databases that they can draw on to model particular behaviors so that network administrators can craft very fine-grained access policies.
But most firewalls are too steeped in the ports and protocols approach to be truly effective, and many require that IT operations keep up with network documentation and have a deep knowledge about the interaction of their firewall rule sets. Tools like Veracode that specialize in the app-layer defense don’t assume this knowledge, and also make it easier to set up app-specific security policies.
Once you have this understanding, you can better design your app-layer network protection. Firewalls were designed to handle network-events, such as finding and blocking botnets and remote access exploits. Why can’t firewalls handle app-level situations? Well, some can, but only with some significant effort at configuring and monitoring them. Specialized app-layer tools are better at finding vulnerabilities and inspecting traffic that is moving across the application layers. You especially want app-layer protection if you have web-based or cloud-based applications.
Next, you need to think differently about your endpoint protection too.
We all know that the days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of the potential infections that are available to today’s cyber-criminals and attackers. Today there are numerous specialized endpoint detection and response (EDR) products that can dive deeper and understand the progress of any infection that happens. The best products are both hunting down particular exploits as well as gathering information about what is happening and tie into existing security news feeds as well. Many offer real-time analysis and other insights.
When you start looking at your endpoints holistically in this fashion, you will find there are plenty of endpoints that aren’t traditional end-user devices. Most modern networks have plenty of embedded devices that are connected to their networks, such as network-based printers and cameras, environmental monitoring devices, and specialized industrial equipment. Remember the Target HVAC exploit? That was just the tip of numerous such attacks.
Even if these systems aren’t connected to the network directly, they do have the means to be infected by a network-based computer, as the Iranian nuclear plant at Natanz found out years ago with the Stuxnet virus. Again, this is an area where traditional firewalls fall down: a potential threat from a print server could be buried in a firewall log. There are better ways to avoid this issue, such as by changing the default management ports and authentication credentials, keeping up with firmware updates, putting all embedded devices on their own VLAN and clearing their buffers and histories often.
Part of the tools for these EDR products includes being able to block insider threats. These threats are becoming more common, and one of the reasons why traditional firewall and anti-virus protection has failed is because attackers can gain access to your internal network and do damage from a formerly trusted endpoint. Many firewall administrators are used to blocking incoming traffic and have focused their attention in the past to this arena. But traffic that originates from an insider who has been compromised is a problem too. To block this kind of behavior, today’s tools need to map the internal or lateral network movements so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.
As you can see, building up walls are a good first approach but not the only mechanism for defining your network, your applications, and your endpoints. You need a combination of several protective devices that can work together to secure your enterprise and gain visibility into all of your vulnerable places.
This month the updated Windows 10 Anniversary Edition is now available for download. (Here is a 
In this, the first of a two part series, I talk about why you want a BYOD program at your company.
The idea isn’t new: the sci-fi series “Ender’s Game” by Orson Scott Card and the movie “The Last Starfighter” both have had a similar plot line — and both are from decades ago. In the real world, the modification of the game Doom by the US Marines has been out for decades as well. When it was first developed in the early 1990s, it cost about $25,000 and took about six months to develop. It proved to be so popular with the soldiers that they would queue up in the evenings to get a chance to play. Since then, the US Army released its own game, called America’s Army, that was designed as a recruitment and public relations tool but migrated into helping new enlistees learn about the state of weaponry and tactics that they would be learning in basic training exercises.
Speaking of Safe Harbor, and by that I mean the EU’s prior privacy regulations that were struck down some time ago, there is now a replacement called Privacy Shield. I link to the new regulations, along with some insightful commentary at Ars Technica (for the non-lawyers) and at SociallyAwareBlog (for those that want more or who are lawyers themselves).
As more of our users start literally wearing their own gear to work, the number of threats from these devices, such as Fitbits and Apple Watches, increases. After all, they are just another remote wireless computer that can be compromised to gain access to your enterprise network. I talk about the potential threats and ways to mitigate them, along with other factors. You can