Veracode blog: Why firewalls aren’t your only friend

Firewalls have been protecting networks for decades, and many of us can’t remember life before them. But they aren’t your only friends, and these days just having a firewall isn’t enough to keep the bad guys from penetrating your network. While they are a good first step, you need to start thinking beyond firewalls to keep your infrastructure secure.

What is really required is to move away from the notion of “we need to build a wall” to “we need to understand what is going on across our network.” It is a very different mindset, and requires an IT department to think differently about how to implement their network security and operations.

The first step is in understanding what is going on across your application layers. To do this properly, you need to discover what applications are running across your enterprise. Some of the more modern firewalls are attempting to collect this information; they often rely on the IT department to understand their app portfolios up front to be effective. For example, they offer very granular app-level control, such as the ability to block a Facebook wall post but allow users to read their Facebook accounts. Many products (such as Palo Alto Networks) have extensive applications databases that they can draw on to model particular behaviors so that network administrators can craft very fine-grained access policies.

But most firewalls are too steeped in the ports and protocols approach to be truly effective, and many require that IT operations keep up with network documentation and have a deep knowledge about the interaction of their firewall rule sets. Tools like Veracode that specialize in the app-layer defense don’t assume this knowledge, and also make it easier to set up app-specific security policies.

Once you have this understanding, you can better design your app-layer network protection. Firewalls were designed to handle network-events, such as finding and blocking botnets and remote access exploits. Why can’t firewalls handle app-level situations? Well, some can, but only with some significant effort at configuring and monitoring them. Specialized app-layer tools are better at finding vulnerabilities and inspecting traffic that is moving across the application layers. You especially want app-layer protection if you have web-based or cloud-based applications.

Next, you need to think differently about your endpoint protection too.

We all know that the days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of the potential infections that are available to today’s cyber-criminals and attackers. Today there are numerous specialized endpoint detection and response (EDR) products that can dive deeper and understand the progress of any infection that happens. The best products are both hunting down particular exploits as well as gathering information about what is happening and tie into existing security news feeds as well. Many offer real-time analysis and other insights.

When you start looking at your endpoints holistically in this fashion, you will find there are plenty of endpoints that aren’t traditional end-user devices. Most modern networks have plenty of embedded devices that are connected to their networks, such as network-based printers and cameras, environmental monitoring devices, and specialized industrial equipment. Remember the Target HVAC exploit? That was just the tip of numerous such attacks.

Even if these systems aren’t connected to the network directly, they do have the means to be infected by a network-based computer, as the Iranian nuclear plant at Natanz found out years ago with the Stuxnet virus. Again, this is an area where traditional firewalls fall down: a potential threat from a print server could be buried in a firewall log. There are better ways to avoid this issue, such as by changing the default management ports and authentication credentials, keeping up with firmware updates, putting all embedded devices on their own VLAN and clearing their buffers and histories often.

Part of the tools for these EDR products includes being able to block insider threats. These threats are becoming more common, and one of the reasons why traditional firewall and anti-virus protection has failed is because attackers can gain access to your internal network and do damage from a formerly trusted endpoint. Many firewall administrators are used to blocking incoming traffic and have focused their attention in the past to this arena. But traffic that originates from an insider who has been compromised is a problem too. To block this kind of behavior, today’s tools need to map the internal or lateral network movements so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.

As you can see, building up walls are a good first approach but not the only mechanism for defining your network, your applications, and your endpoints. You need a combination of several protective devices that can work together to secure your enterprise and gain visibility into all of your vulnerable places.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.