III. Thou shalt have a firewall in place on thine Desktop/Laptop as well as thine internet connection.
Summary:
In conjunction with the first and second commandments, having a Firewall in place on your desktop or laptop improves your security posture as it adds another layer of protection in the fight against the evil doers. It is by no means a perfect solution on its own, as a poorly configured firewall would offer as much protection as a string vest in -30c/-22f weather conditions.
What is a Firewall though? A Firewall is a network security application or device that monitors the data flowing in and out of the network and controls this data traffic based on a predetermined set of security rules. The Firewall basically establishes a barrier between the internal network, which it secures and is considered “trusted”, and the external or other network, (e.g. the Internet) that is assumed to be insecure and “untrusted”.
Operating System provided firewalls on desktops and laptops are OK … ish, but are typically fairly open in order to enable the widest amount of applications to have unfettered access to the internet. They also aren’t great at notifying you if an application is trying to communicate in a different way (perhaps it has been compromised and is now being used to serve as part of a botnet).
A proper firewall on your internet connection is a much better solution. For home users, your Internet Service Provider (ISP) should have provided you with a router that has a built-in firewall. This would be similar to the Operating System firewall in being fairly open. If your ISP allows you to control it, then you might be able to lock it down to offer more protection. Bear in mind that you should also ensure that your router gets firmware updates as and when they are made available (see Commandment I (1)).
In a business/corporate environment a proper hardware firewall is an absolute must. Its final rule should be “Source All, Destination All, BLOCK!”. This is a catchall to prevent some simple oversight exposing your network. Above that catchall, the rules should enable the bare minimum of internet access for what your company needs and these should be audited on a regular (monthly or quarterly) basis to ensure they are still appropriate. Finally, as per Commandment I (1), it should have its firmware updated as and when.
That’s all there is to it. I will continue below with some details on the subject of firewalls. So if you are not interested in such particulars, just make sure you have a firewall on your desktop/laptop and internet connection.
Detail:
Personal Firewalls:
I have a separate firewall application running on my Windows machines, and it is configured to notify me and seek permission every time a new application requests access to both the internet and my local “trusted” network. Also if an application is “updated” it needs to get permission all over again. Sure, this means I get bugged for permissions on a regular basis, but it has actually stopped me from being affected by malware on a couple of occasions. So I think the small bit of aggravation is worth it. I’m not paranoid. They are all out to get me. J
This separate firewall also logs any activity that it has blocked, which is useful to know if you are getting probed or attacked.
Network Connection Firewalls:
Rather than saying Internet Connection Firewalls, I deliberately use “Network Connection Firewalls”. For a business/corporate environment, if you have more than one site connected in a Wide Area Network (WAN), each location should be firewalled from each other. This gives you protection should one site get compromised, it can be disconnected from the rest of the WAN. Even if you are a single site, then a firewall on your internet connection is still essential.
This firewall is usually a separate piece of hardware that sits between your external connection and your internal network. In some situations you may have a couple of firewalls, one sitting at the external connection protecting a webserver and a second sitting between the webserver and the internal network. The webserver in this case is said to be sitting in a DMZ (De-Militarised Zone). The outer Firewall enables internet access into the webserver and the inner Firewall protects the internal network from the internet.
As mentioned earlier, firewalls need to be configured appropriately. I came across my first firewall in 1997 and the engineer setting it up told me that the most important rule was “Source All, Destination All, BLOCK!”. This was to be the final rule in the list of rules. Then it was a case of setting rules to enable the business and applications that were used to be able to access what they needed, and nothing more. This is a case of providing least privileges. If somebody wanted more, they needed to request it and explain why they needed it.
As time goes by, applications change, people change and companies change. Therefore it is fair to say that firewalls need to change. The rules should be audited on a regular basis to ensure they reflect the current situation. If an application has been retired and it had a specific firewall rule, you need to disable or delete the rule. You don’t want a hacker “pretending” he is that application and walking back and forth through your firewall, with all of your private data and you know nothing about it, now do you?
Using Firewall logs:
It is all well and good having a firewall in place, but it also needs to be monitored to make sure it is doing its job. A good firewall should be logging events and errors and these logs should be monitored by somebody or something. That something could be a Security Information and Event Management (SIEM) application, which will alert on certain conditions (firewall is being probed repeatedly, authorisation failures, etc.). This might be beyond the reach of a very small business, but if you need to comply with some standards (e.g. PCI DSS, HIPAA, etc.), then it will probably be required to have one.
Next Generation Firewalls:
Standard firewalls are good at blocking specific IP addresses and Ports on the internet, but as time has moved on, a lot of the applications in use are now going across the firewall as normal web traffic (over ports 80, 8080 and 443), so if a piece of malware is transmitting your secrets over that channel, your standard firewall may not be able to block it.
So Next Generation Firewalls (NGFW) have come along which, along with blocking IP address and ports, can also use an application white-list that only allows specific applications to get out to the internet – e.g.- Salesforce.com – OK you may pass, NastyMalware.ru – I don’t know you, so you may not pass. NGFWs can also have an Anti-Virus type scanning ability, which is updated on a regular basis. Finally they can typically inspect encrypted traffic to ensure nothing nefarious is coming through in a scrambled fashion. Different NGFW vendors offer different capabilities, so it is worth comparing a few of them to make sure you get the protection you need.
Intrusion Detection/Prevention Systems:
Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) are used in conjunction with Firewalls to add another layer of protection. I will discuss these in a future article.
Conclusion:
If you have any comments, suggestions or questions on the above, please leave a comment below.
Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed, if so please let me know and I will do a follow up after I have completed the run through.