Ok, let’s face it. The Internet is game to all sorts of intruders. I told my wife I found a Trojan Horse on her laptop and her response was, “What’s that?”
Clearly, protecting your data from being compromised can be a daunting task. What firewall should you incorporate? Are software or hardware firewalls better? What exactly is packet filtering and why is it important? And how do I analyze my firewall logs? Is this something better left to professionals?
Your primary consideration is the worth of your data. If you lost it or it was compromised this minute, could you survive as a business entity?
Let’s say you’ve done due diligence and installed a high end firewall appliance. Is anyone on your staff certified to analyze that firewall’s logs? If not, do you outsource those logs? Are you provided analysis and recommendations? Are security risks shored up? Are you compliant?
I’m constantly reading threads in forums of compromised data, and OPs pleading for assistance after the fact. I was at a physician’s office a while back checking the security of her Wi-Fi network, and while she was protected, at least a dozen other unprotected networks popped up. She had no clue she could compromise their networks as that was never her intention, but certainly it is the intention of (apparently) thousands of unscrupulous hacks on the Internet.
Fortunately, there are firms that you can turn to that make it their business to protect your business.
For any organization that conducts business over the Internet, it’s a vital first line of defense that:
protects your information and systems from compromise
helps ensure secure, ongoing communications between your Web site and customers
reduces the costs and disruption of intrusion-initiated downtime
extends your in-house capabilities
CLI versus GUI interfaces
What are some types of command line interfaces (CLI) for managing firewalls? The Cisco PIX and Linux IPTables are popular examples. GUI-based interfaces are more intuitive to the end user, so are presumably easier to use. Both kinds are designed to keep the malicious stuff out while providing an enhanced, more secure online experience.
Custom operating versus open source systems
Systems like the Cisco PIX run on a custom operating system whose source code is not available and which is updated via patches or new releases. Then there are open source systems, which include Linux, OpenBSD and Solaris 10. Open source systems typically require more effort to maintain and to secure your data, but patches to shore up vulnerabilities may get released faster. Closed source systems, properly configured and maintained by the user, eliminate many of the variables inherent in general-purpose operating systems, making them easier for the less experienced user to maintain.
Are you up to managing your own firewall with a CLI (Command Line Interface)?
Most firewalls require you to perform the initial configuration (things like your IP address, netmask, default gateway and possibly an administrative password) in the CLI first, even when you will use a GUI afterwards. CLIs require knowledge of the command set of your firewall appliance. For example, to configure Linux’s Netfilter, you have to use the IPTables CLI to set up rules for Secure Shell (SSH), email and web traffic. What ports do you allow and which do you deny?
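To make the "which ports do you allow" question concrete, here is an added example (not from the original article) of a minimal default-deny IPTables ruleset for a host that offers SSH, email and web service; the interface name, the admin network and the log prefix are assumed placeholders.

```shell
#!/bin/sh
# Added example: default-deny IPTables ruleset for SSH, SMTP and HTTP/HTTPS.
# Assumptions: iptables with the conntrack, limit and LOG extensions is present;
# WAN_IF, ADMIN_NET and the "FW-DROP: " prefix are placeholders, not real values.
WAN_IF="${WAN_IF:-eth0}"                 # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed admin network (RFC 5737 range)
IPT="${IPT:-iptables}"

# Print the rule commands rather than running them, so the policy can be reviewed.
firewall_rules() {
    cat <<EOF
$IPT -F
$IPT -X
# Default deny: anything not explicitly allowed below is dropped.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Loopback and replies to connections the host itself opened.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH (management access) only from the admin network.
$IPT -A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
# Email (SMTP) and web (HTTP, HTTPS) from anywhere.
$IPT -A INPUT -i $WAN_IF -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
# Log (rate-limited) what the default policy is about to drop, then drop it.
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
$IPT -A INPUT -j DROP
EOF
}

# Self-check: how many ACCEPT rules open a given TCP port (0 for anything denied).
accept_rules_for_port() {
    firewall_rules | grep -c -- "--dport $1 .*-j ACCEPT" || true
}

# Apply the ruleset (needs root) only when explicitly asked; otherwise just print it.
if [ "${1:-}" = "--apply" ]; then
    firewall_rules | sh
else
    firewall_rules
fi
```

Run it without arguments to review the generated commands; `--apply` pipes them into a root shell.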
GUIs
There are GUIs for Linux’s IPTables firewall software. Some are web based (such as Webmin), and some are applications running on the Linux system itself (such as Firestarter). Firestarter provides a simple, easy-to-use interface for IPTables. Webmin provides a method by which the firewall can be managed through a web browser interface.
One significant benefit of a CLI over a GUI is that the CLI is available through Telnet and SSH sessions as well as when connected directly to the serial port. This becomes important when considering how access to the firewall management interface will be controlled.
Management Access
Network devices such as firewalls, switches, routers and intrusion detection sensors should only be accessed by trusted users who need to administer them. Unauthorized users, whether someone with malicious intent or not, may change the configuration or disable the device and thus compromise the security of your entire network and data.
Additional considerations must be made regarding how the firewall is accessed: Telnet, SSH, SNMP, FTP, TFTP, HTTP/HTTPS, or some proprietary management protocol.
HTTP versus HTTPS
HTTP is an unencrypted protocol that allows hackers to view communication between the client and the server. Although intruders may not necessarily be able to capture the password to your web server, they may be able to capture other information such as configuration information or possibly a valid cookie that would then allow the attacker to impersonate a legitimate user and gain access to the firewall’s administrative interface.
HTTPS uses Secure Sockets Layer (SSL) encryption technology to encrypt communication between the client and the firewall web server. This makes it impossible for an attacker to eavesdrop on a management session or intercept any information that could be used to gain access to your firewall.
Analyzing Logs
Logging is also essential for maintaining and administering a firewall. Logging enables an administrator to see all traffic blocked by the firewall as well as troubleshoot the firewall configuration when a particular function, such as Network Address Translation (NAT), is not working as expected.
No matter how the firewall logs information, it is critical that the logged information be reviewed by an administrator or outsourced professional. You cannot set up a firewall appliance and walk away from it thinking your data will remain secure forever.
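As an added example (not part of the original article) of what a first-pass review of firewall logs looks like, the script below summarises IPTables LOG entries by source address and probed port; the log lines are constructed samples, and the "FW-DROP: " prefix is an assumed --log-prefix rather than a standard value.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines with awk and sort.
# SAMPLE_LOG is constructed test data in the usual kernel LOG format; the
# "FW-DROP: " prefix is an assumed --log-prefix value. Addresses are RFC 5737.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40111 DPT=23 FLAGS=SYN
Mar  3 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=3389 FLAGS=SYN
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:01:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=135 FLAGS=SYN
Mar  3 10:02:00 fw sshd[811]: Accepted publickey for admin from 192.0.2.20 port 51022'

# Read log lines on stdin, keep only those carrying the firewall prefix, pull
# KEY=VALUE fields apart and print "count value" for the requested key
# (SRC, DPT, PROTO, ...), busiest first. Lines without the prefix are ignored.
top_by_field() {
    field="$1"
    awk -v key="$field" '
        /FW-DROP: / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key && kv[2] != "") count[kv[2]]++
            }
        }
        END { for (v in count) print count[v], v }
    ' | sort -rn
}

# Two views a reviewer wants first: who is being dropped most, and which ports
# they are probing (a single source hitting 23, 3389 and 135 is a port scan).
drops_per_source() { printf '%s\n' "$SAMPLE_LOG" | top_by_field SRC; }
probed_ports()     { printf '%s\n' "$SAMPLE_LOG" | top_by_field DPT; }

echo "Dropped packets per source:"
drops_per_source
echo "Destination ports probed:"
probed_ports
```

On a real system replace the embedded sample with `grep 'FW-DROP: ' /var/log/kern.log | top_by_field SRC`.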
Vulnerabilities
A vulnerability is a defect that an attacker might exploit either to cause a denial-of-service (DoS) condition or to gain access to your firewall. Vulnerabilities are routinely caused by a misconfiguration of the firewall itself.
A vulnerability due to a misconfiguration of the firewall can range from allowing access to Remote Procedure Call (RPC) ports on systems behind the firewall to not setting an access password on the device itself.
Due Diligence
Special care must be taken when managing a firewall because it protects your data from the world. In many cases, it represents the only security device on your network.
Disaster Recovery and Business Continuity
I cannot overemphasize the importance of remote backup even with a properly configured and maintained firewall.
Having said that, firewalls are an essential element in the defense and retention of your data. Your data is your business. If you are even remotely at a loss as to how to configure and maintain your firewall and analyze its logs, I wholly recommend outsourcing this service.