Upping your game to protect and secure your business

By Damien Mallon, Senior Systems Engineer

I remember learning early Irish history and seeing a Crannog for the first time as a schoolboy. My teacher highlighted the defensive merits of a Crannog and I remember thinking how safe it must have been to live in one. How on earth could invaders defeat this “one way in, one way out” structure?

Of course, evolving military techniques have long since rendered the defensive capabilities of a Crannog useless. With this in mind, I would like you to consider the position of the traditional firewall in our complex modern networks. The traditional firewall model serves two basic purposes:

  1. Stop “the bad guys” getting unauthorised access to our network from the Internet
  2. Allow “the good guys” from our internal network to access resources on the Internet

Battle to protect the internal network

Just like the Crannog, this seems perfect for what we need. However, like ancient history, technology has evolved. The battle to protect our internal networks from harm is becoming ever more complex. Even with the very best firewall on the market, malware and viruses can still reach your internal network.

User behaviour is still a major source of malware infection and it will most likely continue this way, as long as we use IT systems. The most prudent approach to take when deploying a firewall is to assume that the bad guys have already compromised your network and to configure your firewall to minimise the potential impact of such an event. The steps below illustrate a particularly nasty Ransomware infection and how it behaves before encrypting files on the internal network:

A nasty Ransomware infection

  1. An unsuspecting user opens an infected email attachment.
  2. The payload from the infected attachment is executed and compromises the user's PC.
  3. The compromised PC communicates outbound with a Command & Control server on the Internet.
  4. The Command & Control server issues encryption instructions to the compromised PC, followed by a demand for payment to decrypt your files.

Good guys V bad guys in IT

The traditional approach of allowing "the good guys" to access the Internet from the internal network has just allowed "the bad guys" to control an infected machine on that same internal network from a remote server, because the firewall treated the PC's connection to the Command & Control server as ordinary outbound user traffic. Malware that extracts credit card details from Point of Sale (POS) systems is executed in much the same way: the stolen data leaves over an outbound connection the firewall was never asked to question. The example above is just one of many reasons why we need to control outbound traffic. Other reasons include detecting inappropriate bandwidth usage, preventing confidential data leakage, stopping spam email originating from the internal network, blocking unauthorised public proxy use and limiting the use of non-productive web resources.

Perimeter firewall techniques

Best practice recommends the following techniques that can be implemented on your perimeter firewall. These are aimed at breaking the bad guy’s chain of communication as detailed above and can minimise the impact of compromised machines on your network:

  • Close all unnecessary outbound ports on the firewall: deny outbound traffic by default and open only what the business actually needs.
  • Only permit a proxy server with URL filtering to communicate out through the firewall on ports 80 and 443, so that workstations cannot reach web servers (or a Command & Control server listening on those ports) directly.
  • Only permit outbound email (SMTP, port 25) from legitimate email systems.
  • Enable the signature-based IPS feature on the firewall.
  • Enable logging, alerting and reporting on the firewall to highlight infected machines trying to communicate out to the Internet; repeated blocked outbound connections from a single internal host are a strong sign of compromise.
  • Think very carefully before enabling split-tunnelling for remote access clients, because a misconfigured remote machine can bypass all of the controls above.
  • Review the firewall configuration at least once a year.
  • Enable change logging on the firewall to track configuration changes.
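One way to see how the first five techniques fit together is to write the policy down as code and then replay firewall log lines through it, so that the internal hosts it blocks repeatedly stand out. The example below is added here for illustration and is not Datapac's code or any vendor's firewall configuration; the topology (10.0.0.0/8 as the internal range, a URL-filtering proxy at 10.0.0.5, a mail server at 10.0.0.25, an internal resolver at 10.0.0.2) and the iptables-style log lines are constructed assumptions.

```python
"""Default-deny egress policy plus a 'who is being blocked' report.

Added example for this article. Addresses and log lines are constructed
for illustration; they do not describe a real network.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical topology (assumptions, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.5")         # URL-filtering proxy
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")  # the only legitimate SMTP source
RESOLVERS = {ipaddress.ip_address("10.0.0.2")}   # internal DNS forwarders


def egress_verdict(src, dst, proto, dport):
    """Decide one outbound flow under the article's rules: web only via the
    proxy, SMTP only from the mail system, DNS only from the resolvers, and
    everything else denied. Returns (allowed, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        # Not crossing the perimeter outbound; outside the scope of this policy.
        return True, "not perimeter egress"
    proto = proto.lower()
    if proto == "tcp" and dport in (80, 443):
        return src == PROXY, "web traffic must leave via the proxy"
    if proto == "tcp" and dport == 25:
        return src == MAIL_SERVER, "outbound SMTP only from the mail server"
    if proto == "udp" and dport == 53:
        return src in RESOLVERS, "DNS only from internal resolvers"
    return False, "default deny"


# Fields as they appear in iptables/netfilter LOG output; other fields
# (LEN=, TOS=, SPT=) may sit between them, hence the lazy .*? gaps.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)


def parse_flow(line):
    """Extract (src, dst, proto, dport) from a log line, or None if absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dport"])


def blocked_by_source(lines):
    """Replay each logged flow through the policy and group the blocked ones
    by internal source address."""
    report = defaultdict(lambda: {"count": 0, "targets": set(), "reasons": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        allowed, reason = egress_verdict(src, dst, proto, dport)
        if not allowed:
            entry = report[src]
            entry["count"] += 1
            entry["targets"].add(f"{dst}:{dport}/{proto.lower()}")
            entry["reasons"].add(reason)
    return dict(report)


def suspects(lines, min_attempts=3):
    """Sources with at least min_attempts blocked flows, worst offender first.
    A workstation that keeps hitting the same external host is the pattern
    step 3 of the infection chain produces."""
    rep = blocked_by_source(lines)
    return sorted((s for s, e in rep.items() if e["count"] >= min_attempts),
                  key=lambda s: -rep[s]["count"])


# Constructed sample: one proxy fetch, one legitimate mail delivery, a
# workstation going direct to the web and then beaconing to port 4444,
# a second workstation trying to send mail itself, and one internal lookup.
SAMPLE_LOG = """\
Oct 12 09:14:02 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51200 DPT=443
Oct 12 09:14:05 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=45001 DPT=25
Oct 12 09:14:09 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=49812 DPT=443
Oct 12 09:15:09 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=49813 DPT=4444
Oct 12 09:16:09 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=49814 DPT=4444
Oct 12 09:17:09 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=49815 DPT=4444
Oct 12 09:18:33 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.2.14 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=50031 DPT=25
Oct 12 09:19:00 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=10.0.0.2 LEN=60 PROTO=UDP SPT=53122 DPT=53
""".splitlines()

if __name__ == "__main__":
    for src, entry in blocked_by_source(SAMPLE_LOG).items():
        print(src, entry["count"], sorted(entry["targets"]), sorted(entry["reasons"]))
    print("investigate first:", suspects(SAMPLE_LOG))
```

The point of replaying the log through `egress_verdict` rather than trusting a vendor's verdict field is that the same function documents the intended policy and audits what the firewall actually logged; on the constructed sample it clears the proxy and the mail server, and reports 10.0.1.37 four times, once for going to port 443 directly and three times for the repeated port 4444 beacon, which is exactly the machine the article's step 3 describes.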

Assume you’re already infected

Don’t assume that by simply having a firewall in place your network is protected from the outside world. Technology is evolving at a rapid pace which brings with it great opportunity for us to be more productive than ever before. However, attackers are evolving even faster in their insatiable bid to compromise systems. Allowing firewalls to pass all traffic from the internal network to the internet just won’t cut it anymore. At Datapac, we can offer trusted and tailored advice in this complex and ever-evolving security threat landscape. We can advise you which security solutions are the best fit for your organisation. Our advice right now is to assume you are infected and configure your firewall accordingly to minimise the impact of any such infection. Always remain one step ahead of the bad guys – but rest assured that you don’t have to build a Crannog for your head office!
