I remember learning early Irish history and seeing a Crannog for the first time as a schoolboy. My teacher highlighted the defensive merits of a Crannog and I remember thinking how safe it must have been to live in one. How on earth could invaders defeat this “one way in, one way out” structure?
Of course, evolving military techniques have long since rendered the defensive capabilities of a Crannog useless. With this in mind, consider the position of the traditional firewall in our complex modern networks. The traditional firewall model serves two basic purposes:
- Stop “the bad guys” getting unauthorised access to our network from the Internet
- Allow “the good guys” from our internal network to access resources on the Internet
Battle to protect the internal network
Just like the Crannog, this seems perfect for what we need. However, as with ancient history, the technology around it has evolved. The battle to protect our internal networks from harm is becoming ever more complex. Even with the very best firewall on the market, malware and viruses can still reach your internal network.
User behaviour is still a major source of malware infection, and it will most likely remain one for as long as we use IT systems. The most prudent approach when deploying a firewall is to assume that the bad guys have already compromised your network and to configure the firewall to minimise the potential impact of that compromise. The steps below illustrate how a particularly nasty ransomware infection behaves before it encrypts files on the internal network:
A nasty Ransomware infection
3. The compromised PC communicates with a Command & Control Server on the Internet.
Good guys V bad guys in IT
The traditional approach of allowing “the good guys” to access the Internet from the internal network has just allowed “the bad guys” to control an infected machine on that same internal network from a remote server. Malware that extracts credit card details from Point of Sale (POS) systems operates in much the same way: the stolen data leaves over the same unrestricted outbound path. The example above is just one of many reasons why we need to control outbound traffic. Other reasons include detecting inappropriate bandwidth usage, preventing confidential data leakage, preventing spam email originating from the internal network, preventing unauthorised use of public proxies, and blocking non-productive web resources.
Perimeter firewall techniques
Best practice recommends the following techniques, which can be implemented on your perimeter firewall. They are aimed at breaking the bad guys’ chain of communication, as detailed above, and can minimise the impact of compromised machines on your network:
- Close all unnecessary outbound ports on the firewall (default-deny egress, then open only what named internal systems need)
- Only permit a proxy server with URL filtering to communicate out through the firewall on ports 80 and 443; workstations that attempt to reach 80 or 443 directly are then blocked and logged
- Only permit outbound email (port 25) from legitimate email systems; a workstation sending mail directly is almost certainly a spam bot
- Enable the signature-based IPS feature on the firewall
- Enable logging, alerting and reporting on the firewall to highlight internal machines whose outbound connections are being blocked; repeated blocked attempts from one host to one external address are the footprint of malware trying to reach its Command & Control server
- Think very carefully before allowing split tunnelling for remote access clients: a misconfigured remote machine with split tunnelling is connected to the Internet and the internal network at the same time, bypassing the perimeter controls above
- Review the firewall configuration at least once a year
- Enable change logging on the firewall to track configuration changes
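The following is an added example, not code from the original article or from Datapac. It models the first three techniques above as a default-deny egress policy (only the proxy may reach 80/443, only the mail relay may reach 25, only the internal resolver may reach 53), runs a set of constructed internal-to-Internet flows through it, and then aggregates the resulting DROP log lines the way the logging and alerting recommendation intends: to point at the host that is behaving like the compromised PC in step 3, retrying its Command & Control server. The addresses, the log line format and the beacon threshold are assumptions made for the demonstration; a real firewall's log format will differ, but the aggregation logic is the same.

```python
"""Egress policy model plus DROP-log alerting (added example, not the article's code).

Assumptions: a 10.0.0.0/8 LAN, three servers that are the only hosts allowed
out directly, a constructed log line format, and a beacon threshold of 3.
External addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = "10.0.0.10"       # filtering web proxy (assumed address)
MAIL_RELAY = "10.0.0.25"  # outbound MTA (assumed address)
RESOLVER = "10.0.0.53"    # internal DNS forwarder (assumed address)

# Egress allow-list as (source host, protocol, destination port).
# Anything else leaving the LAN is dropped and logged: default deny.
EGRESS_ALLOW = {
    (PROXY, "tcp", 80), (PROXY, "tcp", 443),
    (MAIL_RELAY, "tcp", 25),
    (RESOLVER, "udp", 53), (RESOLVER, "tcp", 53),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def egress_decision(flow: Flow) -> str:
    """Return ACCEPT or DROP for one LAN -> Internet flow under the policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return "DROP"  # not an outbound flow this ruleset is meant to permit
    return "ACCEPT" if (flow.src, flow.proto, flow.dport) in EGRESS_ALLOW else "DROP"


def log_line(flow: Flow, action: str) -> str:
    """Constructed log format (assumed; real firewalls use their own)."""
    return (f"fw egress {action} src={flow.src} dst={flow.dst} "
            f"proto={flow.proto} dport={flow.dport}")


LOG_RE = re.compile(
    r"egress (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def suspicious_sources(lines, beacon_threshold=3):
    """Aggregate DROP lines per source host and explain why each looks infected.

    web-bypass: a non-proxy host trying 80/443 directly (malware rarely honours
                the configured proxy, so this is the step 3 C2 pattern)
    rogue-smtp: a non-relay host trying port 25 (spam bot)
    beacon:     repeated drops to the same destination and port (callback retries)
    """
    drops = defaultdict(lambda: defaultdict(int))  # src -> (dst, proto, dport) -> n
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "DROP":
            continue
        drops[m["src"]][(m["dst"], m["proto"], int(m["dport"]))] += 1
    report = {}
    for src, targets in drops.items():
        reasons = set()
        for (dst, proto, dport), n in targets.items():
            if dport in (80, 443) and src != PROXY:
                reasons.add("web-bypass")
            if dport == 25 and src != MAIL_RELAY:
                reasons.add("rogue-smtp")
            if n >= beacon_threshold:
                reasons.add(f"beacon:{dst}:{dport}")
        if reasons:
            report[src] = sorted(reasons)
    return report


# Constructed sample traffic for the demo (not captured from a real network).
SAMPLE_FLOWS = (
    [Flow(PROXY, "198.51.100.20", "tcp", 443)] * 2
    + [Flow(MAIL_RELAY, "198.51.100.30", "tcp", 25)]
    + [Flow(RESOLVER, "198.51.100.53", "udp", 53)]
    # 10.0.5.42 plays the compromised PC from step 3: it retries its C2 server
    # directly on 443, then falls back to another port.
    + [Flow("10.0.5.42", "203.0.113.7", "tcp", 443)] * 5
    + [Flow("10.0.5.42", "203.0.113.7", "tcp", 4444)] * 2
    # 10.0.5.77 tries to send mail directly, bypassing the relay.
    + [Flow("10.0.5.77", "198.51.100.30", "tcp", 25)]
    # 10.0.5.99 makes a single direct HTTPS attempt (an app ignoring proxy settings).
    + [Flow("10.0.5.99", "198.51.100.5", "tcp", 443)]
)


def run_demo():
    """Apply the policy to every sample flow, log it, and build the alert report."""
    lines = [log_line(f, egress_decision(f)) for f in SAMPLE_FLOWS]
    return lines, suspicious_sources(lines)


if __name__ == "__main__":
    lines, report = run_demo()
    print("\n".join(lines))
    for src, why in report.items():
        print(f"ALERT {src}: {', '.join(why)}")
```

Run as a script it prints the thirteen log lines followed by three alerts. Only 10.0.5.42 carries a beacon tag, because it is the only host that hit the same destination and port three or more times; the single-attempt hosts are still listed under the weaker web-bypass and rogue-smtp reasons so an analyst can decide whether they are misconfigured or compromised. In a real deployment the thresholds and the list of permitted sources come from your own network, and the point of the change-logging recommendation is that an attacker cannot quietly widen that allow-list without it showing up.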
Assume you’re already infected
Don’t assume that simply having a firewall in place protects your network from the outside world. Technology is evolving at a rapid pace, which brings great opportunity for us to be more productive than ever before. However, attackers are evolving even faster in their insatiable bid to compromise systems. Allowing firewalls to pass all traffic from the internal network to the Internet just won’t cut it anymore. At Datapac, we can offer trusted and tailored advice in this complex and ever-evolving threat landscape, and advise you on which security solutions best fit your organisation. Our advice right now is to assume you are already infected and configure your firewall to minimise the impact of that infection. Always remain one step ahead of the bad guys – but rest assured that you don’t have to build a Crannog for your head office!