This is a guest story from Igor Voschyk - an experienced security expert who has conducted penetration testing and red teaming for a variety of industries: financial institutions, oil & gas, mobile network operators and automotive.
Intro
Day by day, high-profile orgs are facing increased cybersecurity risks. Over the last decade, advanced persistent threats have become the new normal for many business verticals.
But what can we do if our first line of defense - the firewall - fails? For instance, if a zero-day is discovered in it.
Let's assume we are in charge of securing an arms export firm. This is an interesting example for our case: while it is a high-risk business where highly critical data is processed and stored, its IT infrastructure might be simple.
1. Building a strong infrastructure foundation
The first question to ask here is how can we build an environment that won't let an attacker easily inflict any harm in case of a firewall failure. As per the defense in depth model, multiple layers of protection should be implemented to effectively repel attacks.
One of the ways to stop a potential attacker on their path to valuable business assets is to divide and conquer.
Implementing DMZs and network segments is the way to go.
DMZs allow us to keep the non-critical assets that users must be able to reach in a separate zone, so that compromising one of them does not give a potential attacker a foothold inside the internal network.
Network segmentation, if implemented correctly, may leave an attacker jailed inside a subnet that doesn't have many valuable assets, so they will have to look for critical vulnerabilities in low-value targets in the hope of pivoting to another network segment, e.g. the one with database servers.
2. Data protection
The importance of backups is not that hard to understand: failures happen at both the hardware and the software level.
More interesting cases are power outages or even natural disasters.
That's why any data and configuration related to a firewall should be backed up systematically - daily, weekly or monthly, depending on how often the rules on your appliance are updated.
Large vendors offer their own easy-to-use backup systems, but custom solutions may be applied too.
3. High Availability
High availability is a kind of network deployment in which two firewalls are placed in a cluster with a synchronized configuration.
A heartbeat connection constantly checks that both are alive and allows for a seamless failover if one of the firewalls goes down.
High availability deployment has an obvious advantage over bypasses, as two identically configured firewalls don't leave the network unprotected even for a moment.
5. Availability & performance monitoring
Having performance monitoring in place allows us to watch our firewalls proactively and even predict a possible failure.
There are plenty of metrics to collect from security appliances: CPU, disk and memory usage, number of sessions, intrusions detected.
Not only does this keep us informed about the firewalls' health, it also makes us aware of possible attacks.
The market has plenty of options for firewall monitoring, including SaaS solutions.
6. Preventing misconfigurations
These measures may be highly effective in minimizing the possibility of firewall failure, as they let us keep an eye on how it's working.
But they won't help the security team succeed if the firewall rules themselves are not good.
Let's have a look at some of the ways to make sure that the security appliance is configured right - for instance, by following vendor security standards.
Known best practices are a good thing to rely on while configuring your firewall rules. All large vendors have a knowledge base for their clients to use.
7-8. Implementing versioning system and configuration audits
A good idea may be to implement a Version Control System (VCS), the same as we do with our code.
If the business is relatively large, it may not be easy to keep track of all the changes that network administrators and the security team make.
Implementing a small Git repository shouldn't take too much effort, but it would have a large ROI, as all changes become easily visible, so it's possible to make sure that no error or deliberate mistake was introduced.
To make sure that your configs are up to date and to eliminate mistakes that slipped through into configurations, we would recommend performing audits of the configs stored in the versioning system. This not only allows us to fix errors that slipped through, but also to understand the history of vulnerabilities in the config files.
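The segmentation goal from section 1, the misconfiguration checks from section 6 and the audit of a version-controlled ruleset from sections 7-8 can all be served by one script that runs over the rule file stored in Git (for instance from a pre-commit hook or a scheduled job). The example below is added here and is not part of the original post or of any vendor's tooling; the text rule format, the zone CIDRs and the rule names are constructed for illustration, and the checks (any-to-any allow, DMZ initiating into the internal segment, deny without logging, shadowed rules) are the ones a config audit would typically start with.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zones for the audit (constructed sample ranges, not from the original post).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port number or "any"
    action: str   # "allow" or "deny"
    log: bool = False

def _net(cidr):
    """Turn 'any' into the whole IPv4 space so subnet checks work uniformly."""
    return ipaddress.ip_network("0.0.0.0/0") if cidr == "any" else ipaddress.ip_network(cidr)

def _covers(a, b):
    """True if rule a matches every packet rule b matches (a shadows b when a is evaluated first)."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.port in ("any", b.port))

def parse_rules(text):
    """Parse the constructed whitespace-separated format: name src dst proto port action [log]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, src, dst, proto, port, action = fields[:6]
        rules.append(Rule(name, src, dst, proto, port, action, log="log" in fields[6:]))
    return rules

def audit(rules):
    """Return (rule name, finding) pairs; rules are evaluated top-down, first match wins."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append((r.name, "any-to-any allow"))
        if (r.action == "allow"
                and _net(r.src).subnet_of(ZONES["dmz"])
                and _net(r.dst).subnet_of(ZONES["internal"])):
            findings.append((r.name, "DMZ may initiate into internal segment"))
        if r.action == "deny" and not r.log:
            findings.append((r.name, "deny without logging"))
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
    return findings

# Constructed sample ruleset, as it might be committed to the config repository.
SAMPLE_CONFIG = """
# name       src             dst             proto port  action
web-in       any             192.0.2.10/32   tcp   443   allow
dmz-to-db    192.0.2.10/32   10.10.5.20/32   tcp   5432  allow
mgmt         10.10.1.0/24    10.10.0.0/16    any   any   allow
temp-fix     any             any             any   any   allow
old-web      any             192.0.2.10/32   tcp   443   allow
default      any             any             any   any   deny
"""

if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run against the sample, the audit flags the emergency "temp-fix" any-to-any allow, the "old-web" rule shadowed by "web-in", the unlogged default deny (which is itself shadowed by "temp-fix"), and the DMZ host that may open connections into the internal segment; the last one may be legitimate, but it is exactly the kind of rule a reviewer should have to approve explicitly. Because the input is the file under version control, `git log` on the same file shows when each finding was introduced.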
9. Regular perimeter network security scan
We can also double-check the security posture of our network perimeter with scheduled port scanning. The simplest way to do it is with a task scheduler such as Unix cron, but port discovery capabilities are also built into vulnerability assessment tools like Nessus.
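A scheduled scan is only useful if someone compares the result with the previous one, so the cron job should report what changed rather than dump a full scan. The following example, added here and not part of the original post, parses nmap's grepable output (`-oG`) for a baseline scan and a later scan of the same perimeter and reports ports that are newly open per host; the two scan outputs and the 203.0.113.0/24 addresses are constructed sample data.

```python
import re

# Constructed sample nmap -oG output for the same perimeter on two different days.
# A cron job could produce such files with, for example:
#   nmap -Pn -p- -oG perimeter-$(date +%F).gnmap 203.0.113.0/24
BASELINE = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///
"""
CURRENT = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 203.0.113.12 ()\tPorts: 21/open/tcp//ftp///
"""

# Only the "open" state counts as exposure; "filtered" or "closed" ports are ignored.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")

def parse_open_ports(grepable):
    """Map host -> set of (port, proto) that nmap reported as open."""
    exposure = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        exposure.setdefault(host, set()).update(
            (int(port), proto) for port, proto in PORT_RE.findall(ports_field))
    return exposure

def diff_exposure(baseline, current):
    """Return host -> sorted list of (port, proto) open now but not in the baseline."""
    new = {}
    for host, ports in current.items():
        added = ports - baseline.get(host, set())
        if added:
            new[host] = sorted(added)
    return new

def removed_exposure(baseline, current):
    """Return host -> sorted list of (port, proto) that were open before and are not now."""
    gone = {}
    for host, ports in baseline.items():
        missing = ports - current.get(host, set())
        if missing:
            gone[host] = sorted(missing)
    return gone

if __name__ == "__main__":
    before, after = parse_open_ports(BASELINE), parse_open_ports(CURRENT)
    for host, ports in diff_exposure(before, after).items():
        print(f"NEW exposure on {host}: {ports}")
    for host, ports in removed_exposure(before, after).items():
        print(f"closed since baseline on {host}: {ports}")
```

On the sample data the report names the RDP port that appeared on the first host and a brand-new host with FTP, while the filtered 8080 on the second host is correctly not reported. Feeding the output into a ticket or alert makes the scan actionable; keeping each day's `.gnmap` file next to the firewall configs in the same repository also ties a new exposure to the config change that caused it.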
10-11. Advanced network security analytics
Using third-party firewall management solutions may save some time, especially in large heterogeneous networks.
There are multiple vendors for that, and some also offer attack surface management capabilities, combining vulnerability intelligence data with a model of the network's security posture.
12. Defense in depth
In case your firewall device becomes vulnerable to some kind of 0-day or has a bad security history overall, it may be good to hide it behind a simpler network device that can apply some filtering to prevent exploitation of vulnerabilities in your firewall while still allowing enough bandwidth.
Some countries tend to use a cascade of firewalls to protect themselves from possible backdoors in any one of them.
13. Flow-based monitoring
Implementing flow-based monitoring may help you pick up threats not visible to more "traditional" tools like NGFWs, as the latter usually only watch network boundaries.
In a nutshell, tools like Flowmon or Cisco Stealthwatch route a copy of the traffic to an analyzer to collect, correlate and analyze it.
This results in detecting DDoS attacks, C2 traffic and different anomalies in users' and devices' behavior.
Because it's a control independent of the firewall, you can spot the attacker there even if the firewall has been bypassed.
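To make the two detections mentioned above concrete, here is an added example (not from the original post and not how Flowmon or Stealthwatch are implemented) that runs two simple analytics over flow records of the kind a NetFlow/IPFIX exporter produces: a beaconing check that flags a source talking to the same destination at nearly constant intervals, and a flood check that flags a destination hit by many distinct sources inside one time window. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_seconds, src, dst, dst_port, bytes).
FLOWS = [
    # a workstation contacting one external host every 60 s with small payloads
    *[(t, "10.10.3.7", "198.51.100.23", 443, 512) for t in range(0, 600, 60)],
    # ordinary browsing: irregular intervals, varied sizes
    (5, "10.10.3.8", "198.51.100.50", 443, 20480),
    (9, "10.10.3.8", "198.51.100.50", 443, 1500),
    (47, "10.10.3.8", "198.51.100.50", 443, 90000),
    (300, "10.10.3.8", "198.51.100.50", 443, 700),
    # a volumetric flood against the DMZ web server from 200 sources within ~20 s
    *[(100 + i // 10, f"203.0.113.{i}", "192.0.2.10", 443, 60) for i in range(1, 201)],
]

def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst, port) triples whose inter-flow intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is used so that a
    60 s beacon and a 3600 s beacon are judged by the same threshold.
    """
    series = defaultdict(list)
    for t, src, dst, port, _ in flows:
        series[(src, dst, port)].append(t)
    beacons = []
    for key, times in series.items():
        if len(times) < min_flows:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 1)))
    return beacons

def detect_floods(flows, window=60, min_sources=100):
    """Flag (dst, port) pairs contacted by at least min_sources distinct sources in one window."""
    buckets = defaultdict(set)
    for t, src, dst, port, _ in flows:
        buckets[(dst, port, t // window)].add(src)
    return sorted({(dst, port) for (dst, port, _), srcs in buckets.items()
                   if len(srcs) >= min_sources})

if __name__ == "__main__":
    for (src, dst, port), period in detect_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every {period} s")
    for dst, port in detect_floods(FLOWS):
        print(f"possible flood against {dst}:{port}")
```

The beaconing check fires on the workstation with the steady 60-second cadence and stays quiet on the irregular browsing session, and the flood check fires on the web server without any single source standing out, which is precisely the case a per-connection firewall rule misses. In production the thresholds need tuning against known periodic traffic (update checks, monitoring agents), which is why these tools correlate flows with asset and user context rather than applying the raw heuristic.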
14. Authentication of network flows
Network Access Control and self-protecting network solutions provide visibility of network devices, ensure proper authentication and even authorization of network connections, enforce policies and manage identities.
It is extremely hard for an attacker to pivot in such an environment.
One of the solutions in this class is Cisco Identity Services Engine.
15. IPSec
A previous-generation counterpart of the previous control is classic IPSec.
IPSec provides the capability to authenticate network packets, making the network security environment harder to circumvent.
Igor Voschyk
Big 4 consulting firm, Security Auditor & Penetration Tester