03 Oct 2016

I was surprised how many people I talked to were not aware of this specific topic so I figured I would shed some light for all.

To keep things simple, I will address the business and technical angles separately.

First, technology:

For those who want to skip this section, here is the high level summary:

  • If your firewall is old: it’s letting a whole lot of bad things go through
  • If your firewall vendor as not kept up to date with technology: your firewall is letting a whole lot of bad things go through
  • If you bought a great firewall, but did not buy all the fancy software that could come with it: it’s letting a whole lot of bad things go through
  • If you have not spent the time setting up the security settings of your firewalls and are not reviewing them regularly: it’s letting a whole lot of bad things go through

The details:

Many of the firewalls that have been deployed in the past (and sadly even some that are deployed today) only rely on what is referred to as Stateful Packet Inspection (SPI). When CPU was expensive and bandwidth was growing, this was way better than just a router. It did all the things you expected:

  • It used Access Control Lists (ACL) to let the traffic go where it was supposed to go, but not where it was not (down the protocol and port level)
  • It was smart enough to understand how a network handshake worked and only allowed packets that were parts of an established conversation
  • Some were even smart enough to detect basic attacks (SYN flood, port scans…)

What they did not do: Inspect that actual content of the packets

And in today’s world that is unacceptable.

The Internet is a place of wonders, but it is also a fairly unsafe place. Gone are the days where hackers were hobbyist that wanted to learn new systems and help their owners improve them. The so called “black hat” hackers are now using their talent for profit and it is becoming a huge industry. Although many organizations are not necessarily targets (this is becoming less and less true), many attacks today just aim for everyone. It is just a game of numbers, even you have a %0.001 percent success rate, targeting 100 million people still gives you 1,000 successes. A good example of this is ransomware (read my previous post here for more details).

So a firewall today needs to do a lot of things:

  • It needs to look at every single packet going through (It needs at look at those packets individually (some malware decompose itself to avoid signature detection) and it needs to look at those packet as a conversation to make sure no one is trying to inject something (or themselves) in the conversation)
  • It needs to look for malware
  • It needs to detect (and stop) intrusions
  • It needs to enforce safe web browsing
  • It needs to be kept up to date (web sites, signatures and firmware)
  • It needs to understand applications (why is my web server sending SQL delete table commands?)

And that is the just the minimum, some of the things you should also be looking for:

  • Inspecting encrypted traffic (more and more websites are using HTTPs)
  • Stop and test files it does not already know about (more and more malware evade signature detection)
  • You should have monthly reports of all the devices with missing patches and lagging antivirus signatures

And here is my favorite of all: configure it properly! (I am still shocked how many environments we walk in that bought the right equipment, but all the goodies are turned off).

Side note: a comment I hear often: “I don’t need anti-virus on my firewall, I have it on my PCs”, you should have both!!! If there is a bad wolf trying to get in your house while your sleeping, do you prefer that it gets stops at the front door and that worst case scenario if it gets in it will be stopped by your bedroom door, or do you just leave the front door open and hope that all the bedroom doors are closed?

If you want to learn more, here is a website that does a great job at going into more details of SPI vs DPI.

http://www.sans.edu/research/security-laboratory/article/pirc-john-firewalls

Second, business:

In this case, justifying the investment can be harder: you are investing against an intangible risk. But, if you look at it the other way around you are ensuring to keep your company in business and are ensuring predictable costs (no unexpected spend to clean up the environment or restore your reputation). Think of it as insurance against the wild wild west that the Internet is becoming. The good news is that you can verify how leaky (or not!) your firewall is through a security assessment. Here are a couple of statistics to help you make a business case:

  • In 2015, 43 percent of Spear-Phishing attacks targeted small businesses (Symantec 2016 Internet Security Threat Report)
  • A single crypto-malware or ransomware attack can costs small and medium-sized companies up to $99,000 (Corporate IT Security Risks Survey 2016, Kaspersky)
  • 19% of consumers surveyed would stop shopping at a retailer that had been the victim of a hack, and 33% would stop shopping at that retailer for at least three months (businessinsider.com August 2016)

I also wanted to provide a couple of scenarios we see commonly and provide some options.

  • If your current firewall is over 2 years old and does not support the feature you require, getting a new one is probably the best option.
  • If your current firewall is still fairly new or not amortized enough and it supports the new features you need via a license upgrade, evaluate the cost of that license upgrade versus getting a brand new firewall that includes those features, you may be surprised.
  • If your current firewall is still fairly new or not amortized enough, but does not support the new features (or it supports it, but the cost for it does not make sense) there is also an hybrid option: keep your current firewall at the edge, but add a new firewall behind it to do the extra scrubbing (this is probably cheaper than you think).

The important point is to view the problem from the right angle, it is not about “can you afford the security you know you need” it is “can you afford not to have the security you know you need”.

As always, please post comments below and reach out to me if you have any questions or want to schedule an assessment.

Loïc

 

Here are a couple of my other posts that may be of interest: