Common Network Security Misconceptions: Firewalls Exposed
May 6th, 2009
John Pirc | NSA-IAM, CEH
Abstract: As the commercialization of the Internet enters its third decade, the Web itself has evolved from sharing static information to driving dynamically connected mission-critical applications. While web applications and efficiencies of Web 2.0 are universally adopted, network security practices often still rely too heavily on the basic network firewall to block access to static information. Too many enterprises today believe their firewalls deliver "good enough" security to mitigate Internet-related threats and attacks. However, enterprises that do not currently have advanced network protection deployed face significant risk and are likely already compromised.
Emergence of the Firewall
In the 1990s, the firewall was the centerpiece of network security. With everyone making their first Internet connections, the threat landscape was just developing, and security best practices were to enforce access control and segmentation. The firewall was great for keeping unwanted intruders from connecting into your corporate network. As technology matured, firewalls began to include granular filtering capabilities, such as port, protocol and application-based filtering. The ability to control in-bound and outbound network traffic was and continues to be a network security best practice. As the growth of the Internet exploded in the mid 1990s with the introduction of E-Commerce sites, informational websites, email and other various internet protocols allowed us to isolate the specific traffic we would allow out of network such as web traffic (HTTP & SSL), the yellow pages of the Internet (Domain Name Service | DNS) and email protocols (SMTP, POP and IMAP). This was very effective for countering the threat landscape of the 1990s and early 2000s.
The illustration above in figure 1 is a high level example of a firewall in action. As you can see it’s blocking inbound "Unauthorized Access" and allowing outbound connections from the internal host to access web, DNS and Email servers. The basic firewall has no visibility into the content and context of network traffic, it only has the ability to react based on port, protocol and/or IP address. Additionally, this allows firewalls to process traffic quickly to achieve high rates of performance. You could achieve the same access control and segmentation protection a firewall provides you by utilizing a router and implementing an access control list (ACL).
Today, the attack surface is complex and constantly evolving and the classic methods of protection are not sustainable. Instead of dealing with attackers trying to gain authorized access as depicted in figure 1, we are dealing with dynamic precision-guided exploits that are driven from the internal host via the web browser by visiting a rogue website or clicking on an embedded link. These exploits will use just about any outbound port you have open on your firewall to exfiltrate data and/or compute power for nefarious activities.
Attackers Maximize their Return on Investment
The threat landscape has and will continue to evolve over time and has reached a new level of maturity. Rather than researching new vulnerabilities, attackers are merging several attack methods together to increase their return on that attack. Attackers know that defenses will be looking to prevent high profile vulnerabilities and attacks. Additionally, the attackers also realize a lot of infrastructures are relying on 1990s technologies to prevent the attacks of today. In most cases, corporations are still under the impression that a Firewall is providing them adequate and "just good enough security protection" needed to mitigate the attacks of today - and that is simply not true. Good enough security is a checkbox for disaster in my expert opinion. It’s good to highlight that firewalls provide great access control and segmentation, but a firewall will not stop attacks, such as SQL injection, cross site scripting and the majority of the attacks today.
In order to mitigate these web based/client side vulnerabilities like SQL injection and cross-site scripting, you need Deep Packet Inspection technology (DPI), which is illustrated in figure 2. According to the latest IBM X-Force trend report, "In 2008, SQL injection replaced cross-site scripting as the predominant Web application vulnerability. In fact, the overall increase of 2008 Web application vulnerabilities can be attributed to a huge spike in SQL injection vulnerabilities, which was up a staggering 134 percent from 2007". Another great resource for information is http://www.sans.org/top20/.
Best Practices: Firewall + IPS/UTM + Anti-Virus + Anti-Spam + Anti-Malware
Security best practices in today’s environment and regulatory compliance guidelines include deploying DPI technology to mitigate these types of attacks. Deep packet inspection technologies are implemented in Intrusion Prevention Systems (IPS), Unified Threat Management (UTM). Additionally, it’s important to also take advantage of additional content protection for Anti-Spam, Anti-Virus and Anti-Malware. It’s important to note, that if you do not currently have DPI deployed today, your organization is at significant risk and likely already compromised. The Heartland breach is a great example of how useless firewalls are in combating the current landscape. Please click on the link for further details: Heartland breach.
Dangers of firewalls exposed
The example illustrated in figure 3 below depicts the dangers of a firewall without DPI. In the illustration, the internal host makes a web request to a rogue web server. Since the firewall allows outbound web connections, it’s not going to stop the internal host from connecting to the rogue web server. Additionally, since the connection was established from the inside, it will allow the web server to respond back to the client on the internal network. As you can see the malicious web page below will flow uninterrupted right past the firewall and be executed on the internal host. This should be a cause for great concern since the majority of your business is conducted on the web. Additionally, the next generation work force is already taking advantage of the various social networking platforms for collaboration and will likely expect the freedom of collaboration on your corporate assets, including laptops and remote connectivity at home or aboard.
However, technologies like DPI can enable you corporation to perform various web transactions with a high level of security assurance against the various precision guided exploits I’ve mentioned with this paper. For further information regarding the current threat landscape, I would recommend reading the latest IBM X-Force trend report. In the illustration below, figure 4 provides an example of the effectiveness of deploying DPI technologies to protect your critical assets against web Bourne threats. The firewall is useless in this real-world use case. However, with DPI technology deployed you are able to mitigate the attack without the risk of compromising the internal host. With the rapid adoption of the Internet, Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Cloud Computing, the need for DPI and Anti-X technologies are going to be extremely import to deploy within your infrastructure to limit your risk and exposure from the threats that could impact business operations, compromise intellectual property and more importantly, your consumer base.
Threat Examples At-a-Glance
The following threat examples are actual threats that can and might have already impacted your business. As an example, SQL Injection, Cross-site scripting and Malware are popular methods for breaching Web servers and the end-points on your most trusted network. These methods can harness user credentials, credit card data, M&A activity and Intellectual Property to name a few. Aside from Cyber Warfare, Crime & Terrorism, your data is worth more alive then dead. As your business grows, so does the proliferation of information. Are you taking the proper steps to secure your infrastructure today?
Solutions & Strategies
In developing a comprehensive security strategy, often the question is asked, where do I start. The security equation has changed and we need to start thinking beyond the firewall and take proactive measures. Education and awareness are key, because what you do not know can hurt you. As I mentioned previously, threats today are precision guided and can harness user credentials, credit card data, M&A activity and Intellectual Property. Additionally, this does not account for the unintentional/intentional insider threat. A comprehensive approach includes protection for both end-point and network, but the focus of this paper is network based protection. It’s important to make sure the network security devices you are considering contain DPI as a main component, which can be found in an IPS, UTM, WAF or WAF features that are incorporated in an IPS and UTM.
The focus on web application protection is only going to increase with the proliferation of the World Wide Web. As I mentioned, DPI and Anti-X are critical to protecting your infrastructure. If your organization lacks resources and security expertise, many companies offer services where security professionals can architect, deploy and manage these protection devices for you; therefore, you benefit from the knowledge of the other clients under the managed services, which often includes best practices, lessons learned that can be immediately applied to your organization.