How secure is your firewall?
In these interesting times, having a firewall simply isn’t enough to give you protection from threats to your data and systems, not to mention your reputation. Do you really know how secure your firewall is?
This post is not intended to be a technical discussion of firewalls and network protection but more an attempt to raise awareness of what’s happening out there from a security perspective, and of what you can do about it to minimise the risk, whether you’re a home user, a small business or a large organisation.
2020 has seen an explosion in “cyber” (hate that word) attacks, with the IT governance website in the UK reporting that some 276 million records have been breached. So what has caused the upsurge in attacks? Well, you won’t be surprised to find out it’s Covid-19 related. With the sudden lockdown, IT staff worked furiously to enable staff who normally worked in secure office locations to work from home. You can find an eloquent description in checkpoint.com’s Cyber attack trends blog post.
The home user/worker
Let’s take the home user/worker to start with. Most users don’t have any ports open that would allow attackers access to the home network. There are two areas of concern here:
- User accessing a compromised site
- Router bugs / firewall threats
The first allows malicious code such as ransomware to infect the user’s machine and compromise the integrity of not only the local network but, if connected to the office system, the company network as well. The second may come as a surprise, but check out the website at routersecurity.org. You might think you’re secure by using a big name brand, but think again. The list of vulnerabilities is a little scary to say the least!
Securing home networking
The home worker may be using their home PC or have a company-supplied one for connecting to the remote office system. There’s the usual issue of ensuring that the anti-virus software and operating system are up to date, but what about malware inadvertently installed by a visit to a malicious site? Even innocuous changes to settings may have dramatic effects, such as appearing in a Zoom conference as a cat! If you haven’t seen this, have a look at this 🙂
In short, as this post is about firewalls: where possible, use remote desktops for remote workers. You have more control of the office PC than you do of the PC at home.
The company firewall is the gatekeeper for access to your system. But not all gates are as well made as they claim to be. Throwing lots of money at it and buying big name brands doesn’t necessarily mean it’s the best and most secure option either. Once again, check out routersecurity.org. Being a company firewall, it is more than likely to have ports open, which means, excuse the pun, you’re in the firing line.
The big question is, how do you know the ports are secure? Well, you can do regular port scans, but that’s only going to tell you what’s open, not who’s using it. What you really need is something which will tell you who’s accessing the port and, in addition, warn you of any suspicious activity. Typically any open ports are scanned around 5 times a second! This is where “Intrusion detection and prevention systems” (IDS/IDP) come in. Think of it like this. You’re in your home with the front door locked and feeling secure, but all the time zombies are scratching at your door, trying different keys in the lock and looking for any unlocked windows and any weakness in your security. It’s relentless, and if you’ve left anything insecure for a few minutes they’ll find it and they’ve breached your best first line of defence.
What are Intrusion detection and prevention systems?
Firstly, they are two separate solutions that work together. The detection element looks at activity on the network BEFORE it hits your firewall rules, i.e. you have a camera on your front door and can see what the zombies are trying to do. This can give you clues as to what is being attempted and gives you a chance to consider a better defence, like locking down access to known IP addresses or Geofencing (blocking all traffic from certain countries etc). The prevention element adds firewall rules to block these attempts before they hit your main firewall rules. Some tuning is required to ensure you don’t block legitimate traffic. It should also be pointed out that these packages will also examine traffic leaving your site and potentially flag up compromised systems behind your firewall, i.e. compromised machines within your secure network. There are of course proprietary IDS/IDP solutions out there, but there are also some very good open source ones, such as Snort and Suricata, for you to have a look at.
IP Block lists
There is a plethora of free-to-use block lists out there for you to use on a firewall, but many people don’t know that they exist. You may be familiar with Fail2ban as a means of blocking IPs that try to brute force passwords, but did you know you can send these IPs to a central list to share with others and vice versa?
Geofencing – From a network perspective, Geofencing is having the ability to block traffic on a country by country basis.
IP Block list – A list of downloadable IP addresses that have been flagged as a source of hacking attempts.
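To make the detection and block list ideas above concrete, here is an added example (not part of the original post, and not code from Snort, Suricata or Fail2ban) that reads firewall log lines, reports who is touching your open ports, and flags sources that are on a block list or are sweeping several ports. The log lines, the block list, the function names and the threshold of 3 ports are all assumptions made for illustration; the addresses come from the reserved documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses, not real offenders);
# the log lines are abbreviated iptables-style entries and the last is malformed.
BLOCKLIST_TEXT = "# sample list\n203.0.113.0/24\n198.51.100.77\n"
LOG_TEXT = """\
Mar  1 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Mar  1 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
Mar  1 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=23
Mar  1 10:00:03 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:00:04 gw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 10:00:06 gw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 10:00:07 gw kernel: IN=eth0 SRC=not-an-ip DST=192.0.2.10 PROTO=TCP DPT=80
"""
ENTRY = re.compile(r"\bSRC=(\S+).*?\bDPT=(\d+)")

def load_blocklist(text):
    """One address or CIDR per line; blanks and # comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def review(log_text, blocklist, port_threshold=3):
    """Return {source: [reasons]} for sources that warrant a block rule."""
    ports = defaultdict(set)  # source address -> distinct destination ports
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        try:
            src = ipaddress.ip_address(m.group(1))
        except (AttributeError, ValueError):
            continue  # no SRC/DPT fields, or a malformed source address
        ports[src].add(int(m.group(2)))
    findings = {}
    for src, seen in ports.items():
        reasons = ["on block list"] if any(src in n for n in blocklist) else []
        if len(seen) >= port_threshold:
            reasons.append(f"probed {len(seen)} ports")
        if reasons:
            findings[str(src)] = reasons
    return findings

if __name__ == "__main__":
    for src, why in sorted(review(LOG_TEXT, load_blocklist(BLOCKLIST_TEXT)).items()):
        print(src, "->", ", ".join(why))
```

The source that only ever connects to port 443 is left alone, which is the tuning point made above: the threshold decides how much legitimate traffic you risk blocking.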