Getting the most out of your next generation firewall
Next generation firewalls have a lot of useful features, but they only work if IT pros use them, configure them properly and keep them updated.
Are you getting the most out of your next generation firewall? Probably not if you take to heart recent research from SafeBreach.
SafeBreach, a relative newcomer to the security arena -- it was founded in 2014 -- sells on-premises and service packages that continually run network breach simulations to help customers locate and remediate security problems.
Specifically, the company deploys software probes distributed throughout customers’ networks and attempts to establish connections among devices and network segments just as an attacker would when going after your data. These breach attempts are defined by SafeBreach’s Hacker’s Playbook, a library of known attack methods used to uncover network security weaknesses and show how those weaknesses might be exploited.
The company recently discussed some of the chief issues it has found in customer test results that show many users of so-called next-generation firewalls (NGFWs) are perhaps not getting the full benefit of those packages because of bad configurations, legacy security methods and more.
Typically NGFWs feature a multitude of security technologies from intrusion-detection and deep packet inspection to SSL, HTTP or TLS examination capabilities. A wide variety of vendors sell these powerful and sometimes complex NGFW packages including Cisco, Palo Alto Networks, Fortinet, Check Point, Huawei, Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone and SonicWall.
According to SafeBreach the power of NGFWs comes from the product’s ability to implement rich security policies based on applications and users, instead of ports and protocols.
“These policies should be easier to define than legacy firewalls. However, mistakes may occur due to human error. Additionally, errors may occur when security teams use auto-migration tools provided by vendors to migrate their existing firewall policies. Breach and attack simulation enables security teams to both optimize policies to minimize security exposure, and verify that changes are effective and don’t introduce unintended consequences,” the company said.
Chris Webber, a security strategist with SafeBreach says configuration errors are one of the most frequently occurring issues with NGFWs.
“Many users get tripped up if they only rely on vendor-supplied defaults,” Webber said. “A next generation firewall can be like having a Swiss army knife on your network, but many times its features aren’t turned on, which lets attackers gain access.”
Webber also noted that most vendors provide auto-migration tools to help new customers migrate from their legacy firewalls to NGFWs but that errors may occur during this process as vendor features and architecture can vary.
SafeBreach said it has discovered breach scenarios due to these policy gaps and errors resulting from assumptions about new NGFW vendor default policies and auto-migration challenges.
Another issue is that many users don’t decrypt encrypted traffic like SSL, TLS, and SSH which can become a major blind spot for customers, Webber said. It is a common attacker tactic to hide malware, etc., in this traffic. NGFWs can terminate and inspect encrypted traffic to stop these threats but unfortunately this capability isn’t utilized as often as it should be, he said.
Indeed, Cisco quantified the issue in its 2018 Cybersecurity Report, saying 50 percent of global Web traffic was encrypted as of October 2017.
“That is a 12-point increase in volume from November 2016. One factor driving that increase is the availability of low-cost or free SSL certificates. Another is Google Chrome’s stepped-up practice of flagging unencrypted websites that handle sensitive information, like customers’ credit card information, as ‘non-secure’,” the report said.
“Businesses are motivated to comply with Google’s HTTPS encryption requirement unless they want to risk a potentially significant drop in their Google search page rankings. As the volume of encrypted global web traffic grows, adversaries appear to be widening their embrace of encryption as a tool for concealing their [command and control] activity. Cisco threat researchers observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period. Our analysis of more than 400,000 malicious binaries found that about 70 percent had used at least some encryption as of October 2017,” Cisco stated.
Webber pointed out another issue with NGFWs: overlooked coverage of network segmentation, which is in place to increase the protection of enterprise assets.
Next-generation firewalls are deployed to segment internal networks. “It’s important to continuously validate that segmentation is actually working, as segmentation is a great security best practice to break the kill chain and stop attackers from moving deeper into the network. SafeBreach has discovered internal servers (assumed to be properly segmented) were actually communicating out to command and control servers,” the company stated.
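The continuous validation described above can be reduced to a small check that a security team can run from inside each segment on a schedule. The following is an added example written for this article, not SafeBreach's own code or Hacker's Playbook: it takes a list of expected outcomes (which paths the segmentation policy says must be open and which must be blocked), probes each one with a plain TCP connect, and reports every mismatch. The segment layout, addresses and port choices are constructed for illustration; the egress-to-internet checks correspond to the finding quoted above, where an internal server that was assumed to be segmented could still reach a command-and-control server.

```python
"""Validate network segmentation against an expected policy.

Added example (not SafeBreach code). Run it from a host inside the
segment whose policy is being tested. Addresses and segment names below
are hypothetical; replace them with your own.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Expectation:
    """One line of the segmentation policy under test."""
    label: str      # human-readable name of the check
    host: str       # target probed from the segment where the script runs
    port: int
    allowed: bool   # True if the policy says this path must be open


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A completed handshake means the firewall let the SYN through;
    a refused or timed-out connection is treated as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate(expectations: Iterable[Expectation],
             probe: Callable[[str, int], bool] = tcp_probe) -> list[dict]:
    """Run every probe and return the list of policy violations.

    A violation is either an open path the policy says must be blocked
    (the case the article describes: a 'segmented' server reaching the
    internet) or a closed path the policy says must be open (an
    over-tight rule that breaks something and invites a permissive fix).
    """
    findings = []
    for e in expectations:
        reachable = probe(e.host, e.port)
        if reachable != e.allowed:
            findings.append({
                "check": e.label,
                "target": f"{e.host}:{e.port}",
                "expected": "allow" if e.allowed else "deny",
                "observed": "reachable" if reachable else "blocked",
            })
    return findings


# Constructed policy for a hypothetical application-server segment.
# 203.0.113.0/24 is a documentation range standing in for "the internet".
SERVER_SEGMENT_POLICY = [
    Expectation("db tier reachable from app tier", "10.20.0.10", 5432, True),
    Expectation("no egress to internet on 443", "203.0.113.7", 443, False),
    Expectation("no egress to internet on 80", "203.0.113.7", 80, False),
    Expectation("no lateral path to corp workstations", "10.30.0.25", 445, False),
]

if __name__ == "__main__":
    violations = validate(SERVER_SEGMENT_POLICY)
    for v in violations:
        print(f"VIOLATION {v['check']}: {v['target']} "
              f"expected {v['expected']}, observed {v['observed']}")
    if not violations:
        print("segmentation policy holds for all probes")
```

The probe is deliberately a raw connect rather than an application request, because the question being asked is whether the firewall permits the path at all. A "deny" expectation that comes back reachable is the finding to escalate; a "allow" expectation that comes back blocked is worth fixing too, because it is exactly the kind of breakage that tempts someone to loosen a rule in a hurry.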
“Customers can’t just focus security on the edge any more – those days are long behind us. Attacks can come from anywhere,” Webber said.
Another key issue is getting a handle on Internet of Things traffic. “NGFWs are an excellent way to corral IoT traffic but customers need to set new policies and validate others to truly make it work effectively,” Webber said.
Cisco’s research took the IoT problem further, stating that “adversaries are already exploiting security weaknesses in IoT devices to gain access to systems — including industrial control systems that support critical infrastructure. IoT botnets are also growing in both size and power, and are increasingly capable of unleashing powerful attacks that could severely disrupt the Internet.”
“Attackers’ shift toward greater exploitation of the application layer indicates that this is their aim. But many security professionals aren’t aware of, or they dismiss, the threat that IoT botnets pose. Organizations keep adding IoT devices to their IT environments with little or no thought about security, or worse, take no time to assess how many IoT devices are touching their networks. In these ways, they’re making it easy for adversaries to take command of the IoT.”