"There is no inside" - How to get the most from your firewall

Filed Under: Featured, Privacy, Security threats

shutterstock_SecurityDoNotEnter170Firewalls seem like a fixture of IT security, having been used for more than 15 years in most business environments to protect our internal assets from the scary nasties that are out there on the big bad internet.

Of course, the origin of the term comes from the automotive business. The firewall is a fire protection barrier to stop engine fires from entering the passenger compartment.

Some things like the steering column and signalling wires are allowed through, but in a controlled manner that limits unwanted incursions.

I suppose what I am really proposing here is that we stop calling firewalls, firewalls. I'm partial to "intelligent security gateways". Doesn't quite roll off the tongue though.

When we first began deploying firewalls they were specifically designed for wired networks and were a literal physical barrier for packets. This is no longer the case.

Firewalls are not dumb barriers with a few holes drilled through them any longer. They are intelligent gatekeepers, more like the border patrol of a nation. Neither side is really inside or out, rather one area and another.

Hence my title, there is no inside. I am very frustrated by the under-utilization of modern firewalls, whether they are network devices or desktop versions.

DataWordle200We must judge our data by what it is, not where it is.

Too often we read the headlines and hear about another network intrusion that begins with "Once the criminals obtained valid network credentials they were able to explore the network and smuggle gigabytes of personal information/credit cards/state secrets/medical records to servers under their control."

Why, in the 21st century, when much of our workforce is currently sitting in a cybercafe, airport, hotel or home office, do we still think that our employees are on the inside?

What about all of that data you shipped off to the cloud? Is it inside?

Modern firewalls are impressively equipped to help out with these problems.

One really obvious way to get more out of your firewall is to start scrutinizing what is going out from sensitive areas of your network with at least as much effort as you put into stopping unwanted connections coming from the other direction.

It can often be difficult to detect a perpetrator who has phished a valid set of credentials from one of your trusted users. In this case, noticing what information is being accessed and whether it is being sent off to a cloud storage service might be far more useful.

shutterstock_ServersShield170Many organizations have started using next-generation firewalls to protect internet-facing databases and web servers from SQL injection and other common data theft attacks.

Why not protect your internal web servers and databases the same way? Whether it is a malicious insider or a malware infection, it hardly matters. If the data inside those servers and databases is worth protecting, it shouldn't matter whether it faces the internet.

Another way firewalls can be used in "reverse" is looking for indications that you may be compromised by more advanced threats.

Often these attacks are designed to bypass anti-virus protection and can worm their way into your infrastructure. Why not watch the network for command and control traffic used by the crooks to control their devious applications?

The lack of segmentation has been a major problem with taking advantage of firewalls. When you think of them as gatekeepers, it makes sense to use one to segment off your HR, Engineering and Finance departments.

Many firewalls are available as low cost hardware appliances or can even operate as software on commodity hardware without any additional licensing cost. The cost of a small PC to protect your Finance department is pretty easy to justify.

Recently Paul Ducklin and I had a chat about the advancement of firewalling technologies and some ideas on how to take advantage of your firewall to be sure you're getting the most from your investment. Why not give it a listen?

(Audio player above not working? Download, or listen on Soundcloud.)

If you are in the market for a new firewall or just want to see how your current firewall vendor compares to Sophos, you can visit our Sophos firewall comparison page to see how we measure up.

More importantly for most of you, you can get this enterprise grade protection at home for absolutely no cost. I use it on my LAN (and even used it before I started working at Sophos!) and I am a pretty picky guy when it comes to securing my network.

Click to get the Sophos UTM Home Edition for free...

Server with shield image and Unsafe Area sign courtesy of Shutterstock.

, , ,

You might like

19 Responses to "There is no inside" - How to get the most from your firewall

  1. jrodgers@dis.n-i.nhs.uk · 407 days ago

    How about "Application delivery controllers"?

  2. Anonymous · 407 days ago

    I always used to joke about how you had to watch out that the firewalls didn't cause any explosions in the ether from the ethernet.

    The real reason firewalls aren't used more inside the internal network are not knowing exactly what's needed, and the administrative difficulty of making needed changes. It would be nice if all publishers documented all of the network ports needed for all of their software, but they don't. So you try to identify what the software needs, and you think you've got it, but then find out you missed something it needs under extraordinary circumstances. So then you have to open another port on the firewall, but your organization makes you fill out form QXYZ-1261832 and wait 15 weeks for approval before you can do that. So it's a lot easier not to put up internal firewalls.

    And even if it's only one PC, you still have to justify that expense at a time when companies are trying to eliminate as much as possible.

    • LonerVamp · 406 days ago

      Software aside, it's also about the company asking itself who needs access to what. And that becomes a huge pain when trying to implement internal firewalls where before there never was any.

      Besides which, it's still a reality in a Windows environment that your most important systems are still needing the most risky ports opened for everyone internal Windows ports on DCs and fileservers, etc.).

      Always hard to get traction there.

  3. w8sdz · 406 days ago

    You could use the term that the Republicans are always ranting about: "Secure Border Gateway".

  4. Reader · 406 days ago

    Sophos' firewall is apparently not made for Macs. :-(

    • Paul Ducklin · 406 days ago

      If you mean what we call our "endpoint firewall," that is indeed Windows only. That's a part of Sophos Endpoint Security and Control that is installed right on your PC. It provides a range of firewall-like features, including some stuff you can't do on an "inbetween firewall," such as associating network traffic directly with the application that originated it, and allowing or blocking it on that basis.

      That's yet another use of the word "firewall" - one we're pretty much stuck with - but not the one that's meant here.

      Sophos's firewall _in the sense you will hear us use in the above podcast_ (i.e. the sort of firewall that sits between the computer you want to protect and the rest of the world, not on that computer) is perfectly fine with Macs. And iOS, Android, Windows, Linux, or whateverelseitmightbe.

      Hope that clears up any terminological confusion...

  5. Bill · 406 days ago

    Mixing up IDS/IPS and firewalls there - appreciated that at the low end commercial and public regularly these are (quite often badly) rolled together. But in proper circles these are often kept seperate. Plus, on a minor note, I was under the impression firewall came from houses, not cars.

    • Paul Ducklin · 405 days ago

      They both involve looking at network packets to a greater or lesser depth. The idea that it is somehow "improper" to do them together doesn't really make sense.

      Having said that, if you use Sophos's UTM-flavoured firewall - call it a firewall++ if you will - then our licensing means you can run two of them, one doing old-skool firewalling only, and the other doing IDS only, thus keeping them separate.

    • Modern firewalls perform IPS and many other services to ensure the security of the environment.

      As to the origin of the word firewall, it appears to go back to eighteenth century America, but doesn't appear to have originated from any specific application.

  6. TonyG · 406 days ago

    A decent firewall set up by someone who knows a little bit about security is probably as important, if not more important, than anti-virus these days. After all, it is better to stop the malware getting in than simply trying to stop it and remove it once it is already inside.

    One point about firewalls - the simple ones probably cannot keep up any more - a web browser used to have only one or two connections at a time - now it is more like 30; each user may easily have 50 connections to the outside world, and so a 10 user small office may have 500 connections. This starts to need significant performance in a firewall if it is not going to become a bottleneck.

    • Paul Ducklin · 405 days ago

      A firewall with no or little anti-virus specific detection abilities is going to hit some serious limitations detecting malware, known and unknown. (How would it deal with malware on a USB key, for example? Or in a webmail attachment? Or in an exploit kit that has been injected into a legitimate web site?)

      Defence in depth says go for both approaches (plus put anti-virus capability into your firewall, and firewall capability into your anti-virus).

  7. MikeP_UK · 406 days ago

    The problem with the Sophos UTM firewall, or whatever you want to call it, is that it needs a separate PC on which to run it and that effectively becomes a 'server'. Very, very few home users have a 'spare' PC on which to run the software and a great many do not even have a 'network', relying solely on their own PC connected directly to their Router/Modem which may have a 'built in' 'firewall system' that performs packet inspection duties, etc. Most of those who do run a network do not use the server-based method, relying largely on the router features.
    So we home users are not able to make use of UTM unless we totally reconfigure the systems we have and I doubt many will be that bothered to spend the time and money for what may seem little return.
    What we need is a decent firewall that can be run on each and every PC/Laptop/etc that is used at home or on the move. Without that, we are vulnerable. So some use 'free' firewalls - but how good are they? Others use 'paid for' firewalls and again how good are they?
    Then consider how many small businesses don't use a server-based system. Many who have just two or three PCs don't go to the expense of a server system - but they need protection just as much as big businesses do and so do we little home users.
    So how about Sophos providing a firewall system that does not need a separate server?

    • VL-S · 405 days ago

      Cost of a refurbished desktop...somewhere between 150 to 200 (one time cost). Cost of cable TV...50 - 100 per month. Perhaps the the home/small business owner needs to weigh her/his priorities.

    • Jim · 405 days ago

      I think the "separate server" concept is because it's a security best practice. Firewalls should always be independent of other entities on the network, including routers and other servers.

      In a home environment, this can be bypassed by simply calling it a server, but using it for much more.

      HOWEVER, there is a cost. That rule wasn't made for nothing. If the firewall device does any other tasks, that means it has more connections available, and thus is open to hacks that would not otherwise be able to get through a firewall.

      For example, if I put IIS and a firewall on the same internet-facing device, then that device is vulnerable to both attacks against the firewall component and against the IIS component. Hackers pick the low-hanging fruit, and that's almost certain to be IIS in this example. If they can get either elevation or RCE, it's very likely they can compromise the firewall from there.

    • Paul Ducklin · 405 days ago

      The Sophos UTM isn't for everybody. (Though I question the assertion that "very, very few home users" have a spare PC. Many might not; but many certainly do, especially in the developed world.)

      The UTM is specifically designed to provide an independent barrier between your PC and the internet, rather than to be part of the protection that runs on your PC.

      Ironically, perhaps, our anti-virus (which is more than just a virus scanner, of course - it examines network traffic too, by way of detecting suspicious stuff) is free for up to 12 Windows computers...

      ...managed from the UTM, free with the free UTM licence :-)

      If you have a router with a built-in firewall, and that's all the protection you want to spend money on, then you don't need the UTM. If you do get hold of a suitable spare computer, then you can place the UTM between your router and your PC for extra security.

      If you really want to, though it's a bit of effort, you could use (say) VirtualBox on your single computer and run the UTM in that...not as secure or simple as a separate box, but it *can* run on the same device that you use for everything else, if you really want it to.

      • MikeP_UK · 405 days ago

        Talk of using a server suggests that you need a device that has 2 NICs, one for the connection to the modem and the second to 'serve' the rest of the internal network, perhaps via a router. That 'server' has to be sufficiently fast to cope with the level of traffic expected through the network as a whole. I don't know of any commercially available laptop that can run 2 NICs.
        To use another device that is connected alongside (parallel instead of series) the other devices on the network means that anything that can appear on the internal side of the network can affect/infect all such devices.
        Many do not have a 'spare' PC available. I help many local retired people to learn how to use PCs, etc and none of them will ever have a 'spare' device. Many do not have access, nor want it, to cable TV in the UK. So such 'costs' are not relevant.
        Remember that most people are not geeks and only have what they need, even if they are not fashionable.
        But in common with big business they all want to be secure.

      • Bart · 405 days ago

        I would like to know how much expertise is involved in setting up an old PC between our router and wireless home network of two Macs.

        On the UTM Home Edition page I clicked on the link to Visit our support forum and was returned a blank page. Can one get installation help there?

        • I'm not sure why you are having trouble connecting to the forum, but that is a great place to get help. I use the UTM in a virtual machine and it works great.

          Perhaps you can try using a different browser to see if that works better? I use the following URL when I connect. https://www.astaro.org/

  8. Alexa Kindler · 405 days ago

    According to Wikipedia, firewalls were used in ships, train engines and other steam-powered vehicles back in the 19th century, long before there were automobiles

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.