Firewalls seem like a fixture of IT security, having been used for more than 15 years in most business environments to protect our internal assets from the scary nasties that are out there on the big bad internet.
Of course, the origin of the term comes from the automotive business. The firewall is a fire protection barrier to stop engine fires from entering the passenger compartment.
Some things like the steering column and signalling wires are allowed through, but in a controlled manner that limits unwanted incursions.
I suppose what I am really proposing here is that we stop calling firewalls, firewalls. I’m partial to “intelligent security gateways”. Doesn’t quite roll off the tongue though.
When we first began deploying firewalls they were specifically designed for wired networks and were a literal physical barrier for packets. This is no longer the case.
Firewalls are not dumb barriers with a few holes drilled through them any longer. They are intelligent gatekeepers, more like the border patrol of a nation. Neither side is really inside or out, rather one area and another.
Hence my title, there is no inside. I am very frustrated by the under-utilization of modern firewalls, whether they are network devices or desktop versions.
We must judge our data by what it is, not where it is.
Too often we read the headlines and hear about another network intrusion that begins with “Once the criminals obtained valid network credentials they were able to explore the network and smuggle gigabytes of personal information/credit cards/state secrets/medical records to servers under their control.”
Why, in the 21st century, when much of our workforce is currently sitting in a cybercafe, airport, hotel or home office, do we still think that our employees are on the inside?
What about all of that data you shipped off to the cloud? Is it inside?
Modern firewalls are impressively equipped to help out with these problems.
One really obvious way to get more out of your firewall is to start scrutinizing what is going out from sensitive areas of your network with at least as much effort as you put into stopping unwanted connections coming from the other direction.
It can often be difficult to detect a perpetrator who has phished a valid set of credentials from one of your trusted users. In this case, noticing what information is being accessed and whether it is being sent off to a cloud storage service might be far more useful.
Why not protect your internal web servers and databases the same way? Whether it is a malicious insider or a malware infection, it hardly matters. If the data inside those servers and databases is worth protecting, it shouldn’t matter whether it faces the internet.
Another way firewalls can be used in “reverse” is looking for indications that you may be compromised by more advanced threats.
Often these attacks are designed to bypass anti-virus protection and can worm their way into your infrastructure. Why not watch the network for command and control traffic used by the crooks to control their devious applications?
The lack of segmentation has been a major problem with taking advantage of firewalls. When you think of them as gatekeepers, it makes sense to use one to segment off your HR, Engineering and Finance departments.
Many firewalls are available as low cost hardware appliances or can even operate as software on commodity hardware without any additional licensing cost. The cost of a small PC to protect your Finance department is pretty easy to justify.
Recently Paul Ducklin and I had a chat about the advancement of firewalling technologies and some ideas on how to take advantage of your firewall to be sure you’re getting the most from your investment. Why not give it a listen?
If you are in the market for a new firewall or just want to see how your current firewall vendor compares to Sophos, you can visit our Sophos firewall comparison page to see how we measure up.
More importantly for most of you, you can get this enterprise grade protection at home for absolutely no cost. I use it on my LAN (and even used it before I started working at Sophos!) and I am a pretty picky guy when it comes to securing my network.