ericgeater
Community Champion

When your firewall is your border...

(A follow-up to a previous question. For this post, I'm going to leave sandboxing and honeynetting out of this topic, and strictly assume my code, web servers and email servers are healthy and only require defensive attention.)

My UTM firewall is also my border gateway (or, it faces the carrier's router). To the best of my knowledge, it's designed to take a licking from the internet side, and it's done a great job for a long time. I do some NATting to an email server and some public web presence, but everything else is always deny.

During my study time, I received lots more in-depth information about tiered firewalls, DMZs, IDPS, and other types of border network segmentation (perimeter vs internal). After that, no matter how much I like my UTM firewall, all I can see now are the NAT pinholes, and the risk to availability.

So now I want to add a layer of defense. What are some good boundary solutions to place between the internet and a UTM, to keep availability resilient?

-----------
A claim is as good as its veracity.
7 Replies
dcontesti
Community Champion

So there are many ways to do this.

I have seen folks develop a DMZ where they house public information but then they forget critical steps (they leave the incoming port on the DMZ and the outgoing port to the network the same, so traffic comes in on port x from the internet and goes into the production network on the same port... thus if I hack the first firewall, I can easily get through the next one).

One of the largest issues we faced when doing firewall work was everyone wanting their application to be available to anyone from anywhere. This of course caused many issues.

So all the things that you mention (Sandboxing, IDS/IPS, Honeynets/pots, DMZ) help, but I always recommend that folks do Data Classification and that someone (other than you) accepts the risk to the ENTIRE network and not just their application.

Unfortunately all too often the business wants everything and they forget that the holes they are implementing expose the entire organization.

I definitely would put an IPS in place (however, having said that, I would run it in IDS mode for a bit... so as to not shut down production or cause any issues).

One question, do you have an IT architect?

OTHER folks, please chime in on this one.

Thanks

Diana

Shannon
Community Champion

@ericgeater, the primary advantage of a UTM is that it's one solution offering you many features that will be integrated for central management / reporting, usually with a lower OPEX.

(If you have multiple solutions, integration can be a pain, along with handling these if they're administered by different people.)

That being said, you should ensure that the UTM offers you the essentials to cover network security, including:

  • NGF features (Packet filtering, NAT, VPNs, IDS / IPS, Application control, Deep packet inspection, Threat intelligence, Malware protection, etc.)
  • VPN gateway
  • WAF features
  • Proxy features

(If the UTM lacks any of these, you'll have to use other solutions for them, or procure additional licenses if the UTM itself offers these features.)

To address availability concerns, you can opt for one or both of the following:

  1. Deploy other solutions that provide similar features.
  2. Have the UTM in a high-availability / fail-over mode.

Option 1 may have higher operational costs, but it will give you defense-in-depth. Option 2 may be cheaper, but you'll run the risk of the UTM itself being exploited, in which case a fail-over system of the same type won't be of much use.

@dcontesti asked if you have an IT Architect, and if you don't, you should get one either to propose a design or review the existing one, because a bad design / implementation can come back to bite you. (You will need one for whichever of the above options you choose.)

I'll be interested in knowing what approach you take...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Being an architect, I thought I had best pipe in. My thoughts are: yes, you should do the data classification, but I would extend that to a risk management assessment as well. Ask yourself, and your organisation, how data is flowing in and out of the organisation. Is the border gateway the only route it has? Are there other means which you may not be aware of? Shadow cloud, for instance, is a real threat these days amongst many employees, without the organisation being aware it is even happening. You need to take a holistic perspective: understand the business, how it works, what is necessary to keep it working and what is essential.

E-mail and Web access may come through a different route, and bypass the border gateway?

The Data Classification is important in association with the risk management assessment, as to whether your current controls are sufficient to protect the organisation. I would run workshops with various parts of the organisation, and challenge them: if they wanted to remove information from the organisation, how would they do it? This is a similar technique to the one used in PCI DSS audits, i.e. how would you remove or access credit card details. You may be surprised what comes out of it; don't be surprised if you find some very ingenious methods being deployed to get around organisational controls. Do you have a policy on Wi-Fi and BYOD for instance, and how is this monitored?

Do privileged administrators or others have roles and responsibilities which have gathered over a period of time? And why is DNS tunneling being permitted through the firewall, for instance, or a VPN you didn't know existed - why is it being used?

An independent method would be to run a penetration test directly against the organisation for confirmation that the current controls are sufficient or insufficient, or that other avenues are available which you were not aware of.

Review the network architecture: are there surprises in store? When was the last time the network architecture was reviewed, or the gateway rules validated and assigned to each owner, for instance? Is there a valid business context for it existing?

There are many other aspects, but this should get you thinking. Think like a burglar: if I wanted to obtain information, i.e. infiltrate inwards or exfiltrate outwards, how would I do it?

Regards

Caute_cautim

vt100
Community Champion

Having designed, implemented and lived with the consequences of my decisions, I can recommend quite a few approaches to securing your crown jewels :)

Let's start small: a UTM solution capable of tackling most of the threats while affording great flexibility. Being a devoted proponent of Check Point's products, I can tell you that those could cover about 90% of your needs, including HTTPS, TLS inspection, SNI-to-SAN matching for superior web filtering, Threat Emulation either on the Check Point cloud or locally on a dedicated appliance with sandboxing in a multitude of operating systems and environments, content awareness and on-premises DLP. To be fair to the competition, Palo Alto and Fortinet have comparable (but not superior, IMHO) offerings.

Where they are lacking a bit is in the DNS space, but you are better off using either Cisco Umbrella (formerly OpenDNS) or Infoblox ActiveTrust Cloud for this anyway.

In order to tackle most of the shadow IT, SaaS security and SaaS DLP, go with Symantec Cloud SOC.

Stop IPv6-in-IPv4 tunneling as well as the QUIC protocol on your UTM to prevent uninspected traffic from traversing it.

Break your internal infrastructure into multiple segments and pipe it through the UTM; if you are averse to complex routing environments, use L2 bridges to subject the traffic to inspection by the Threat Prevention engines.

This should cover the basics for the edge of your network.

Vladimir Yakovlev, CISSP

higher.intelligence@gmail.com

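One way to turn the review points raised in this thread into a repeatable check: dcontesti's same-port DMZ pass-through, Caute_cautim's rule ownership and validation, and the IPv6-in-IPv4, QUIC and DNS egress concerns above. This is an added example, not code from any poster or vendor; the rule schema, the constructed sample rules and the approved-resolver policy are assumptions.

```python
from datetime import date

# Constructed sample rule table (assumed schema): one dict per allow rule.
RULES = [
    {"id": 1, "src": "internet", "dst": "dmz", "proto": "tcp", "port": 443,
     "dst_ip": "10.1.0.10", "owner": "web-team", "reviewed": "2024-02-01"},
    {"id": 2, "src": "dmz", "dst": "prod", "proto": "tcp", "port": 443,
     "dst_ip": "10.2.0.5", "owner": None, "reviewed": None},
    {"id": 3, "src": "internet", "dst": "dmz", "proto": "tcp", "port": 25,
     "dst_ip": "10.1.0.20", "owner": "mail-team", "reviewed": "2022-03-15"},
    {"id": 4, "src": "lan", "dst": "internet", "proto": "41", "port": None,
     "dst_ip": "any", "owner": "netops", "reviewed": "2024-01-05"},
    {"id": 5, "src": "lan", "dst": "internet", "proto": "udp", "port": 443,
     "dst_ip": "any", "owner": "netops", "reviewed": "2024-01-05"},
    {"id": 6, "src": "lan", "dst": "internet", "proto": "udp", "port": 53,
     "dst_ip": "any", "owner": "netops", "reviewed": "2024-01-05"},
]
APPROVED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}  # assumed policy (Quad9)
MAX_REVIEW_AGE_DAYS = 365

def review_rules(rules, today=date(2024, 6, 1)):
    """Return a list of (rule_id, finding) tuples for a rule table."""
    findings = []
    inbound = {(r["proto"], r["port"]) for r in rules
               if r["src"] == "internet" and r["dst"] == "dmz"}
    for r in rules:
        rid = r["id"]
        if not r["owner"]:
            findings.append((rid, "no owner assigned"))
        if not r["reviewed"] or \
           (today - date.fromisoformat(r["reviewed"])).days > MAX_REVIEW_AGE_DAYS:
            findings.append((rid, "not reviewed within %d days" % MAX_REVIEW_AGE_DAYS))
        # DMZ pass-through: the same proto/port accepted from the internet is
        # also opened from the DMZ into production, so the DMZ adds no barrier.
        if r["src"] == "dmz" and r["dst"] == "prod" and (r["proto"], r["port"]) in inbound:
            findings.append((rid, "DMZ pass-through: internet port %s/%s also opened to prod"
                             % (r["proto"], r["port"])))
        if r["dst"] == "internet":
            if r["proto"] == "41":
                findings.append((rid, "IPv6-in-IPv4 tunnel (IP proto 41) allowed, uninspected"))
            if r["proto"] == "udp" and r["port"] == 443:
                findings.append((rid, "QUIC (UDP/443) allowed, bypasses TLS inspection"))
            if r["proto"] == "udp" and r["port"] == 53 and r["dst_ip"] not in APPROVED_RESOLVERS:
                findings.append((rid, "DNS to arbitrary resolvers allowed (tunneling risk)"))
    return findings

if __name__ == "__main__":
    for rid, msg in review_rules(RULES):
        print("rule %d: %s" % (rid, msg))
```

Rule 1 passes cleanly; rule 2 is the DMZ pass-through case and also lacks an owner and a review date, which is the combination the thread warns about.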

Caute_cautim
Community Champion

@vt100 Everyone has preferences - but we have to ensure that these do not cloud our judgement or the client's budget as well. You could also try Quad9 DNS, https://www.quad9.net/, which is similar to the Cisco Umbrella approach and is also a good alternative.

There are other CASB providers as well which should be reviewed, such as Forcepoint for instance, which includes the DLP capabilities you discussed too.

There is a vast number of suppliers, all willing to flog their goods; we should remain open-minded, but having good reference architectures as a baseline for design purposes is a good way to reduce re-work.

Regards

Caute_cautim

ericgeater
Community Champion

We do operate our UTM in a HA/FO mode, by the way. And we really do have a limited number of resources which NAT through the firewall, so we have that going for us...

We may have never considered an architect, by the way, because it is a limited number of NATted resources... which, knock on wood, seems to be a blessing at the moment.

Thanks!

-----------
A claim is as good as its veracity.
vt100
Community Champion

@Caute_cautim wrote:

@vt100 Everyone has preferences - but we have to ensure that these do not cloud our judgement or the client's budget as well. You could also try Quad9 DNS, https://www.quad9.net/, which is similar to the Cisco Umbrella approach and is also a good alternative.

There are other CASB providers as well which should be reviewed, such as Forcepoint for instance, which includes the DLP capabilities you discussed too.

There is a vast number of suppliers, all willing to flog their goods; we should remain open-minded, but having good reference architectures as a baseline for design purposes is a good way to reduce re-work.

Regards

Caute_cautim

Quad9 from IBM is an excellent public secure DNS service, but that's all it is. Umbrella actually redirects DNS calls to itself and proxies traffic out to the destination. In addition, it does extensive logging and analytics on the user traffic, which Quad9 cannot do.

This comes in handy when your users are mobile and are working not only from inside the perimeter, but from outside as well.

This being said, I do prefer to have vendor-agnostic designs. If it's conceptually sound, plug in the solution of your preferred vendor; just pay attention to specific platform caveats and limitations.

Specifically on the subject of Forcepoint: I see users gravitating away from it of late. I built the Websense Triton environments before they became Forcepoint, and it was a pretty labor-intensive system to operate back in the day. A good one, but it did require dedicated admins.

Regardless of your choices, it is always a good idea to check on the current and past number of vulnerabilities of the security products being considered. A good independent resource for that is https://www.cvedetails.com/vendor-search.php