5 firewall features IT pros should know about but probably don’t
- 10 February, 2020 16:00
Firewalls continuously evolve to remain a staple of network security by incorporating functionality of standalone devices, embracing network-architecture changes, and integrating outside data sources to add intelligence to the decisions they make – a daunting wealth of possibilities that is difficult to keep track of.
Because of this richness of features, next-generation firewalls are difficult to master fully, and important capabilities sometimes can be, and in practice are, overlooked.
Here is a shortlist of new features IT pros should be aware of.
Network segmentation
Network segmentation divides a single physical network into multiple logical networks, each of which behaves as if it runs on its own physical network. Traffic from one segment can’t be seen by or passed to another segment.
This significantly reduces attack surfaces in the event of a breach. For example, a hospital could put all its medical devices into one segment and its patient records into another. Then, if hackers breach a heart pump that was not secured properly, that would not enable them to access private patient information.
It’s important to note that many of the connected devices that make up the Internet of Things (IoT) run older operating systems, are inherently insecure and can act as a point of entry for attackers, so the growth of IoT and its distributed nature increases the need for network segmentation.
Policy optimisation
Firewall policies and rules are the engine that makes firewalls go. Most security professionals are terrified of removing older policies because they don’t know when they were put in place or why. As a result, rules keep getting added with no thought of reducing the overall number.
Some enterprises say they have millions of firewall rules in place. The fact is, too many rules add complexity, can conflict with each other and are time-consuming to manage and troubleshoot.
Policy optimisation migrates legacy security policy rules to application-based rules that permit or deny traffic based on what application is being used. This improves overall security by reducing the attack surface and also provides visibility to safely enable application access.
Policy optimisation identifies port-based rules so they can be converted to application-based whitelist rules, or so that the applications seen on a port-based rule can be added to an existing application-based rule, without compromising application availability.
It also identifies over-provisioned application-based rules. Policy optimisation helps prioritise which port-based rules to migrate first, identify application-based rules that allow applications that aren’t being used, and analyse rule-usage characteristics such as hit count, which compares how often a particular rule is applied vs. how often all the rules are applied.
Converting port-based rules to application-based rules improves security posture because the organisation can select the applications it wants to whitelist and deny all other applications. That way unwanted and potentially malicious traffic is eliminated from the network.
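As an added illustration (not code from the article or from any firewall vendor), the following Python walks a constructed rulebase the way policy optimisation is described above: it computes each rule’s share of total hits, lists rules that were never hit, orders port-based rules for migration by traffic volume, and flags application-based rules that allow applications never observed in traffic. Rule names, hit counts and the observed-application set are all constructed.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    match: str       # "port" (legacy, e.g. tcp/443) or "app" (application-based)
    targets: tuple   # ports or application names the rule permits
    hits: int        # how often the rule matched traffic in the review window


# Constructed sample rulebase; hit counts are invented for illustration.
RULES = [
    Rule("allow-web", "port", ("tcp/80", "tcp/443"), 120_000),
    Rule("allow-dns", "port", ("udp/53",), 45_000),
    Rule("legacy-ftp", "port", ("tcp/21",), 0),
    Rule("allow-office365", "app", ("ms-office365", "ms-exchange", "sharepoint"), 30_000),
    Rule("allow-crm", "app", ("salesforce", "slack"), 5_000),
]

# Constructed observation: applications that actually appeared in traffic.
APPS_SEEN = {"ms-office365", "ms-exchange", "salesforce"}


def hit_share(rules):
    """Hit count of each rule relative to hits across the whole rulebase."""
    total = sum(r.hits for r in rules) or 1
    return {r.name: r.hits / total for r in rules}


def unused_rules(rules):
    """Rules that matched nothing in the window: candidates for removal."""
    return [r.name for r in rules if r.hits == 0]


def migration_order(rules):
    """Port-based rules, busiest first: converting these to app-based rules
    removes the most opaque, high-volume traffic from the network first."""
    ports = [r for r in rules if r.match == "port"]
    return [r.name for r in sorted(ports, key=lambda r: r.hits, reverse=True)]


def over_provisioned(rules, apps_seen):
    """App-based rules that allow applications never seen: tighten these."""
    result = {}
    for r in rules:
        if r.match == "app":
            unused = sorted(set(r.targets) - apps_seen)
            if unused:
                result[r.name] = unused
    return result
```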
Credential-theft prevention
Historically, workers accessed corporate applications from company offices. Today they access legacy apps, SaaS apps and other cloud services from the office, home, airport and anywhere else they may be.
This makes it much easier for threat actors to steal credentials. The Verizon Data Breach Investigations Report found that 81 per cent of hacking-related breaches leveraged stolen and/or weak passwords.
Credential-theft prevention blocks employees from using corporate credentials on sites such as Facebook and Twitter. Even though they may be sanctioned applications, using corporate credentials to access them puts the business at risk.
Credential-theft prevention works by scanning username and password submissions to websites and comparing those submissions against lists of official corporate credentials. Businesses can choose which websites corporate credentials may be submitted to, or block the submissions, based on the URL category of the website.
When the firewall detects a user attempting to submit credentials to a site in a category that is restricted, it can display a block-response page that prevents the user from submitting credentials.
Alternatively, it can present a continue page that warns users against submitting credentials to sites classified in certain URL categories, but still allows them to continue with the credential submission. Security professionals can customise these block pages to educate users against reusing corporate credentials, even on legitimate, non-phishing sites.
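An added example, not from the article, of the decision logic described above: the firewall keeps keyed fingerprints of corporate credentials rather than the credentials themselves, then returns block, continue or allow for a credential submission according to the URL category of the destination site. The HMAC fingerprint scheme, the category names, the default action and the sample accounts are all assumptions made for this example.

```python
import hashlib
import hmac

# Assumed deployment secret: fingerprints are keyed so the list on the firewall
# cannot be used as an offline dictionary of corporate passwords.
FINGERPRINT_KEY = b"constructed-deployment-secret"


def fingerprint(username: str, password: str) -> str:
    """Keyed hash of a username/password pair (usernames compared case-insensitively)."""
    msg = f"{username.lower()}\x00{password}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


# Constructed corporate directory: only fingerprints are stored on the firewall.
CORPORATE_FINGERPRINTS = {
    fingerprint("alice@example.com", "Winter2020!"),
    fingerprint("bob@example.com", "correct horse battery staple"),
}

# Per-URL-category action, mirroring the block / continue / allow choices above.
# Category names are assumptions, not any vendor's taxonomy.
CATEGORY_ACTION = {
    "corporate-sanctioned": "allow",   # e.g. the company's own SSO portal
    "social-networking": "block",      # block-response page; submission stopped
    "personal-email": "continue",      # warning page; user may still proceed
}
DEFAULT_ACTION = "continue"            # unknown category: warn rather than block


def evaluate_submission(username: str, password: str, url_category: str) -> str:
    """Return the firewall action for a credential POST to a site in url_category."""
    if fingerprint(username, password) not in CORPORATE_FINGERPRINTS:
        return "allow"  # not a corporate credential: outside this feature's scope
    return CATEGORY_ACTION.get(url_category, DEFAULT_ACTION)
```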
DNS security
A combination of machine learning, analytics and automation can block attacks that leverage the Domain Name System (DNS). In many enterprises, DNS servers are unsecured and completely wide open to attacks that redirect users to bad sites where they are phished and where data is stolen.
Threat actors have a high degree of success with DNS-based attacks because security teams have very little visibility into how attackers use the service to maintain control of infected devices. There are some standalone DNS security services that are moderately effective but lack the volume of data to recognise all attacks.
When DNS security is integrated into firewalls, machine learning can analyse the massive amount of network data, making standalone analysis tools unnecessary. DNS security integrated into a firewall can predict and block malicious domains through automation and the real-time analysis that finds them.
As the number of bad domains grows, machine learning can find them quickly and ensure they don’t become problems.
Integrated DNS security can also use machine-learning analytics to neutralise DNS tunnelling, which smuggles data through firewalls by hiding it within DNS requests. DNS security can also find malware command-and-control servers.
It builds on top of signature-based systems to identify advanced tunnelling methods and automates the shutdown of DNS-tunnelling attacks.
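An added example, not from the article, of the kind of heuristic an integrated DNS security engine can apply on top of signatures to spot tunnelling: queries are grouped by registered domain, and a domain is flagged when its subdomains are consistently long, high-entropy and almost never repeated, which is how data smuggled inside DNS requests tends to look. The thresholds, the two-label registered-domain rule and the sample query log (including the domain exfil.example) are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload labels score far higher than words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (subdomain labels, registered domain). Assumes the registered domain
    is the last two labels; a real engine would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_domains(queries, min_queries=5, max_avg_len=50, min_entropy=3.5, min_unique=0.9):
    """Flag registered domains whose subdomains look like a data channel."""
    by_domain = defaultdict(list)
    for q in queries:
        by_domain[split_name(q["qname"])[1]].append(q)
    flagged = {}
    for domain, qs in by_domain.items():
        if len(qs) < min_queries:          # too few samples to judge
            continue
        subs = ["".join(split_name(q["qname"])[0]) for q in qs]
        avg_len = sum(len(q["qname"]) for q in qs) / len(qs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique_share = len(set(subs)) / len(subs)   # caches would repeat normal names
        if avg_len > max_avg_len and avg_entropy > min_entropy and unique_share > min_unique:
            flagged[domain] = {"queries": len(qs), "avg_len": avg_len,
                               "avg_entropy": round(avg_entropy, 2),
                               "txt_share": sum(q["qtype"] == "TXT" for q in qs) / len(qs)}
    return flagged


# Constructed sample query log: five ordinary lookups plus six queries whose
# subdomains carry a base32-like payload to a domain invented for this example.
ALPHA = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = [{"qname": n, "qtype": "A"} for n in
                  ["www.example.com", "mail.example.com", "www.example.com",
                   "calendar.example.com", "www.example.com"]]
SAMPLE_QUERIES += [{"qname": f"q{i}.{ALPHA[i:]}{ALPHA[:i]}.{ALPHA[::-1]}.exfil.example",
                    "qtype": "TXT"} for i in range(6)]
```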
Dynamic user groups
It’s possible to create policies that automate the remediation of anomalous activities of workers. The basic premise is that users’ roles within a group mean their network behaviours should be similar to each other. For example, if a worker is phished and strange apps were installed, this would stand out and could indicate a breach.
Historically, quarantining a group of users was highly time consuming because each member of the group had to be addressed and policies enforced individually. With dynamic user groups, when the firewall sees an anomaly it creates policies that counter the anomaly and pushes them out to the user group.
The entire group is automatically updated without having to manually create and commit policies. So, for example, all the people in accounting would receive the same policy update automatically, at once, instead of manually, one at a time.
Integration with the firewall enables the firewall to distribute the policies for the user group to all the other infrastructure that requires them, including other firewalls, log collectors or applications.
Firewalls have been and will continue to be the anchor of cyber security. They are the first line of defence and can thwart many attacks before they penetrate the enterprise network.
Maximising the value of firewalls means turning on many of the advanced features, some of which have been in firewalls for years but not turned on for a variety of reasons.