Let's talk firewalls. It used to be that if you had a firewall,
you were basically protected against a lot of the threats that
are in the world today. While it is true that having a firewall
in place will help mitigate a lot of threats, it is still not the only
thing you need on your network or servers. OK, now that the
disclaimer is out of the way, let's move on to the firewall subject at
hand. From a security standpoint, firewalls can help by letting you (the
good guy) see different things on your network while keeping others
(possibly bad people) from fingerprinting your network. There is a
wealth of firewall types, including packet filtering, proxy, and
stateful inspection firewalls, but I would like to cover the
approach of utilizing a firewall to hide behind.

Why would you want to hide? Or what do I gain from being
invisible?

Think about it for a second from the mind of a malicious person.
Actually, let's take the standpoint of an inside threat. As a
disgruntled employee, you want to take down something on the
network on your last day of work. You just don't give a crap anymore,
and you won't see any of these people after you leave your little
present anyway. Now switch hats: you, as a network administrator, had
previously decided to try and mitigate some risk by setting up some
firewalls. Each department is blocked from other departments, and each
department only has access to the areas of the network that it needs
access to. Sounds simple enough, right? Wrong.

I have seen quite a few networks where the network administrator
will simply set up the network to allow everyone access to each part
of the network because it makes their job easier. Having firewalls in
place throughout your INTERNAL network is just as important as having
firewalls block threats from outside your network. The biggest thing
that keeps people from doing this is cost. As a disclaimer, I am a
big Cisco guy, so my networks are usually segregated by Cisco
routers. In any vendor's network there will almost always be some sort
of method to control traffic. Your setup could be a router on a
stick or a 50+ internal router setup, but it all boils down to the
firewall rules that you put into place.

I will briefly cover a couple of firewall methods so I don't leave
you hanging in the wind. The previously mentioned one was with Cisco
gear. ACLs can work wonders. These little things on gear you
already have can be your first line of defense for keeping people in
Customer Support from getting to the Accounting computers. Another
option is the use of a transparent Linux firewall/proxy. It acts just
like a switch on your network, passing data like normal, but inspects
the packets to make sure they are allowed to be there. Again on the
Cisco side, but more expensive, are your (older) PIX and (new) ASA
firewalls. If you have the money for an ASA, go for it!

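
As an added example (not from the original post), here is a Cisco IOS
extended ACL on a router-on-a-stick subinterface that keeps Customer
Support out of Accounting, shown beside the allow-everything rule
described above. The subnets, VLAN number, server addresses and ACL
names are constructed for illustration.

```cisco
! Constructed addressing (assumptions, not from the post):
!   Customer Support  10.10.20.0/24  VLAN 20
!   Accounting        10.10.30.0/24  VLAN 30
!   Shared servers    10.10.99.0/24  (DNS .10, ticketing web app .20)

! --- Weak: the "everyone can reach everything" setup ---
ip access-list extended SUPPORT-IN-OPEN
 permit ip any any

! --- Segmented: Support gets only what it needs ---
ip access-list extended SUPPORT-IN
 remark Shared services Support actually uses
 permit udp 10.10.20.0 0.0.0.255 host 10.10.99.10 eq domain
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.99.20 eq 443
 remark Anything aimed at Accounting is dropped and logged
 deny   ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 log
 remark No other internal ranges, then allow the internet
 deny   ip 10.10.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.20.0 0.0.0.255 any
 remark Spoofed or unexpected sources fall through to the implicit deny

interface GigabitEthernet0/0.20
 description Customer Support (router-on-a-stick subinterface)
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ! Filter traffic as it enters the router from the Support VLAN
 ip access-group SUPPORT-IN in
 ! Do not answer denied packets with ICMP unreachables, so a scan
 ! from this VLAN sees silence instead of "administratively prohibited"
 no ip unreachables

! Note: these ACLs are stateless. Replies from Support to sessions that
! Accounting opens are also dropped by the deny line above.
! Check what is being hit with: show ip access-lists SUPPORT-IN
```

The per-line hit counters in `show ip access-lists` and the `log`
keyword on the Accounting deny are what give you the visibility side:
a Support host probing Accounting shows up there.
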
What it boils down to is protection. Firewalls are there as a
layer of security and that is what you are looking for. Layers. In
a drive-by scan you want to be hidden so they don't dig deeper. In a
targeted internal or external attack you want to provide as many
roadblocks as possible.

-- Joe McShinsky
Saturday, October 22, 2011