Saturday, October 22, 2011

Security+ Topic - Firewalls

Let's talk firewalls. It used to be that if you had a firewall, you were basically protected against a lot of the threats that are in the world today. While it is true that having a firewall in place will help mitigate a lot of threats, it is still not the only thing you need on your network or servers. Ok, now that the disclaimer is out of the way, let's move on to the firewall subject at hand. From a security standpoint they can help by letting you (the good guy) see different things on your network while keeping others (possibly bad people) from fingerprinting your network. Even with a wealth of types of firewalls, including packet filtering, proxy, and stateful inspection firewalls, I would like to cover the approach of utilizing a firewall to hide behind.


Why would you want to hide? Or what do I gain from being invisible?


Think about it for a second from the mind of a malicious person. Actually, let's take the standpoint of an inside threat. As a disgruntled employee, you are wanting to take down something on the network on your last day of work. You just don't give a crap anymore, and you won't see any of these people after you leave your little present anyway. Meanwhile you, as the network administrator, had previously decided to try and mitigate some risk by setting up some firewalls. Each department is blocked from other departments, and each department only has access to the areas of the network that it needs.


Sounds simple enough right? Wrong.


I have seen quite a few networks where the network administrator will simply set up the network to allow everyone access to every part of the network because it makes their job easier. Having firewalls in place throughout your INTERNAL network is just as important as having firewalls block threats from outside your network. The biggest thing that keeps people from doing this is cost. As a disclaimer, I am a big Cisco guy, so my networks are usually segregated by Cisco routers. In any vendor's network there will almost always be some method to control traffic. Your setup could be a router on a stick or a 50+ internal router setup, but it all boils down to the firewall rules that you put into place.


I will cover a couple of brief methods of firewalling so I don't leave you hanging in the wind. The previously mentioned one was with Cisco gear: ACLs can work wonders. These little things on gear you already have can be your first line of defense for keeping people in Customer Support from getting to the Accounting computers. Another option is a transparent Linux firewall/proxy. It acts just like a switch on your network, passing data like normal, but it inspects the packets to make sure they are allowed to be there. Again on the Cisco side, but more expensive, are your (older) PIX and (newer) ASA firewalls. If you have the money for an ASA, go for it!
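To make the "it all boils down to the rules" point from the two paragraphs above concrete, here is an added example of my own (not code from the post, and not Cisco's): a small Python evaluator that mimics the first-match, implicit-deny semantics of a Cisco-style access list and runs it against a few constructed flows. The subnets (10.1.10.0/24 for Customer Support, 10.1.20.0/24 for Accounting, 10.1.5.0/24 for shared services) and the sample flows are assumptions made up for the demonstration. The second list shows the classic ordering mistake: a broad permit placed above the deny, which silently undoes the segmentation you thought you had.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample subnets: assumptions for this example, not from the post.
CUSTOMER_SUPPORT = ipaddress.ip_network("10.1.10.0/24")
ACCOUNTING = ipaddress.ip_network("10.1.20.0/24")
SHARED_SERVICES = ipaddress.ip_network("10.1.5.0/24")  # DNS/mail etc., reachable by all
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None       # None matches any destination port
    proto: str = "ip"              # "ip" matches any protocol, like Cisco's "ip" keyword

    def matches(self, packet: Packet) -> bool:
        return (
            packet.src in self.src
            and packet.dst in self.dst
            and (self.proto == "ip" or self.proto == packet.proto)
            and (self.dport is None or self.dport == packet.dport)
        )


def evaluate(acl: list[Rule], packet: Packet) -> str:
    """First matching rule wins. No match at all means the implicit deny at the end."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


def build_support_acl() -> list[Rule]:
    """List applied to traffic coming from Customer Support: deny Accounting first,
    then permit only what Support actually needs; everything else hits the implicit deny."""
    return [
        Rule("deny", CUSTOMER_SUPPORT, ACCOUNTING),
        Rule("permit", CUSTOMER_SUPPORT, SHARED_SERVICES),
        Rule("permit", CUSTOMER_SUPPORT, ANY, dport=443, proto="tcp"),
    ]


def build_misordered_acl() -> list[Rule]:
    """Same intent, wrong order: the broad permit matches first, so the deny never fires."""
    return [
        Rule("permit", CUSTOMER_SUPPORT, ANY),
        Rule("deny", CUSTOMER_SUPPORT, ACCOUNTING),
    ]


def pkt(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


# Constructed sample flows from one Support workstation (assumed addresses).
SAMPLE_FLOWS = {
    "support_to_accounting_smb": pkt("10.1.10.25", "10.1.20.10", "tcp", 445),
    "support_to_dns": pkt("10.1.10.25", "10.1.5.53", "udp", 53),
    "support_to_web": pkt("10.1.10.25", "203.0.113.7", "tcp", 443),
    "support_to_engineering_ssh": pkt("10.1.10.25", "10.1.30.4", "tcp", 22),
}


def decisions(acl: list[Rule]) -> dict[str, str]:
    """Verdict for every sample flow under the given list."""
    return {name: evaluate(acl, packet) for name, packet in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("correct order", build_support_acl()),
                       ("misordered", build_misordered_acl())):
        print(f"--- {label} ---")
        for name, verdict in decisions(acl).items():
            print(f"{name:28s} {verdict}")
```

Two things worth noticing when you run it. The Engineering SSH flow is denied without any rule naming Engineering, purely because nothing permitted it; that implicit deny is what does most of the segmentation work, so keep the permits narrow. And a plain packet-filter list like this is stateless: it says nothing about the return traffic for the connections it permits, which is the gap that stateful inspection boxes such as the ASA mentioned above close for you.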


What it boils down to is protection. Firewalls are there as a layer of security, and that is what you are looking for: layers. In a drive-by scan you want to be hidden so they don't dig deeper. In a targeted internal or external attack you want to provide as many road-blocks as possible.

-- Joe McShinsky