Firewalls Nick Barron

Transcription

1 Firewalls Nick Barron

2 About me IT admin and security controller for mid-sized MOD supplier I don t sell firewalls, I just use and shout at them DISA IT techie Have way too many computers at home

3 What s ahead How the Internet works (in one slide!) What network firewalls do (and don t do) Hardware vs software Cyber Essentials requirements Possible problems Summary

4 How the internet works Internet devices have an IP (Internet Protocol) address, which is a block of four numbers: e.g Think of this as the main office phone number Stuff running on Internet devices listens for connections on a specific numbered port, e.g. port 80 for web servers Think of this like a telephone extension Only certain ports are listening for connections Think of this like having a phone plugged in Human-readable web addresses like are converted into IP addresses by the Domain Name Service (DNS) Think of this like the phone book I ve skipped over a lot of stuff that doesn t really matter for our purposes!

5 So what is a firewall anyway? A firewall is a choke point that sits between your network and the outside world It controls what comes in, and what goes out For example you may have an internal web server that you don t want the outside world to see Must be the ONLY way in and out

6 What firewalls do Firewalls control access based on rules Allow access to specific internal services (IP addresses and ports) Apply different rules to different sources (e.g. internal machines have greater access to web server than external ones) Segregate internal networks Check for funny stuff going on (e.g. misusing ports) Log incoming and outgoing connections Network address translation Hides large internal networks behind a few external IP addresses Simplifies networking and improves security

7 Other things firewalls do Intrusion detection/prevention Look for and block attempted attacks Malware scanning Scan downloads for malware Website filtering Block malicious/non-business web sites Quality of service Share network speed fairly and prevent hogging Remote access/vpns Allow secure remote access from users outside the network But remember Complexity is the enemy of security

8 What firewalls don t do Configure themselves they don t automatically understand your network, your business requirements or your security needs Manage themselves they need regular management to amend rules, update software and review logs Monitor themselves they can highlight suspicious activity, but not all security issues Protect you from all threats won t prevent social engineering attacks, devices connected inside the secure perimeter etc

9 Hardware vs software Hardware firewall Dedicated device, hardened software and operating system Software firewall Integrated into operating system (Windows, OSX, Linux) Combined approach Defence in depth with both hardware and software firewalls

10 Cyber Essentials requirements What the specification says: Information, applications and computers within the organisation s internal networks should be protected from unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices Default password should be changed Rules should be subject to approval/authorisation and documented with business need Unapproved services should be blocked by default Rules no longer required should be disabled in a timely manner Administrative interface should not be accessible from the Internet

11 Default password Most devices come with stupid default passwords Some secure passwords are easy to determine (e.g. based on hardware address) Surprising how often they are left unchanged

12 Rules must be approved Firewall is only as good as its configuration Must be Approved by an individual Documented Include explanation of business need Cheaper firewalls will require external process for this, more expensive ones have integrated change control Doesn t need to be too complex

13 Block unapproved services Default deny is the golden rule Should apply to outgoing connections too Be particularly careful about encrypted connections

14 Disable redundant rules Firewall should always be least privilege device Firewall rules should be regularly reviewed Weed out old rules Time limit rules if possible Be sure to have rollback option in case of mistakes

15 Restrict access to admin interface Administration should be restricted to access from specific machines on internal network IF remote administration required Must be properly encrypted Should be restricted to trusted remote connections Should only be enabled when required More expensive firewalls provide secure remote management Image of Amicus the security cat used with consent

16 Other stuff you should do Logs Keep as detailed logs as long as possible Secure backup/archive Defence in depth Consider multiple firewalls, but beware of complexity issues Patching Firewalls need patching too! Redundancy Single point of failure Address with redundancy, maintenance and/or spares

17 What goes wrong Operator error Easy to make mistakes with rules Reduce risk by regular external testing, periodic independent review

18 What goes wrong Vulnerabilities in firewall products Regular patching Defence in depth Use dedicated security devices, not cheap all in one routers

19 Summary Firewalls provide a wide range of security benefits Must be configured correctly and installed appropriately in the network Not a fit and forget solution Configuration control of firewalls is important Most commercially available firewalls will meet Cyber Essentials requirements (including free ones) Don t trust firewalls built in to Internet Service Provider equipment Useful links

20 Questions? (I checked on Twitter they said gratuitous cat pics are fine!) Nick Barron