Network Protection in Depth

Every company has some sort of network protection, whether it is as simple as a router ACL to the most advanced NGFW or UTM device on the market. The question is what a company really needs to stay ahead of the game today and that is what I am going to discuss a bit in this post.

Network security needs one thing to truly effective, and that is that the traffic must somehow pass through it. The only exception is an IDS running in monitor mode which simply sniffs network traffic and does not require it to pass the device. There are other monitoring systems that provides additional insight on to what is happening on the network as well, and most of these also rely on passive monitoring.

For Packet Filters, Next Generation Firewalls (NGFW), IPS (Intrusion Prevention System) and UTM (Unified Threat Management), these types of devices requires the traffic to pass through them to be of any value. NGFW and UTM are often compared and they do share capabilities, but the NGFW as I see it is merely an extension of the packet filtering ability of a traditional firewall, adding things like application control (http proxy as an example) and IPS functionality. UTM on the other hand tries to do everything the NGFW does, but also adds url filtering, spam blockers, antivirus and other features. Quite simply, the UTM promises to be all the security you need in a single box. Whether this is true or not all depends on your companies requirements.

Personally I do not believe that UTM or NGFW solves every security problem in your company, but it can certainly add to boost your security posture if implemented correctly or put you at serious risk if implemented incorrectly.

First and foremost, you have to know your network to implement a network security solution correctly. If you do not know your network, make sure you learn and understand it before you do anything else. Once you have the full network picture in front of you, you can start looking into all these amazing appliances on the market and see what appliance goes where in your network topology. You also need to decide on which features a network security appliance should have, what matters most to you? What are your security requirements, what do you really want to protect and from what? Simply buying a NGFW or a UTM and slam into your network with the default settings is not gonna help you very much.

You must also understand one thing, even with the most advanced NGFW ot UTM on the market today, none of them protects you at 100%. This is not a statement I make up, this is a documented fact. NSS Labs, which tests these types of devices very thoroughly, last test of NGFW’s was done in 2014, rated no device at 100% being able to block all types of attacks. This is something you need to be aware of so you do not solely rely on a NGFW or UTM to handle all security threats. The SVM (Security Value Map) from NSS Labs below show this, this is NGFW devices and not UTM devices. This graphic below belongs to NSS Labs and is available free of charge. The full report however is not free.


As you can see, no device is 100% effective. If you are wondering why Palo Alto Network rated so low, you can read the full story in the NSS Labs Blog post.

Therefor, these types of devices may add to your company security, but as I mentioned earlier, only if implemented correctly, and also extremely important, used and managed correctly. If you are to invest large sums of money into these devices, do make sure that your firewall administrators knows how to manage them and utilise the full potential. There are a lot of stories about improperly configured firewalls floating around, do not become one of those. As these devices gains more and more capabilities, training must keep up. These are not simple packet filters anymore, simply looking only at SRC, DST, Port and Protocol, nope, they can do a lot more. If you have one of these devices and still treat it like an old packet filter firewall, then you are missing something.

So, now you know you have to know your network topology very well, know what your security requirements you have, and you also need to know what capabilities and limitations these devices have, and also, you have to invest in proper training of your firewall administrators. Is that all then? No, not even by a long shot.

NGFW and UTM devices are simply nothing more than one more tool in your security toolbox and they address one specific thing, traffic coming from one network to travel on to another network. Unless you route all your traffic through them, these devices do not protect you at all from attacks within the same network segment. If they cant see the traffic, they cant do anything. This is a very common problem with many companies, they have a very hard perimeter but very soft networks on the inside. It is like an egg, a hard shell but once that is cracked, everything is accessible.

This is where additional network security resources comes in to play. If you are running a mixed IT environment, you probably have a selection of network security features available on your hosts, where I would like to focus a bit on two of them, The built-in firewall of Linux which is IP-Tables and the Windows operating system host firewall. Both of these firewalls can actually do quite a lot and they should be used to further hardening your network security posture.

IP-Tables are getting additional support for more advanced features such as security zones with the firewallD project from Fedora which is now also part of RHEL version 7. IP-Tables is stateful which means it keeps track of connections, so it can distinguish between new and existing connections and which side initiated the communication. By using IP-Tables to lock down the network presence of your Linux hosts you add to the overall network security posture. There is also an implementation of IPSEC available for Linux, the FreeS/WAN Project. By combining IP-Tables and IPSEC, you can make it a lot harder for an attacker to gain an effective foothold in your company network.

The Windows host operating system firewall on the other hand is also a great tool which should be used. Firewall rules can be managed using Group Policy (Yes I know it becomes hard to manage when the number of policies grow, so without endorsing it, take a quick look at Addlevel Isolation Management for a better view of your central Windows Firewall Management). The Windows firewall is also stateful, it has IPSEC support and it also has the ability to accept or deny connections based on who is making them. As an example, you can have a firewall rule which allows all members in a certain group use RDP to access your server network, but nobody else. If you also use IPSEC, you can enforce the use of strong authentication of both the computer making the connection as well as make sure that the user also is authenticated before allowing the connection to occur. The Windows firewall has many great features which makes me a bit surprised that so few are actually using them.

Another piece of the puzzle is to know what is going on in your network. There are several ways to do this, but what is most important is that your security team really understands how it can be used. Visualisation of network data often makes it easier to track what is happening than a log file with a lot of text in it.

After all, it is you who has the responsibility to understand how well your network is defended, so knowledge is the last key to it all. Without knowing you can not react and you can certainly not predict what you might need to do before something happens. You need to know your network, do correct network security implementations, monitor them and evaluate them, and over time, do it all over again. Security is never a onetime deal, remember that.

Of course there a lot of other things that relate to security which are not network based, but I will focus on those in another post.

Leave a Reply

Your email address will not be published. Required fields are marked *