Getting the most from a next gen firewall
28 February 2018 | 0
Are you getting the most out of your next generation firewall (NGFW)? Probably not if you take into account recent research from SafeBreach.
SafeBreach, a relative newcomer to the security arena founded in 2014, sells premise and service packages that continually run network breach simulations that help customers locate and remediate security problems.
“Many users of so-called NGFWs are perhaps not getting the full benefit of those packages because of poor configurations, legacy security methods and more”
Specifically, the company deploys software probes distributed throughout customers’ networks, and attempts to establish connections among devices and network segments just as a hacker would do in attacking your data. These breach attempts are defined by SafeBreach’s Hacker’s Playbook, a library of known attack methods that uncover network security weaknesses and how these vulnerabilities might be exploited.
The company recently discussed some of the chief issues it has found in customer test results that show many users of so-called NGFWs are perhaps not getting the full benefit of those packages because of poor configurations, legacy security methods and more.
Multitude of technologies
Typically NGFWs feature a multitude of security technologies from intrusion-detection and deep packet inspection to SSL, HTTP or TLS examination capabilities. A wide variety of vendors sell these powerful and sometimes complex NGFW packages including Cisco, Palo Alto Networks, Fortinet, Check Point, Huawei, Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone and SonicWall.
According to SafeBreach, the power of NGFWs comes from the product’s ability to implement rich security policies based on applications and users, instead of ports and protocols.
“These policies should be easier to define than legacy firewalls. However, mistakes may occur due to human error. Additionally, errors may occur when security teams use auto-migration tools provided by vendors to migrate their existing firewall policies. Breach and attack simulation enables security teams to both optimise policies to minimise security exposure, and verify that changes are effective and don’t introduce unintended consequences,” the company said.
Chris Webber, a security strategist with SafeBreach said configuration errors are one of the most frequently occurring issues with NGFWs.
“Many users get tripped-up if they only rely on vendor-supplied defaults,” Webber said. “A next generation firewall can be like having a Swiss army knife on your network but many times its features aren’t turned on. which lets attackers gain access.”
Webber also noted that most vendors provide auto-migration tools to help new customers migrate from their legacy firewalls to NGFWs but that errors may occur during this process as vendor features and architecture can vary.
SafeBreach said it has discovered breach scenarios due to these policy gaps and errors resulting from assumptions about new NGFW vendor default policies and auto-migration challenges.
Another issue is that many users do not decrypt encrypted traffic like SSL, TLS, and SSH which can become a major blind spot for customers, Webber said. It is a common attacker tactic to hide malware, etc., in this traffic. NGFWs can terminate and inspect encrypted traffic to stop these threats but unfortunately this capability isn’t utilised as often as it should be, he said.
Indeed, Cisco defined the issue in its 2018 Cybersecurity Report saying 50% of global Web traffic was encrypted as of October 2017.
“That is a 12-point increase in volume from November 2016. One factor driving that increase is the availability of low-cost or free SSL certificates. Another is Google Chrome’s stepped-up practice of flagging unencrypted web sites that handle sensitive information, like customers’ credit card information, as ‘non-secure’,” the report said.
“Businesses are motivated to comply with Google’s HTTPS encryption requirement unless they want to risk a potentially significant drop in their Google search page rankings. As the volume of encrypted global web traffic grows, adversaries appear to be widening their embrace of encryption as a tool for concealing their [command and control] activity. Cisco threat researchers observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period. Our analysis of more than 400,000 malicious binaries found that about 70% had used at least some encryption as of October 2017,” Cisco stated.
Webber pointed out another issue with NGFWs is overlooked coverage of network segmentation which is in place to increase the protection of enterprise assets.
Next-generation firewalls are deployed to segment internal networks. “It’s important to continuously validate that segmentation is actually working, as segmentation is a great security best practice to break the kill chain and stop attackers from moving deeper into the network. SafeBreach has discovered internal servers (assumed to be properly segmented) were actually communicating out to command and control servers,” the company stated.
“Customers can’t just focus security on the edge any more — those days are long behind us. Attacks can come from anywhere,” Webber said.
Another key issue is getting a handle on Internet of Things (IoT) traffic. “NGFWs are an excellent way to corral IoT traffic but customers need to set new policies and validate others to truly make it work effectively,” Webber said.
Cisco’s research took the IoT problem further, stating that “adversaries are already exploiting security weaknesses in IoT devices to gain access to systems — including industrial control systems that support critical infrastructure. IoT botnets are also growing in both size and power, and are increasingly capable of unleashing powerful attacks that could severely disrupt the Internet.”
“Attackers’ shift toward greater exploitation of the application layer indicates that this is their aim. But many security professionals aren’t aware of, or they dismiss, the threat that IoT botnets pose. Organisations keep adding IoT devices to their IT environments with little or no thought about security, or worse, take no time to assess how many IoT devices are touching their networks. In these ways, they’re making it easy for adversaries to take command of the IoT .”
IDG News Service