
A complete guide to network security and firewall audits

Information security professionals are fond of pointing out that networks are only as secure as their weakest point. The most pressing issue for organisations today, though, is that the increasing complexity of our networks means there are many more weak points for hackers to exploit.

Since we're all increasingly reliant on digital technology, there's a lot more valuable information out there in the electronic ether that's ripe for the picking. This has led to a vast increase in both the volume and sophistication of attacks.

As a result, it's becoming increasingly difficult for organisations to find and plug all the holes before they fall foul of a potentially damaging breach. Without a sound security strategy and the continual use of automated tools to monitor networks for vulnerabilities and orchestrate their security policies, many network managers are forever chasing their own tails, reacting to events as they occur.

The challenges of new technologies

Trends such as BYOD ('bring your own device'), cloud computing and social networking present untold challenges for network security managers, and require that organisations take a fundamentally different and more rigorous approach than might have been appropriate a decade ago. Back then, the threats were comparatively minimal – a few nasty worms and viruses that you could, by and large, deal with by firewalling the perimeter of your organisation and running up-to-date antivirus software, and 'man in the middle' attacks which you could prevent by using encryption and VPNs.

Today, employees use myriad devices, operating systems and browsers to access their applications and data. There are iOS, Android, Windows and BlackBerry smartphones and tablets; Apple, Windows and Linux laptops and desktops, plus at least 10 different types of web browser. Not only that, but all of these operating systems and browsers have multiple flavours and versions, all of which present different security vulnerabilities. And since many devices are owned by employees, they often sit completely outside corporate control.

If a single device, file or online account becomes compromised or infected, employees might subsequently infect systems inside the corporate firewall. A hacker with criminal intent doesn't even have to be particularly tech-savvy. Anyone can download easy-to-use attack tools that exploit known security holes, and there are even underground web marketplaces where attackers can buy unpublished (so-called 'zero day') vulnerabilities.

Social engineering gains primacy in the new security landscape

Often, attacks are more about psychology than technology. A hacker will phone someone pretending to be from IT support and persuade them to reveal their login and password details. They'll drop an infected USB key outside an office and wait for an employee to pick it up and insert it into a machine sitting inside the firewall. Then there are 'phishing' attacks that entice unwitting users to enter credentials into fake sites, or click on links that install viruses on their devices.

Alternatively, an attacker might 'friend' someone on a social network such as Facebook, find out some personal information about them and then use that information to masquerade as the person in question in order to persuade one of their colleagues or trusted contacts to divulge valuable information.

Such 'social engineering' has long been a key weapon in the hacker's armoury, but the popularity of social networking and the amount of personal information people reveal online have grown exponentially over the past decade, making such attacks a lot easier to carry out and, as a result, far more commonplace.

Once infected, a machine can be turned into the hacker's slave, automatically infecting and recruiting other machines on the network, seeking out potentially sensitive information and surreptitiously sending it back to a third party. Alternatively, hacked machines are commonly corralled into vast 'botnets', working together to serve their controller's nefarious purposes, such as launching 'denial of service' attacks on target websites (essentially, bombarding them with multiple, simultaneous requests for information in order to stop legitimate users accessing the site for the duration of the attack).

The locations where people use their devices present yet more challenges. Using public or guest WiFi hotspots (even encrypted ones requiring a password) can open up users to attack, for instance. A hacker logged into the same network can use freely available tools to hijack people's web browsing sessions and harvest logins and passwords if users neglect to use HTTPS encryption when accessing sites and networks via the web.

What can you do to protect yourself?

So what can those responsible for networks do to navigate through this security minefield? The temptation in the past was simply to lock down access to corporate systems by banning the use of personal devices or public WiFi, but these days few organisations have that option.

There are significant business advantages to BYOD and cloud computing – for example, they can make a business more efficient and competitive by enabling flexible and mobile working, reducing capital expenditure on IT, boosting productivity and increasing employee satisfaction. And even where a lockdown policy is in place, it can be hard to enforce. Many people will simply use personal devices and cloud services on the quiet in order to bypass what they see as overly restrictive managerial diktats that hamper their productivity.

Clearly, though, inaction isn't an option. Organisations are coming under increasing pressure to prove systems are adequately secured, not least due to the proliferation of industry-specific compliance requirements such as Sarbanes-Oxley (SOX), PCI-DSS and HIPAA. Security audits have become a way of life for those responsible for networks in financial services, healthcare, government and other sectors subject to such regulations.

But even where firms don't currently face formal compliance requirements, the threat of reputational damage and loss of customer confidence resulting from any breach of sensitive data could have a catastrophic effect on a business's bottom line. Security accreditation is likely to become more common across a lot more sectors for competitive reasons, as companies vie to prove to customers and stakeholders that they can be trusted to handle sensitive information with due care.

Basic guidelines are better than nothing

Security professionals often look down on compliance regulations and security standards because they generally weren't defined by technical security specialists and probably don't address up-to-the-minute threats. But while such standards won't necessarily protect you from the latest, most sophisticated attacks, they often give good basic guidelines that can help reduce your exposure to risk.

Although few companies will adhere to the letter of a standard unless they're forced to do so for reasons of regulatory compliance or competitive pressure to achieve certification, the best practice these standards lay out is often a good starting point for any company developing a security strategy.

That said, it's important to remember that if your process is too onerous, people are unlikely to stick to it. Organisations need to strike the right balance between minimising the risk of attack and ensuring their security requirements aren't seen by the business as a burdensome waste of time and duly ignored.

The first thing organisations should do is ensure they've hired a dedicated expert who understands the changing security landscape and can work with the business to develop an overall security policy that's appropriate for your organisation. The policy should map out, at a high level, your assets (in other words, what you want to protect) and how you plan to secure them.

This top-down approach is critical to a successful security strategy. Many organisations attempt to apply security measures before they clearly understand their needs, an approach that leaves risks unaddressed and wastes resources.

There are so many tools available for information security enforcement and management that it is easy to get lost among them. Before implementing any of them, organisations should address the basics.

The number one priority is to educate users about the fundamental dos and don'ts and create awareness, for example:

  • Never share a password
  • Never use the same one for different sites and services
  • Make sure you use HTTPS whenever possible when browsing the web on public networks
  • Don't open files from an untrusted source
  • Never insert unknown USB keys into your machine.

Most attacks aren't that technically complex – more commonly, hackers just exploit people's ignorance of basic security. Address that ignorance and you're well on the way to reducing your exposure.

Once you've covered the basics of user education and developing a global security policy, however, you'll need to put in place appropriate software tools to help you enforce that policy. One of the first lines of defence is the perimeter firewall, which screens off internal networks from the outside world. But beyond this, organisations should ensure they are segmenting their internal networks, defining different zones with different levels of security depending on the type of information traversing those networks.

A written policy

You need a written policy defining what type of data is stored in each of the zones, how trusted they are, and the type of communication permitted between them. Again, this needs to be formulated in conjunction with the business as a whole. If there is no requirement for access, then connections should not be permitted.

The latest generation of firewalls doesn't just look at IP addresses and port numbers like a traditional firewall; it also enforces access to applications, which has more to do with securing outbound activity. For example, since users visiting Facebook could pose a risk to the organisation, you might decide employees should be blocked from doing so. But you could also allow some activities on Facebook while restricting others.

Beyond access control, firewalls serve another important role: generating logs that can be fed into an event management system and correlated to detect intrusions and other malicious activity.

Security is often at odds with business. The former is about process, control and restricting privileges, while the latter is about agility, flexibility and access. The trick is finding the right balance – and then maintaining it. Business needs are changing all the time, and security policies will need to be adapted to reflect that. This is especially true of firewall policies, which undergo constant change to reflect evolving business needs.

The importance of a firewall audit

If an organisation is subject to external audits because of compliance requirements, an auditor will usually pick a few random firewall rules and ask the company's security manager to show these rules are justified by business requirements, that they have been approved, and that the organisation has a process in place to review them regularly (so that if, say, in six months the business no longer has any need for a particular type of access, the corresponding rule that permits that access will be removed from the firewall).

In fact, one of the biggest mistakes organisations preparing for firewall audits make is attempting to do it manually. It's not uncommon for network security managers to spend 80 per cent of their time just preparing for audits, which is a ridiculous waste of effort.

Security best practice states that you should only grant the most minimal access privileges needed by any specific device or user. If you can prove to an auditor that your policies have been formulated to do that, then you're far more likely to pass the audit. But given the complexity of today's networks and the constantly changing business requirements already outlined, this is almost impossible to do manually without making mistakes.

When network managers are continually reacting to events on a day-to-day basis, trying to prepare for the next audit and keep up with changes in the business, they're far more likely to take short cuts or miss something important. For example, it's much easier and quicker to create a rule that leaves access to a particular part of the network open than it is to create one which specifies the particular individuals and devices that actually need access.
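As an added illustration (not code from the original article or from Tufin's products) of the checks an auditor applies to sampled rules, the Python below audits a constructed rule base against a hypothetical zone policy of the kind described under 'A written policy', flagging flows the policy doesn't permit, the overly broad 'leave it open' rules described above, missing justification or approval, and reviews that are overdue against the six-month cycle. The zone names, addresses, review interval and audit date are all assumptions.

```python
from datetime import date

# Constructed zone policy (hypothetical zones): the (source, destination) zone
# pairs that may communicate. Any pair not listed is denied, matching the
# "no requirement, no connection" principle of the written policy.
PERMITTED_ZONE_FLOWS = {("internet", "dmz"), ("dmz", "app"), ("app", "db"), ("corp", "app")}

REVIEW_INTERVAL_DAYS = 180          # the six-month review cycle
AUDIT_DATE = date(2024, 6, 1)       # constructed "today" for this audit run


def audit_rule(rule, today=AUDIT_DATE):
    """Return the audit findings for one rule; an empty list means it passes."""
    findings = []
    if (rule["src_zone"], rule["dst_zone"]) not in PERMITTED_ZONE_FLOWS:
        findings.append("flow not permitted by zone policy")
    # A rule opening every destination or every service is the shortcut that
    # auditors look for; 'any' as a source is normal for inbound internet flows.
    if rule["dst"] == "any" or rule["service"] == "any":
        findings.append("overly broad rule (any destination or any service)")
    if not rule.get("justification"):
        findings.append("no business justification recorded")
    if not rule.get("approved_by"):
        findings.append("no approval recorded")
    last = rule.get("last_reviewed")
    if last is None or (today - last).days > REVIEW_INTERVAL_DAYS:
        findings.append("review overdue")
    return findings


def audit_ruleset(rules, today=AUDIT_DATE):
    """Map each rule id to its findings so any sampled rule can be answered for."""
    return {rule["id"]: audit_rule(rule, today) for rule in rules}


# Constructed sample rule base (documentation and private address ranges only).
RULES = [
    {"id": "R1", "src_zone": "internet", "dst_zone": "dmz", "src": "any",
     "dst": "203.0.113.10", "service": "tcp/443",
     "justification": "public web site", "approved_by": "CISO",
     "last_reviewed": date(2024, 3, 1)},
    {"id": "R2", "src_zone": "corp", "dst_zone": "db", "src": "10.1.0.0/16",
     "dst": "any", "service": "any", "justification": "",
     "approved_by": None, "last_reviewed": None},
    {"id": "R3", "src_zone": "app", "dst_zone": "db", "src": "10.2.0.5",
     "dst": "10.3.0.9", "service": "tcp/5432",
     "justification": "orders app to its database", "approved_by": "db owner",
     "last_reviewed": date(2023, 10, 1)},
]
```

Running `audit_ruleset(RULES)` returns a findings list per rule; R1 passes, R3 is only overdue for review, and R2 fails every check.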

Then there's business continuity. No one wants to inadvertently block the CEO's access or disrupt the business in a way that might threaten their job. If you break a critical application that generates revenue for the business because you've tried to tighten up security, you could get fired. So people tend to leave things more open than they should be.

If, however, you use automated systems to generate the strictest rules possible without disrupting the business, you'll be in a much better position to pass an audit. Today's tools can understand an organisation's business requirements and security policies in a language that's explicit enough to use without confusion.

They will then consolidate the two to define and implement the most appropriate firewall rules. Of course, at the end of the day someone has to define the policies and enter them somewhere. For example, if you're putting in place a new e-commerce application, at some point you'll have to define the network connectivity for that application.

But if you can leverage that information to make changes to the security policy automatically, then you can avoid the duplication of effort that's so common today and too often allows errors to creep in.

Automated security procedures

There are many other types of technology that can help to automate security in your organisation, including tools that continually scan your networks for possible vulnerabilities and points of entry; tools that monitor your networks for suspicious activity; tools that manage user identity and access; tools that examine stored information for evidence of tampering, and much more besides.

Deciding which automated security tools are appropriate for your particular business, setting them up correctly and putting in place processes to ensure they are continually in tune with your strategic business requirements is no mean feat, but it's well worth the effort.

The key is to shake off the 'headless chicken' syndrome that results from trying to secure your network manually, where you're desperately reacting to the endless stream of security issues thrown up by compliance demands and audits. Too many organisations today are failing to take the leap because they are simply too busy firefighting to step back and start acting in a more strategic manner.

When it comes to tool selection, you'll need to be able to separate the hype and scare-mongering that some suppliers employ in a bid to sell particular products from your true security needs. Only then can you hope to choose the right security automation software and vendors. And if you don't have the right expertise in-house, it may make sense to employ an independent consultant to help at this stage.

It will almost certainly take several months of hard work to put everything in place, but once it's done the task of securing your networks and staying compliant will be far easier. Security policy orchestration tools can help here, by ensuring your global policy is being implemented and adhered to.

The right approach to network security, like most other things, involves looking at it strategically from an individual business perspective. Security should be embedded into the fibre of your organisation's processes, rather than implemented ad hoc as specific problems arise. If you can do that, you can achieve a much better level of security.

Reuven Harrison is CTO and Co-Founder of Tufin. He is responsible for the company's future vision, product innovation and market strategy.
