How do you protect your perimeter when you’ve blown it to pieces?
- Published: Tuesday, 29 November 2016 10:23
Without knowing it, many organizations have repeatedly punched holes into their once-secure perimeter says Ian Kilpatrick. While security is no longer mainly about perimeter protection, it is still a vital element…
In 2016, we have been subject to near constant headlines detailing the latest big data breach or hacking scandal. Many of us probably think we have a pretty good handle on the different types of security risks that can threaten our businesses. But the reality may be a little different.
The introduction of new technologies, the growth of cloud computing and changing employee working practices have all opened the door to a raft of new security vulnerabilities: often without us realising it.
The security perimeter that was once in place no longer exists: bring your own device (BYOD), remote working or working across multiple sites, an increasing reliance on cloud-based applications such as Office 365 and Salesforce, and public cloud services like Amazon AWS or Microsoft Azure have all contributed to a decentralised environment where company data and applications can be freely accessed from almost any device, on any network.
Without knowing it, many organizations have repeatedly punched holes into their once-secure perimeter, potentially leaving themselves not only vulnerable but fully open to attack.
However, because these changes have happened over time, in some cases over several years, many firms have missed or under-prioritised the potential risks they face. In some instances this has led to complacency regarding legacy security systems: if something has always worked and was secure in the past, why mess with it? But of course this doesn’t take into account the new wave of attacks coming from outside the weakened perimeter.
One of a number of areas that this applies to is firewall technology, which has had to evolve to counter this next generation of security threats. The firewall that has done a perfectly good job over the past five years may not be enough to protect your business in the future.
For example, today’s firewalls deployed across a multi-site environment should be able to offer extra features such as the ability to optimise and protect business-critical traffic from being swamped by less important network activities. So, ideally your active firewall should feature product capabilities like compression, data-deduplication or application-based prioritisation and bandwidth guarantees.
Meanwhile, businesses are facing an unprecedented wave of ransomware attacks. These generally come in through email, but you could also have computers ‘calling home’ to the command and control (C&C) server to install stealthware. With the right firewall – often described as next generation – in place, these activities can be detected and curbed.
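The ‘calling home’ behaviour mentioned above is what a next-generation firewall looks for when it flags command-and-control traffic: an internal host contacting the same external endpoint at regular intervals with small, similar-sized payloads. The script below is an added illustration of that detection idea, not code from the article or from any firewall vendor. It parses a constructed, space-separated connection log (epoch time, source IP, destination IP, destination port, bytes) and scores each source/destination pair on how regular its connection intervals are; the IP addresses, log format and thresholds are all assumptions made for the example.

```python
"""Flag regular 'call home' (beaconing) patterns in firewall connection logs.

Added example, not from the article. Log format is a constructed one:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (documentation-range IPs).
# 10.0.0.5 contacts 203.0.113.9:443 roughly every 60 s with ~410-byte payloads
# (beacon-like); 10.0.0.7 browses 198.51.100.20 at irregular intervals with
# varied sizes; 10.0.0.9 makes only two connections, too few to judge.
SAMPLE_LOG = """\
# ts         src       dst            port bytes
1480000000 10.0.0.5 203.0.113.9 443 412
1480000005 10.0.0.7 198.51.100.20 443 15230
1480000012 10.0.0.7 198.51.100.20 443 87210
1480000061 10.0.0.5 203.0.113.9 443 410
1480000119 10.0.0.5 203.0.113.9 443 415
1480000130 10.0.0.7 198.51.100.20 443 2040
1480000135 10.0.0.7 198.51.100.20 443 55012
1480000180 10.0.0.5 203.0.113.9 443 409
1480000200 10.0.0.9 192.0.2.4 80 3300
1480000241 10.0.0.5 203.0.113.9 443 411
1480000299 10.0.0.5 203.0.113.9 443 414
1480000360 10.0.0.5 203.0.113.9 443 410
1480000400 10.0.0.7 198.51.100.20 443 9800
1480000410 10.0.0.9 192.0.2.4 80 2900
1480000420 10.0.0.5 203.0.113.9 443 412
"""


def parse_log(text):
    """Group connection events by (src, dst, port). Returns a dict of lists of (ts, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append((int(ts), int(nbytes)))
    return flows


def beacon_score(events):
    """Return (count, mean_interval_s, jitter_ratio) for one flow, or None if too few events.

    jitter_ratio is the standard deviation of the inter-connection gaps divided
    by their mean: close to 0 means a fixed-period timer, close to or above 1
    means human-driven, irregular activity.
    """
    times = sorted(ts for ts, _ in events)
    if len(times) < 4:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return len(times), avg, pstdev(gaps) / avg


def find_beacons(flows, min_events=5, max_jitter=0.2):
    """Return the flows whose timing regularity looks like a beacon."""
    hits = []
    for (src, dst, port), events in flows.items():
        score = beacon_score(events)
        if score is None:
            continue
        count, interval, jitter = score
        if count >= min_events and jitter <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "port": port, "count": count,
                "interval_s": round(interval, 1), "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['interval_s']}s ({hit['count']} connections, jitter {hit['jitter']})")
```

Run as-is, it reports only the 10.0.0.5 flow (a 60-second period with a jitter ratio of about 0.02); the browsing flow has a jitter ratio above 1 and is ignored. In practice this heuristic needs an allow-list, because legitimate software (update checkers, monitoring agents, NTP) also beacons on a fixed timer, and a real NGFW combines timing with destination reputation, TLS certificate details and payload inspection rather than relying on intervals alone.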
In addition to the protection on the perimeter, you can deploy more firewalls internally to create zones. Zoning, or segmentation, makes it harder for malware and attackers to cross network boundaries.
Often it makes sense to allow for direct access to cloud applications from each branch office location, effectively moving away from the traditional centralised access approach. Allowing Internet access from branch locations may now mean deploying firewalls at these locations. The practical challenges here are threefold:
- Does the deployed, ‘smaller’ firewall device at each branch provide all the security controls needed, and is it still affordable? Must-haves would be next-generation firewall features such as app control, user awareness, integrated IPS, the ability to intercept SSL, and advanced threat and malware detection.
- Can these devices be effectively managed from a central user interface? This is important, because it means that only one security policy needs to be defined and maintained across all the deployed firewalls, even though enforcement now takes place in multiple physical locations.
- What does the associated operational cost look like? Firewall devices need to be troubleshot, logs need to be managed, updates need to be applied, and so on.
Next generation firewalls
As with all things IT, next generation firewalls (NGFW) are subject to more hype than reality. While many are fully featured, some are overmarketed versions of older technology and despite there being plenty of choice, there can be a blurring around the capabilities and performance on offer.
The customer should start by determining their needs, as they differ by organizational type, size, performance requirements, security concerns and of course compliance requirements. While there is a wide variation in NGFW prices, often they are not matched directly to capability – which is why needs precede budget considerations.
At the risk of creating a boring feature list, some of the elements to consider and prioritise for next generation firewalls include: application firewalling (using deep packet inspection); intrusion prevention; encrypted traffic (TLS/SSL) inspection; website filtering; bandwidth management; and third-party identity management integration (LDAP, RADIUS, Active Directory, etc.).
Other features can include antivirus, sandbox filtering, logging and auditing tools, network access control, DDoS protection and of course cloud capabilities.
Clearly different organizations will have a divergent range of needs driven by their own size, performance and security requirements. With the significant range of solutions on offer, the challenge can often be selection, particularly with the significant number of new suppliers entering the market with innovative offerings. However, these can often create more cloud than light in this area, plus there’s a real risk that if they have a genuinely innovative solution, they will be acquired by a bigger player.
Budget and management capabilities are also key elements in this equation. Given that a firewall is often deployed for considerably more than three years, it’s crucial to make the right decision to protect your environment, not only against today’s threats but also those that will be the centre of attacks in the future.
Having been around security for more than 40 years, my own suggestion is that the conservative approach of going with a well-established player that can and will continue to invest in threat defences and upgrades is often the best route.
There are many organizations that fit this bill, including Barracuda Networks, Check Point and WatchGuard Technologies to name a few. Subject to the size and potential cost of your deployment, putting one or more suppliers through a full POC (proof of concept) ahead of the decision can be a very effective investment to protect your organization in a risk environment that has changed radically from three years ago, and which will continue to change, potentially at an even faster rate.