Don’t Forget the Basics of Network Security (Part 1)
It seems every week you read a story about unsecured databases being exposed on the Internet, information being held for ransom, or even children’s teddy bears being attacked without their owner’s knowledge. While it’s easy getting caught up with the exciting new attacks, vulnerabilities, and acronyms, I think it’s important for everyone to remember that while network security is best done in layers, the most critical is a strong foundation.
While the majority of attacks can be mitigated through the application of the ASD “Essential Eight” (previously the Top 4), those recommendations are targeted at desktop environments because that is where the majority of attacks happen. My focus in this article is on the public facing servers and networks, as these often contain the “crown jewels” and are exposed to the entire world by nature of their functional requirements.
Creating and Testing Firewall Policies
Every firewall policy starts simple and with the best of intentions, only to grow and change until it no longer resembles its former self. Firewall management is so vital that it is the first requirement in the PCI Data Security Standard. Even if you are not required to be audited against PCI or similar standards, we can borrow some aspects to increase the security of any network.
PCI requirement 1.1.1 is “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. This can be as large or formal as needed by the business, but should be performed and documented to ensure that additions and changes are justified. You also want to ensure testing is performed, usually by the data owner or change requester, so that incorrect or incomplete firewall rules don’t pile up as more small requests get layered on until the application is working. This is also aided by ensuring the change requestor does their homework and provides all address/port/protocol allowances at once, usually with assistance from the software vendor documentation.
Documenting Firewall Policy Intent
PCI requirement 1.1.6 is “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure”. This may seem procedurally excessive, but when taken into context of PCI requirement 1.1.7 “… review firewall rule sets at least every six months” you’ll see how this can actually save you time and effort in the long run.
An example of how to implement 1.1.6 is to comment each individual line or rule of a firewall policy with a globally unique identifier and a very short description. Most firewalls allow this information to be stored within the firewall policies themselves.
- e.g. [DMZ-04125] Allow HTTP and HTTPS from Internet to web servers
You then have a separate controlled document that links the unique identifier and provides the detailed description to comply with 1.1.6. This is sometimes called a narrative, and includes descriptions for source, destination, ports/protocols, and detail of what the traffic is that is being allowed. For larger environments, you can also include the data owner or change requestor, and change tickets for the creation or modification of the individual narrative.
- e.g Title: [DMZ-04125] Allow in HTTP and HTTPS to web servers
- Data owner: Web server administrators
- Changes: CHG0002129, CHG0003188
- Description: Traffic from the public Internet is allowed to all web servers in the DMZ on HTTP (80/TCP) and HTTPS (443/TCP).
- Traffic is unencrypted on HTTP, but this does not contain sensitive information or PII as web servers are configured to always redirect to encrypted HTTPS. Traffic is encrypted on HTTPS and sometimes contains PII as some web servers request public users to enter their personal information.
Regular Firewall Policy Review
Now when it comes time to review your firewall rule sets twice yearly to comply with 1.1.7, you can run two relatively simple tasks in parallel: comparing the active firewall rules to their linked narratives, and using the narratives document to check if the traffic allowance is still required. The later can be done through interviews with the data owners, or simply distributing the individual narratives and having the data owners reply with a yes or no with comments.
When you think that some firewall rules allow anyone, from anywhere in the world, with any legitimate or malicious intent, to send arbitrary packets of data to your servers, it makes you stop and think about ensuring your firewall rules only allow the minimum ports and protocols to make your applications work. Once you have the basics of network security taken care of, you can then look at additional layers of protection provided by an array of technology acronyms like IPS, WAF, CDN, DDoS protection, and more.