Small and mid-sized businesses have come to rely on their firewalls more than ever in the quest to protect their networks from intrusions. However, firewalls also fulfill many other roles in the security realm, so much so that the term “firewall” has become almost a blanket term for network protection.
Today’s firewalls come in many shapes and sizes. Most firewalls have taken on the moniker of security appliance or next-generation firewall (NGFW). Regardless of what they are named, firewalls offer an array of features that are designed to monitor and control inbound and outbound traffic based upon administrator-defined policies or rules.
And therein lies the most critical element of any firewall (or security appliance): the administrator’s ability to properly define policies and rules that effectively protect data.
As many administrators can attest, policy definition has quickly evolved from an art to a science, with most firewall vendors providing wizards or templates that can adequately protect the typical small or mid-sized business network. However, that level of automation has lulled many security professionals into a false sense of security: some believe the network, and the data housed within it, is fully protected.
Properly securing a network means understanding how a firewall works and also taking into account the multitude of threats that can impact data security, many of which were never envisioned by vendors when their wizards or predefined policies were created. What’s more, many security professionals are so focused on protecting the network perimeter that they overlook the data elements an attacker can reach once inside.
Adopting industry best practices is only one of many steps to make sure your firewall is up to snuff. Those best practices have to be followed with vigilance and verification to make sure systems and data are properly protected. With that in mind, several best practices can help administrators achieve proper protection.
Many predefined policies and wizards err on the side of ease of use: access to certain ports, IP addresses or applications is not constrained, so access may be granted where it was never intended. Simply put, never use the “allow any” option when creating a new rule or policy. Start from a default-deny posture and permit only the specific sources, destinations, protocols and ports a service actually needs.
Verify, record and audit every change. Administrators often create a rule quickly to meet a temporary need, such as allowing one user access to a particular port for a single event. If a changelog is not maintained, that temporary rule may well become permanent because it is forgotten. Proper documentation and change management are a must when maintaining a security product; recording an explicit expiry date for every temporary rule makes the forgotten ones easy to find later.
Rule bloat is a very common problem with many firewalls. Rules are created to support particular applications; when an application is decommissioned or changed, the associated rule is forgotten and stays in force in perpetuity, perhaps leaving a system open to future attacks. For administrators supporting customer-facing applications this is even more critical: a customer’s data can be exposed if someone compromises a retired application, particularly when that application is no longer monitored for intrusions.
Firewalls (and the underlying networks) should be audited regularly to ensure compliance with corporate rules. What’s more, security professionals should perform penetration tests to find any improperly defined rule or unpatched system before an attacker does. That protects not only corporate data, but also any customer data that may be stored on the network.
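The “allow any”, change-tracking, rule-bloat and audit points above can all be checked mechanically against a rule export. The following is an added example, not code from the article or from any firewall vendor: the comma-separated export format, the application inventory (`ACTIVE_APPS`) and the five sample rules are constructed for illustration, and a real firewall’s export would need its own `parse_rule()`. Beyond the article’s points it also flags shadowed rules, a rule that can never match because an earlier, broader rule already covers every packet it would see, which is how a stray “allow any” quietly disables the default deny beneath it.

```python
"""Rule-set linter for the 'allow any', change-tracking, rule-bloat and audit
points above. Added example, not code from the article: the CSV-like export
format, the application inventory and the sample rules are all constructed.
"""
import ipaddress
from datetime import date

# Constructed sample export, one rule per line, in evaluation order:
#   name, action, src, dst, proto, dport, app, expires (YYYY-MM-DD or '-')
SAMPLE_RULES = """\
allow-web-in,allow,any,203.0.113.10/32,tcp,443,storefront,-
temp-vendor-ssh,allow,198.51.100.7/32,203.0.113.20/32,tcp,22,vendor-support,2023-03-01
legacy-report-app,allow,any,203.0.113.30/32,tcp,8080,reportsvc,-
catch-all,allow,any,any,any,any,-,-
deny-default,deny,any,any,any,any,-,-
"""

# Constructed inventory of applications still in service.
ACTIVE_APPS = {"storefront", "vendor-support"}


def parse_rule(line):
    """Parse one line of the constructed export format into a dict."""
    name, action, src, dst, proto, dport, app, expires = [f.strip() for f in line.split(",")]
    return {
        "name": name,
        "action": action.lower(),
        "src": src, "dst": dst,
        "proto": proto.lower(), "dport": dport,
        "app": None if app == "-" else app,
        "expires": None if expires == "-" else date.fromisoformat(expires),
    }


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _is_any(value):
    return value.lower() == "any"


def _ip_covers(broad, narrow):
    """True if every address matched by `narrow` is also matched by `broad`."""
    if _is_any(broad):
        return True
    if _is_any(narrow):
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def _scalar_covers(broad, narrow):
    return _is_any(broad) or broad == narrow


def covers(broad, narrow):
    """True if `broad` matches every packet `narrow` would match, so a rule
    placed after `broad` is never evaluated (it is shadowed)."""
    return (_ip_covers(broad["src"], narrow["src"])
            and _ip_covers(broad["dst"], narrow["dst"])
            and _scalar_covers(broad["proto"], narrow["proto"])
            and _scalar_covers(broad["dport"], narrow["dport"]))


def audit(rules, active_apps, today):
    """Return (rule name, issue) pairs for the problems discussed above."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow":
            # Unconstrained allow: the 'allow any' rule the article warns against.
            if all(_is_any(rule[k]) for k in ("src", "dst", "proto", "dport")):
                findings.append((rule["name"], "allow-any"))
            # Temporary rule whose recorded expiry has passed (changelog drift).
            if rule["expires"] is not None and rule["expires"] < today:
                findings.append((rule["name"], "expired-temporary-rule"))
            # Rule bloat: the application it served is no longer in inventory.
            if rule["app"] is not None and rule["app"] not in active_apps:
                findings.append((rule["name"], "decommissioned-app"))
        # Ordering problem: an earlier rule already matches everything this one would.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule["name"], "shadowed-by:" + earlier["name"]))
                break
    return findings


def audit_sample(today_iso="2024-01-01"):
    """Run the audit over the constructed sample rule set as of a given date."""
    return audit(parse_rules(SAMPLE_RULES), ACTIVE_APPS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, issue in audit_sample():
        print(f"{name}: {issue}")
```

Run as written, the linter leaves `allow-web-in` alone (a public HTTPS service legitimately accepts any source, but only to one host and one port), flags the vendor SSH rule as expired, flags the rule for the retired `reportsvc` application, flags `catch-all` as an unconstrained allow, and reports that `deny-default` is shadowed by `catch-all`, which is exactly the combination that turns an “allow any” into a silently open firewall.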
Archived or stored data is often forgotten when administrators focus on protecting active systems or data in motion. While encryption and other technologies are routinely applied to live data and data in transit, stored data (data at rest) is not always protected from a determined attacker. Policies for protecting data at rest, archival data and near-line data should be created with the intention of isolating those data sources from external access.
Many businesses look at a firewall as something deployed only at the edge of the network. While that may protect systems from remote attacks, it does little against an intruder who is already inside, whether through forged or stolen credentials, an advanced persistent threat (APT) or an insider. Firewalls can also be deployed internally, at the department level, segmenting the network so that a compromise in one segment cannot freely reach the others. What’s more, better monitoring, customizable policies and easier auditing all prove to be benefits of partitioning network security internally with departmental firewalls.
While a firewall may be good at blocking ports, examining packets and identifying threats, it is limited in protecting against many other attacks. With that in mind, a firewall should be only one part of a broader security architecture. Security administrators should also incorporate a network-based intrusion-detection system (IDS), endpoint anti-malware products, network antivirus software, email and web content-filtering software, URL filtering software and third-party authentication systems.
Protecting data from compromise or interception can be a complex task, further complicated by the fact that many businesses are responsible not only for their own data, but also for the data of their customers. That customer data can take many different forms, ranging from transaction-based information (such as credit cards) to sensitive medical data to most any data that can be classified as personal. Therein lies the real challenge. Businesses often are focused so much on protecting their own intellectual property they forget the liability associated with customer data, which they often use internally for business analytics and other processes.
One only has to look at the recent large-scale compromises experienced by numerous retailers, healthcare plans and other businesses to see the extent to which customer data has been compromised and the high costs associated with remediating the problems. A properly configured firewall can be a powerful ally when it comes to protecting your data, as well as your customers’ data.