I think many of us can agree that the network perimeter as we’ve known it no longer exists. In this two-part blog series we won’t spend time on the reasons for this (there are many, and you can listen to my podcast on the Disappearing Network Perimeter to hear about them), but we will review a few methods to harden your perimeter against attack and include ways to manage and reduce the complexity of your network in the meantime.
When it comes to your network edge, the first devices to examine are your routers and firewalls. They are the most common devices at the edge and also the most common area of weakness. Here are just a few “bumps in the road” that I’ve seen when it comes to these devices:
- I’ve seen many networks that have old versions of software running on their perimeter devices mainly because the network admins are comfortable with the version they’re running, or they don’t want to risk the downtime or issues of upgrading to a more stable and secure version. Outdated software gives attackers an opening to exploit. You could have the best policies in place to filter traffic at the edge, but if your devices aren’t up-to-date with the latest OS, you’re giving the bad guys an easy way in.
- Not having the appropriate access control on these devices is another common oversight. Who has the ability to make changes to these systems? Should these personnel be able to make them at any time? Even though access control is more of an internal issue, it’s still needed to protect your perimeter from attack.
- Don’t forget about your firewall rulesets and router ACLs! Firewalls and routers are designed to ALLOW traffic through them. I know we often think of them the other way around, especially with firewalls, but these devices are in place to forward traffic into your network. While a big part of their job is to block traffic, they are ultimately there to ALLOW traffic in. Just because a ruleset is locked down to certain ports doesn’t make your network secure: whatever is permitted through those ports still reaches your systems. This is where IPS/NGFW technology comes into play, but we’ll get to that in the next article.
So what can you do to ensure you’re getting the most out of your routers and firewalls? And how can you verify that these devices won’t fall out of compliance with standards and become reopened to risk? Here are some quick tips to harden your perimeter:
- Understand What’s in Your Network! Many of these issues are found by scanning, or simply by knowing, the systems that you own. Having the software version numbers of the systems you’re running, and knowing which vulnerabilities are tied to each one, is a must to keep your edge secure. Since your edge is accessible on the internet, I guarantee you that someone is scanning it for vulnerabilities, and if it’s not you, there’s reason to be concerned.
- Understand Your Security Policy! While scanning your network can help identify what’s externally available, you should also focus internally. What policies are being pushed to your routers/firewalls? Can you verify that there isn’t something insecure being sent to them in the first place? These are the questions you must ask and be able to answer to ensure a proactive method for securing your edge. Knowing who changed a policy on a router or firewall, when, and why will help limit the vulnerabilities before they’re live on the internet.
- Reduce Network Complexity! Once you identify any issues with these routers/firewalls and remediate these risks, you need to start thinking about how to reduce overall complexity. Running various disparate software versions and vendors in your network is almost never a good idea (see the latest AlgoSec report, Dangers of Complexity in Network Security Environments). This leads to different policies and features on your systems and is an overall concern for the security team that’s trying to protect it. When the need arises to perform a particular action across the board, let’s say creating a rule or limiting a service on a system, doing this across all your systems efficiently is almost impossible. This leaves unknown holes in your network that you thought were remediated, or that can’t be remediated at all. If possible, keep the software versions and vendors as similar to each other as you can to eliminate some of these issues. It’s bad enough that you’re fighting sophisticated criminals; let’s keep unneeded complexity out of it.
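The first and third tips above come down to two questions you should be able to answer from an inventory: which edge devices sit below your approved software baseline, and how many distinct vendor/version builds you are actually maintaining. The following is an added example (my own code, not from the AlgoSec report or any product) that answers both over a constructed inventory; the vendor names, version numbers and the `MIN_APPROVED` baseline are hypothetical placeholders you would replace with your own.

```python
"""Perimeter device inventory check: flag devices below an approved software
baseline and measure vendor/version sprawl. All data here is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    version: str  # dotted version string as reported by the device


def parse_version(v: str) -> tuple:
    """'15.10.0' -> (15, 10, 0) so versions compare numerically.
    Comparing the raw strings would wrongly rank '15.9' above '15.10'."""
    return tuple(int(part) for part in v.split("."))


# Hypothetical minimum approved version per vendor (placeholder values).
MIN_APPROVED = {"VendorA": "15.4.0", "VendorB": "9.1.2"}


def outdated(devices, min_approved=MIN_APPROVED):
    """Return hostnames running below the baseline, or from a vendor that has
    no approved baseline at all (unknown kit at the edge is its own finding)."""
    flagged = []
    for d in devices:
        baseline = min_approved.get(d.vendor)
        if baseline is None or parse_version(d.version) < parse_version(baseline):
            flagged.append(d.hostname)
    return flagged


def complexity(devices):
    """Count distinct vendors and distinct (vendor, version) builds; every extra
    build is one more thing that must be patched and configured separately."""
    vendors = Counter(d.vendor for d in devices)
    builds = Counter((d.vendor, d.version) for d in devices)
    return {"devices": len(devices), "vendors": len(vendors), "builds": len(builds)}


# Constructed sample inventory.
SAMPLE = [
    Device("edge-fw-1", "VendorA", "15.4.1"),
    Device("edge-fw-2", "VendorA", "15.2.4"),   # below the VendorA baseline
    Device("edge-rtr-1", "VendorB", "9.1.2"),   # exactly at baseline, passes
    Device("edge-rtr-2", "VendorC", "3.0"),     # vendor with no approved baseline
]

if __name__ == "__main__":
    print("below baseline or unapproved:", outdated(SAMPLE))
    print("sprawl:", complexity(SAMPLE))
```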
Hardening your edge at the network level is mandatory, but as we move up the stack, the ports that are open on your edge can be used against you. This is where application layer monitoring comes into play. In part 2 of this series we’ll look at ways to protect your network from application layer attacks using application layer firewalls and IPS.