In our last article we looked at how to harden your perimeter with traditional firewalls and routers. In part 2 we will continue this examination of enhancing security at the edge, but higher up the stack via an application or layer 7 approach. Just as with traditional firewalls and routers, when it comes to the application layer we need to maximize the benefits available to us with solutions, without adding too much complexity to our security operations.
The systems in place that can assist with monitoring/securing your systems from application layer attacks are Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). Here are just a few more “bumps in the road” that I’ve seen when it comes to these devices:
- Monitoring traffic at the application layer needs much love. You can’t just turn on a system like these and assume that you’ll be catching every bit of malicious traffic that comes past your interface. We’ll dig deeper into this later on, but each one of these systems needs to be tuned in order to work for your organization. Not all filters or signatures are going to be turned on by default and knowing what’s behind these security devices is going to be key (AKA Understand your network).
- Even with tuning in place you’ll still get false positives, albeit fewer, but false positives nonetheless. Management and others involved need to understand that this isn’t a silver bullet and that when properly tuned will assist with blocking malicious traffic. But the potential for false positives will always be there. What needs to be shown is the risk between having a potential false positive versus a security breach.
- These devices are always going to be in-line with your network and because of this will also be a concern as single point of failure if not configured properly. Making sure that the systems that are in place to protect your business don’t bring it down should be a priority. Having performance issues due to the signature load it’s scanning for or not having load balancing or clustering on them isn’t an option when they’re in such a delicate part of your network.
So how can you ensure that you’re getting the most out of your application layer security devices without too many false positives and outages? Here are a few quick tips to keep your network safe from application layer attacks:
- Understand what you have in the network! If you don’t know what’s on your network before purchasing one of these devices, then you’re doing it wrong. There’s a lot of ground work that needs to be taken into effect before you put out the money for one of these systems. Before you start plugging in your shiny new system, determine what you have behind it, what are users are doing on the web, the load of traffic (either this is for user traffic or for ingress production systems), etc. You need to clean your house before putting in application layer security systems. Short story short – You need to have a good baseline of your current traffic and systems in order to help determine how to tune it.
- Tune, Tune, Tune! Now that we know what systems are in place, what our traffic looks like, and what are users’ baselines might be, we can put the system in passive mode. We put a system like this in passive mode because we want to see what it would have blocked before it actually blocks it. I’ve seen some systems in large organizations that have been in passive mode for months at a time as they go through their baseline and build profiles. At the same time that you’re in passive mode it’s a good idea to start reviewing rulesets, signatures and blocking policies on your system. This helps with reducing the false positives that we mentioned above and will help you block more malicious traffic. Many times you’ll see signatures in an IPS that are available, but for whatever reason they’re not enabled. This also ties us back to knowing your environment. If you don’t have Linux in your environment it might be okay not to have these signatures enabled (you might want to in case someone’s poking around), but having the right signatures applied to your systems is crucial.
- Reduce Network Complexity! Even though these are complicated systems we still need to KISS (Keep It Simple Stupid). There’s no reason to over-complicate anything and we see that happen quite a bit in IT, especially when you’re dealing with application layer security systems. We keep coming back to this, but verifying that changes on these systems are approved and vetted before they they’re implemented is still a huge concern. Having rogue admins or hotshots trying to save the day normally end up creating bigger problems. Especially in application level filtering where the blocking might not be that obvious. (For more on network security complexity, see the latest AlgoSec report Dangers of Complexity in Network Security Environments)
So with our multiple part series complete on hardening your perimeter I hope we’ve helped bring a few things to light regarding some of the ways, headaches and complexities you might find yourself when hardening your edge. It might take some time, but in the long run it’s definitely worth it.
Subscribe to Blog
Receive notifications of new posts by email.