Fending off cyber attacks with firewall security
Last week ZDNet reported a data breach resulting in the theft of personal data for 10.6 million guests at MGM Resorts. It is reported that the attack was a part of the Chinese government’s targeting of healthcare, high-tech, travel and telecommunications sectors as part of their ongoing espionage campaigns.
In any network attack, your firewall is your first line of defense. The firewall monitors all traffic coming in and out of a network and can block, allow, throttle or flag traffic based on the established policies. Maintaining a firewall to keep up with all the latest threats, can be a daunting task. And mistakes can be costly. Gartner projects that 99% of firewall breaches occur from misconfigurations. As firewalls evolve to better protect our networks and data, the optimal configurations are also becoming increasingly complex. Today’s firewall administrator has to account for user-level policies, deep packet policies, intrusion protection, DNS firewalling and sandboxing along with all the traditional port and protocol-based configurations. Here we will look at four of those latest advancements in firewall security which can be the difference in a secure versus insecure network when configured properly.
Deep Packet Inspection
While governments and Internet Service Providers use Deep Packet Inspection (DPI) to spy on citizens and customers, enterprises commonly use DPI to prevent viruses, worms, spyware and internal data leaks. Traditionally a firewall would monitor traffic coming into and leaving a network and allow or block that traffic based on its static policies. Today with laptops, cellphones, and bring your own device policies, data doesn’t have to pass through a firewall to enter a network — it can come through the front office door. DPI allows inspecting traffic to find threats from within the network as well as threats coming from outside. DPI also allows the firewall to play a part in anti-virus protection adding one more level of monitoring
Intrusion Prevention
Next-Generation Firewalls allow for establishing intrusion prevention systems to monitor for policy violations and malicious activity. Detected intrusion attempts are forwarded to the security team for event management. In order to identify malicious traffic patterns, intrusion detection systems benefit from libraries of crowdsourced patterns. These libraries of malicious traffic patterns are generally provided by the OEM or user community making it easier to stay current on the latest threats.
DNS Firewalling
Today’s firewalls also allow for effective DNS-based protection. Phishing attacks generally rely on DNS spoofing which tricks a user into thinking they are accessing a known and safe site instead of the secure site they thought they were visiting. DNS firewalling, such as DNSWatch from WatchGuard, allows for intercepting these attacks and redirecting users to a safe landing page. Malicious DNS addresses are also automatically blocked and users are provided phishing education to heighten end-user awareness about these types of attacks.
Sandboxing
You can think of sandboxing as a padded room to temporarily place someone who may pose as a threat. The padded room (or sandbox) allows for observation in a safe environment. In the same way, a firewall can sandbox potential threats in an isolated environment where a suspected file can be executed and monitored for behavior. The sandbox eliminates the threat to the larger network until the file is deemed benign. The sandbox can even be used as a quarantine holding traffic for a specified time before allowing or blocking it.
A firewall is your first line of defense against attacks, but it is also not your only preventative measure. Any comprehensive security policy begins with establishing roles and responsibilities within your security team. Whether you are looking for infrastructure security or cloud-based security solutions we can help find a solution for you.