The edge of your network, where north-south traffic passes between your internal LAN and the internet, is probably the most important area to get right when securing your network.
You probably already have a firewall that can hopefully do some of what I'm about to describe, but unless you can say with confidence that your current firewall does everything below, I can guarantee that your network is letting threats in and you have possibly already been compromised. Let's also not forget that the firewall is also there to stop unwanted outgoing traffic and to help you keep your company's intellectual property secure.
First up is visibility. Your firewall needs to log to a centralised logging engine that can consolidate those logs into an easily digestible view and alert you to anything that needs further investigation. Those logs need to include the critical pieces of information: the source and destination IP addresses, the ports involved, the applications, who was doing it, and a link to the other log entries showing which antivirus and antispyware signatures were triggered. There is nothing worse than having to hunt through multiple different logs trying to piece together what has gone on.
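To make the point concrete, here is an added example (my own, not code or log output from the original post or any firewall product) of the consolidation step: a traffic log and a threat log, written separately as most firewalls do, are joined on the session id so that each line of the resulting view shows who, source and destination, ports, application and which signatures fired. The log format and every address, user and signature name are constructed for the example, and the "needs investigation" rule is an assumption of mine: a hit the firewall only alerted on, or any high-severity hit even when blocked, gets flagged.

```python
import re

# Constructed sample logs in a key=value style; not output from any real product.
TRAFFIC_LOG = """\
2024-05-01T10:00:01Z type=TRAFFIC session=1001 src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 app=ssl user=alice action=allow
2024-05-01T10:00:03Z type=TRAFFIC session=1002 src=10.0.0.7 dst=198.51.100.20 sport=51300 dport=8080 app=web-browsing user=bob action=allow
2024-05-01T10:00:05Z type=TRAFFIC session=1003 src=10.0.0.9 dst=192.0.2.30 sport=51400 dport=25 app=smtp user=carol action=allow
2024-05-01T10:00:07Z type=TRAFFIC session=1004 src=10.0.0.11 dst=192.0.2.40 sport=51500 dport=80 app=web-browsing user=dave action=allow
"""

THREAT_LOG = """\
2024-05-01T10:00:04Z type=THREAT session=1002 subtype=virus signature=Constructed.Trojan.Example severity=high action=block
2024-05-01T10:00:06Z type=THREAT session=1003 subtype=spyware signature=Constructed.Spyware.Beacon severity=medium action=alert
2024-05-01T10:00:08Z type=THREAT session=1004 subtype=vulnerability signature=Constructed.Scan.Noise severity=low action=block
2024-05-01T10:00:09Z type=THREAT session=9999 subtype=virus signature=Constructed.Orphan severity=high action=block
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, rest = line.split(" ", 1)
        fields = dict(KV_RE.findall(rest))
        fields["timestamp"] = timestamp
        records.append(fields)
    return records


def consolidate(traffic_text, threat_text):
    """Attach every threat event to the traffic session it belongs to, keyed on the session id."""
    sessions = {}
    for rec in parse_log(traffic_text):
        rec["threats"] = []
        sessions[rec["session"]] = rec
    orphans = []  # threat events whose session never appeared in the traffic log
    for rec in parse_log(threat_text):
        session = sessions.get(rec["session"])
        if session is None:
            orphans.append(rec)
        else:
            session["threats"].append(rec)
    return sessions, orphans


def needs_investigation(session):
    """Alert rule (assumed): a hit the firewall only alerted on, or any high-severity hit even if blocked."""
    return any(t["action"] != "block" or t["severity"] == "high" for t in session["threats"])


def summarise(sessions):
    """One line per session: who, where, which application, and which signatures fired."""
    lines = []
    for sid, s in sorted(sessions.items()):
        sigs = ",".join(t["signature"] for t in s["threats"]) or "-"
        flag = " INVESTIGATE" if needs_investigation(s) else ""
        lines.append(f"{sid} {s['user']:<6} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
                     f"app={s['app']} threats={sigs}{flag}")
    return lines


def build_view(traffic_text=TRAFFIC_LOG, threat_text=THREAT_LOG):
    sessions, orphans = consolidate(traffic_text, threat_text)
    return summarise(sessions), orphans


if __name__ == "__main__":
    view, unlinked = build_view()
    print("\n".join(view))
    print(f"{len(unlinked)} threat event(s) could not be linked to a session")
```

The orphan count is worth surfacing on its own: a threat event that cannot be tied back to a session is exactly the "hunting through multiple logs" situation the author describes, and usually means the two logs are not sharing an identifier.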
Secondly, your firewall needs to support Layer 7 application visibility and control. Most solutions can identify applications on ports 25 and 80, but that is no longer good enough: any Layer 7 functionality needs to work on all ports and protocols. Applications, and more importantly Advanced Persistent Threats (APTs), can change ports, and most web traffic is now encrypted and therefore on port 443 by default, which makes any solution that only works on a limited set of ports next to useless.
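As an added illustration (mine, not from the original post or any vendor's engine) of why port-based identification fails, the following compares a port lookup table with content-based identification that reads the first bytes of the client's payload and ignores the port entirely. The signatures are deliberately minimal (an HTTP request line, the TLS ClientHello record header, the SSH banner, an SMTP greeting) and the sample flows are constructed, not captured; the policy function is my assumption that anything the content engine cannot identify is held for inspection rather than allowed on the strength of its port.

```python
import re

# Port-to-application table of the kind a port-based firewall relies on
PORT_APPS = {22: "ssh", 25: "smtp", 80: "web-browsing", 443: "ssl", 8080: "web-browsing"}

# Content signatures: what the first bytes of the client payload look like, port ignored
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
SMTP_RE = re.compile(rb"^(EHLO|HELO) \S+\r\n")


def identify_by_port(dport):
    return PORT_APPS.get(dport, "unknown")


def identify_by_content(payload):
    if HTTP_RE.match(payload):
        return "web-browsing"
    # TLS record: content type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if SMTP_RE.match(payload):
        return "smtp"
    return "unknown"


# Constructed sample flows: (destination port, first client bytes). Not real captures.
FLOWS = [
    (80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    (443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20),
    (25,   b"EHLO mail.example.com\r\n"),
    (8080, b"SSH-2.0-OpenSSH_9.6\r\n"),                       # SSH carried over a 'web' port
    (443,  b"GET /status HTTP/1.1\r\nHost: 203.0.113.5\r\n"),  # plaintext HTTP on the TLS port
    (443,  b"\x7f\x01\x9a\x42\x00\x00\x10\x2c"),               # matches nothing: a genuine unknown
]


def classify(flows):
    """(port, what the port says, what the content says) for every flow."""
    return [(port, identify_by_port(port), identify_by_content(payload)) for port, payload in flows]


def mismatches(flows):
    """Flows where trusting the port would have labelled the traffic wrongly."""
    return [row for row in classify(flows) if row[1] != row[2]]


def policy_action(content_app, allowed):
    """Decide on the identified application; anything unidentified is held for inspection (assumed policy)."""
    if content_app == "unknown":
        return "inspect"
    return "allow" if content_app in allowed else "deny"


if __name__ == "__main__":
    for port, by_port, by_content in classify(FLOWS):
        print(f"dport={port:<5} port-based={by_port:<13} content-based={by_content:<13} "
              f"action={policy_action(by_content, {'web-browsing', 'ssl', 'smtp'})}")
```

Three of the six constructed flows are mislabelled by the port table, and one of those three (the unidentifiable bytes on 443) is the case the author's later section is about: the port engine would call it SSL and allow it, while a content engine at least knows that it does not know.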
Third, the firewall must have a built-in IPS engine that assesses traffic as it passes through and automatically blocks anything known to be bad. This is a given nowadays on all enterprise-grade firewalls, but can yours really do it? Does turning it on cause the firewall's throughput to drop considerably?
Antivirus and antispyware is the fourth item on the list. The firewall should be able to scan both inbound and outbound traffic for known viruses and take action against them. The AV and AS signature databases that power this functionality need to be actively maintained and updated by the firewall's manufacturer. Updates should be provided frequently and installed on the firewall automatically, without you having to tell it to do so, and the firewall should certainly not need a reboot to install updated signatures.
The last, and possibly most important, item on the list is: what do you do with the unknown?
Firewalls have traditionally been very good at dealing with the known good and the known bad, but what about the latest zero-day threat, or some new application that has just been released and isn't yet detected? The firewall must be able to take the unknown and execute it in a sandbox environment to decide whether it is good or bad, and if it's bad it must be able to turn around the relevant signatures in a short space of time so that your firewall starts detecting and blocking it.
Most infections happen within the first 24 hours of a new virus appearing in the wild, so your solution needs to tell you whether the file the MD has just downloaded is a new zero-day threat, ideally within 15 minutes, to minimise the spread of the infection and let you react quickly. Detection of the unknown needs to work on all ports and protocols all the time, and it must support a wide range of file types: executables and DLLs are a starting point, but more and more threats arrive in other forms such as ZIP files, PDF documents, Office documents and links embedded in emails. The sandbox should also not be a standalone environment; it should share information with other customers who have the same make of firewall as you, so that everyone benefits from the signatures it produces.
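The sandbox itself cannot be shown in a few lines, but the pipeline in front of it can. The following is an added example (my own code, not from the original post or any vendor) of how "known good, known bad, unknown" triage works across the file types the two paragraphs above list: files are typed by their leading bytes rather than their extension, ZIP archives are unpacked so that a DLL inside one is inspected as a DLL, Office documents are recognised as the ZIP containers they are, and every object is looked up by SHA-256 in a verdict cache before anything is submitted. Only unknowns go to the sandbox, and the sandbox's answer is written back so the next sighting of the same file anywhere is a cache hit, which is the "turn around a signature and share it" loop the author describes. The sandbox here is a constructed stand-in that decides by a marker string, the file contents and names are constructed, and the set of types routed to the sandbox, the size cap and the nesting limit are my assumptions.

```python
import hashlib
import io
import zipfile

SANDBOX_TYPES = {"pe", "pdf", "office"}  # assumed: types this example routes to the sandbox
MAX_MEMBER_BYTES = 10 * 1024 * 1024      # refuse to inflate archive members above this size
MAX_NESTING = 3                          # archives inside archives: stop unpacking at this depth
BAD_MARKER = b"CONSTRUCTED-BAD-MARKER"   # stand-in for behaviour a real sandbox would observe


def sniff_type(data):
    """Type a file by its leading bytes, not its extension (renaming costs an attacker nothing)."""
    if data[:2] == b"MZ":
        return "pe"  # EXE and DLL both carry the MZ/PE header
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # Office Open XML documents are ZIP containers carrying this manifest entry
        return "office" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def expand(objects, depth=0):
    """Yield (name, bytes) for every inspectable object, unpacking ZIP archives recursively."""
    for name, data in objects:
        if sniff_type(data) == "zip" and depth < MAX_NESTING:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = [(f"{name}/{i.filename}", z.read(i)) for i in z.infolist()
                           if not i.is_dir() and i.file_size <= MAX_MEMBER_BYTES]
            yield from expand(members, depth + 1)
        else:
            yield name, data  # an archive nested too deep is yielded as-is and not sandboxed


class VerdictCache:
    """SHA-256 -> verdict. Sharing this store is what turns one detonation into a signature for all."""
    def __init__(self):
        self._verdicts = {}

    def lookup(self, digest):
        return self._verdicts.get(digest, "unknown")

    def record(self, digest, verdict):
        self._verdicts[digest] = verdict


def triage(objects, cache, sandbox):
    """Classify each object as known-good, known-bad or unknown; only unknowns are submitted."""
    results = []
    for name, data in expand(objects):
        digest = hashlib.sha256(data).hexdigest()
        ftype = sniff_type(data)
        verdict = cache.lookup(digest)
        if verdict == "unknown":
            if ftype in SANDBOX_TYPES:
                verdict = sandbox(name, ftype, data)
                cache.record(digest, verdict)  # next sighting is a cache hit, no re-detonation
            else:
                verdict = "not-sandboxed"
        results.append({"name": name, "type": ftype, "sha256": digest, "verdict": verdict})
    return results


class ConstructedSandbox:
    """Stand-in for the vendor sandbox: records what was submitted and 'detonates' by marker lookup."""
    def __init__(self):
        self.submissions = []

    def __call__(self, name, ftype, data):
        self.submissions.append(name)
        return "malicious" if BAD_MARKER in data else "benign"


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for fname, content in members.items():
            z.writestr(fname, content)
    return buf.getvalue()


def sample_objects():
    """Constructed inputs; none of these are real files."""
    bad_dll = b"MZ" + b"\x00" * 60 + BAD_MARKER
    bundle = make_zip({"tool.dll": bad_dll, "notes.txt": b"release notes"})
    docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    return [
        ("installer.exe", b"MZ" + b"\x90" * 64),
        ("report.pdf", b"%PDF-1.7\n" + BAD_MARKER),
        ("bundle.zip", bundle),
        ("memo.docx", docx),
        ("bundle-copy.zip", bundle),  # same bytes under a new name: must not be sandboxed again
    ]


def run_demo():
    cache, sandbox = VerdictCache(), ConstructedSandbox()
    return triage(sample_objects(), cache, sandbox), sandbox.submissions


if __name__ == "__main__":
    results, submissions = run_demo()
    for r in results:
        print(f"{r['name']:<24} {r['type']:<8} {r['sha256'][:12]} {r['verdict']}")
    print("sandbox submissions:", submissions)
```

Two details carry the practical weight. The size cap and nesting limit on archive expansion are what stop the inspection engine itself from being the thing that falls over on a hostile ZIP, and the cache lookup happening on the unpacked member rather than on the archive is why the renamed copy of the bundle costs nothing: its DLL has already been seen, so the verdict is immediate and the 15-minute window the author wants is spent only on files nobody has seen before.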
I shall finish by saying that no firewall solution is going to stop a determined attacker; it is about making the cost of attacking you financially unviable and therefore encouraging the attacker to look elsewhere. If the worst should happen and you do suffer an attack, it is important that you have the visibility to determine whether that attack succeeded and to react quickly to it.