Don't Ignore the Fence
March 17, 2015
Imagine this - the White House, considered one of the best protected facilities in the world (recent events notwithstanding), decides that it has done a great job of protecting the inside, with cameras, sensors, sentries, weapons on the roof, etc. One day, the members of the media show up for their obligatory live shots in front of 1600 Pennsylvania Avenue, only to discover that the big iron fence is gone.
The Secret Service has experienced some recent lapses, but I assure you they are smart enough never to remove the fence! And yet, some elements of the infosec world are headed in that direction, by reducing the emphasis on the security perimeter.
For many years, the security perimeter has been the mainstay of network security. A strong firewall, intrusion prevention, and related systems kept intruders out, and the inside network safe. Then, we entered a new world, one in which determined hackers, now with a strong profit motive, or bad actors working on behalf of foreign powers, turned our strong perimeters into Swiss cheese.
The infosec world was a bit slow to respond to this change, but today, if you listen to many of the thought leaders, the perimeter is dead, and the focus has shifted to inside the network. There are many names for this. I have referred to the new inside focus as "detective forensics". An article from Fox Business I tweeted yesterday used the term "armoring the data". The term "breach detection" is used for a new class of products used to detect a breach before it has gone too far.
Please understand, I have no issue with any of these. They are all wonderful approaches to a growing problem. That being said, these measures need to be in addition to a strong perimeter, NOT in place of it. A strong perimeter defense still fills an important role in today's information security planning.
A recent article in Security Week breaks intrusion threats down into three categories:
Generic - Opportunistic, non-targeted threats. These are the drive-bys of the hacker world. Hackers are looking to break into something, and happen upon your network.
Targeted - These attacks are aimed directly at you for one reason or another. Hackers want something they think you have, and they are after you to get it.
Invasive - These attacks are the in-laws of the hacking world. They come to stay a while. They want not only what you have today, but what they think you will have next month. They work to hide the footprints indicating their presence.
After the Sony and Target breaches, the infosec world began to change direction really quickly, with focus shifting to invasive and targeted threats. That has led to the de-emphasis on the perimeter. Since a perimeter is now considered impossible to maintain perfectly, many no longer focus on it at all. That in my mind is a big mistake.
I have not found any statistics providing a breakdown of generic, targeted, and invasive attacks. If we had them, I am confident that they would vary from week to week, and from company to company. Well-known companies like Anthem are much more likely to be subject to targeted or invasive attacks. An SMB, on the other hand, seems much more likely to be subject to a generic attack.
For generic attacks, and in some cases targeted ones, I would respectfully suggest that the perimeter is still king. A hacker who stumbles on your network is not likely to know anything about you, and probably will not invest much time and effort in getting through the perimeter. He/she will probe for obvious weaknesses, and then move on to the next network. Frankly, the SMB world does such a bad job of securing the perimeter that attackers don't have to look far to find a good opening.
A good firewall, maintained and monitored, is still likely to send the generic hacker on to the next network. I would suggest, however, that the same firewall still plays a major role in addressing targeted and invasive attacks. Referring back to my White House analogy, I am sure their fence is armed with all sorts of sensors that let the Secret Service know that someone is approaching. The logging of suspicious activity and anomalies by a firewall provides similar insight into what is happening at the infosec perimeter: repeated connection attempts to ports you don't expose, scans across many ports from one source, or requests for paths that only an exploit would ask for. The main problem, however, is that most firewall owners pay no attention to log information, at least until after an event occurs. Matthew 24:43 says "But understand this: If the owner of the house had known at what time of night the thief was coming, he would have kept watch, and would not have let his house be broken into." We do have some chance of knowing that an attack is coming, if we would only pay attention to it.
Some years ago, I set up the security measures for a small consumer-facing web application, and I monitored logs religiously. I would constantly see attempts from IP addresses in China to use known exploits to get through. My fence kept them out, and monitoring the logs allowed me to block the addresses to prevent them from persisting.
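The log-watching described above, as an added example (this is not the author's own code, nor any product's): a small Python script that parses constructed Apache/nginx-style access-log lines, matches each request path against a short list of illustrative exploit-probe signatures, and marks a source address for blocking once it sends a threshold number of probes inside a sliding time window. The sample log lines, the signature list, the threshold and window, and the iptables rule format it emits are all assumptions for illustration; a real deployment would feed it the firewall's or web server's own logs and tune the signatures to the application.

```python
"""Detection over web-server access logs: flag source addresses that keep
probing for known exploit paths, and emit firewall block rules for them.
Added example; the log lines, signatures and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (RFC 5737 test
# addresses); they are not real traffic. Lines are assumed to be in time order.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2015:02:13:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Mar/2015:02:13:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Mar/2015:02:13:05 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Mar/2015:02:13:09 +0000] "GET /cgi-bin/php?-d+allow_url_include=on HTTP/1.1" 404 209 "-" "-"
198.51.100.20 - - [17/Mar/2015:02:14:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Mar/2015:02:15:30 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [17/Mar/2015:02:17:45 +0000] "GET /admin/config.php HTTP/1.1" 404 209 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative probe signatures (assumption: a real deployment tunes these to
# what its own application does and does not serve).
PROBE_SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("cgi_bin_scan", re.compile(r"^/cgi-bin/")),
    ("admin_panel_scan", re.compile(r"^/(phpmyadmin|wp-login\.php|admin/)", re.I)),
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Name of the first probe signature the request path matches, else None."""
    for name, pattern in PROBE_SIGNATURES:
        if pattern.search(path):
            return name
    return None


def find_persistent_probers(lines, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window count of exploit probes per source IP.

    Returns {ip: {"count", "signatures", "blocked_at"}} for every IP that sent
    at least one probe. blocked_at is the timestamp of the probe that reached
    `threshold` probes within `window`, or None if the IP never got there.
    """
    recent = defaultdict(list)  # ip -> timestamps of probes still inside the window
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["path"])
        if sig is None:
            continue  # ordinary traffic: not counted against the source
        entry = report.setdefault(
            rec["ip"], {"count": 0, "signatures": set(), "blocked_at": None})
        entry["count"] += 1
        entry["signatures"].add(sig)
        times = recent[rec["ip"]]
        times.append(rec["ts"])
        # forget probes older than the window, then see if this one tips it over
        times[:] = [t for t in times if rec["ts"] - t <= window]
        if entry["blocked_at"] is None and len(times) >= threshold:
            entry["blocked_at"] = rec["ts"]
    return report


def block_rules(report):
    """iptables DROP rules, in address order, for every IP marked for blocking."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, e in sorted(report.items()) if e["blocked_at"] is not None]


if __name__ == "__main__":
    result = find_persistent_probers(SAMPLE_LOG.splitlines())
    for ip, e in sorted(result.items()):
        print(ip, e["count"], sorted(e["signatures"]), e["blocked_at"])
    print("\n".join(block_rules(result)))
```

On the sample, 203.0.113.7 is marked for blocking at its third probe (02:13:09), while the single traversal attempt from 192.0.2.44 is reported but not blocked; a one-off probe is exactly the "drive-by" the article describes, and blocking on a single hit would also punish a mistyped URL. The window matters as much as the threshold: an invasive attacker who spreads probes over days will stay under a ten-minute window, so the report (not just the block list) is what you review.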
While the new focus on breach detection can also help with basic attacks, that is not guaranteed. As Rafal Los at Security Week puts it: "But advanced security tools should be effective against less advanced attacks and attackers — right? While this is theoretically true, I think that when the focus is on the boogeyman, the less advanced threats tend to be left to someone else."
Bottom line - leave your fence up, maintain it, monitor it, and guard it. If you do the job there, you may well eliminate most of your problems before they start.