Advanced Firewalling Part Two – The Harder Stuff
Once you’ve done the easy stuff, like GEO IP filtering, Botnet filtering and Layer 7 traffic handling (if your firewall has the capability), the really good stuff is next. First on the list, assuming your firewall can do it, comes SSL DPI (deep packet inspection of SSL-encrypted traffic), which has become very important of late. Next up, and speaking of SSL, did you know that most firewall/SSL VPN clients can be set to tunnel all of your traffic back through the office? Why would I do this, you ask? How about to secure your connections when you have to use open wireless access points while traveling? Finally, we take a look at why you want to set up alerting, logging and reporting on the firewall or with third-party tools to keep you in the know.
Just a few years ago, the only SSL traffic you encountered on the Internet was the secured browser session you used to enter a credit card or interact with a bank. Nowadays, encrypted sessions are nearly ubiquitous. For example, every OneDrive or Dropbox session is encrypted. A firewall that does not decrypt cannot see inside those sessions, so each time an employee retrieves a file from a sharing site over an encrypted connection, that file bypasses your malware scanning entirely. Since your firewall is your first line of defense against malware, this is a big deal. Setting up DPI SSL scanning adds load on your firewall (and might require an upgrade to a more capable one), and it is tricky and time consuming to implement: the firewall re-signs every site’s certificate with its own certificate authority, so that CA certificate must be pushed into the trust store of every device (typically by GPO); browsers and applications that pin their certificates will break and need exemptions; and you will want to exclude categories such as banking and health care that you may have legal or privacy reasons not to inspect. Even so, it plugs this very large hole and is rapidly becoming crucial to your security.
Tunneling Back Traffic
Wise road warriors prefer a wired Internet connection to a wireless one, but in today’s world that is harder and harder to find, even in your hotel room, much less the airport or Starbucks. So how do we deal with the ubiquitous open and unencrypted Internet access points? One workaround is to fire up your VPN, RDP to your desktop and use it to get your Internet work done. That puts all your traffic in a secure, encrypted tunnel, but it assumes you have a desktop to RDP into and is cumbersome. Most firewalls allow their SSL VPN clients to be set up to “tunnel all” traffic (as opposed to the default “split tunnel”, which sends only office-bound traffic through the VPN) so that all your Internet access goes through the tunnel and out your office’s Internet connection. This is fast and easy and provides the security that an open WiFi connection simply cannot. Two caveats: you usually have to get past the hotspot’s captive portal before the tunnel can come up, and the protection only holds if DNS goes through the tunnel too, so after connecting check that your DNS server and the public address a website sees are your office’s rather than the hotspot’s.
Alerting and Reporting
The unexamined life is not worth living. Socrates said that at least 2,000 years before Facebook, though it is unlikely he foresaw 2.7M photos of breakfast burritos being posted daily. Nonetheless, one of the most important and most overlooked capabilities of your firewall is the monitoring and reporting feature set. Simply setting up alerts for certain types of pernicious or persistent threats can be a game changer. Some firewalls require an additional feature to be enabled (that is, paid for) to create useful reports, but nearly any will emit large (maybe too large) streams of data that can be shunted to external syslog server software to collect and manage. At that point, with some expertise, you can employ free tools to analyze that data: repeated denied connections from one address, an internal machine tripping the botnet filter, or a remote-access login from a country you have blocked are all things worth a same-day look.
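As an added example (not from the article), the following script shows the sort of analysis that a free syslog tool, or a few lines of your own, can perform on the stream a firewall emits. It parses constructed, generic key=value log lines (every firewall vendor has its own syslog format, so the regular expression and field names would need adjusting for a real device), flags an outside address that is denied on many ports in a short window, and raises a higher-priority alert when an internal machine is caught by the botnet filter.

```python
"""Added example, not from the article: a small analysis pass over firewall
syslog output. SAMPLE_LOG and its key=value format are constructed for this
example; every firewall vendor has its own syslog format, so the regular
expression and field names would need adjusting for a real device."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a UTM firewall might send to a syslog server.
# Addresses are RFC 5737 documentation ranges; 10.x is the protected LAN.
SAMPLE_LOG = """\
2015-03-02T10:15:01 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=22 rule=default-deny
2015-03-02T10:15:02 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=23 rule=default-deny
2015-03-02T10:15:02 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=445 rule=default-deny
2015-03-02T10:15:03 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=3389 rule=default-deny
2015-03-02T10:15:03 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=8080 rule=default-deny
2015-03-02T10:15:09 fw1 action=drop src=198.51.100.7 dst=192.0.2.10 dport=443 rule=geo-block
2015-03-02T10:16:30 fw1 action=drop src=10.0.0.23 dst=198.51.100.200 dport=6667 rule=botnet-filter
2015-03-02T10:16:31 fw1 action=allow src=10.0.0.23 dst=192.0.2.50 dport=443 rule=lan-out
2015-03-02T10:17:00 fw1 action=drop src=10.0.0.23 dst=198.51.100.200 dport=6667 rule=botnet-filter
2015-03-02T11:40:00 fw1 action=drop src=203.0.113.5 dst=192.0.2.10 dport=25 rule=default-deny
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) (?P<fields>.*)$")


def parse(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        event = dict(token.split("=", 1) for token in match.group("fields").split()
                     if "=" in token)
        event["ts"] = datetime.fromisoformat(match.group("ts"))
        event["fw"] = match.group("fw")
        events.append(event)
    return events


def detect(events, scan_ports=5, window_s=60):
    """Return (kind, source, detail) alerts for two patterns:
    - port-sweep: one outside source denied on >= scan_ports distinct
      destination ports within window_s seconds;
    - possible-compromise: an internal host blocked by the botnet filter,
      i.e. a machine trying to reach its command-and-control server."""
    alerts = []
    denied = defaultdict(list)
    for ev in events:
        if ev.get("action") == "drop" and ev.get("rule") == "default-deny":
            denied[ev["src"]].append(ev)
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(ports) >= scan_ports:
                alerts.append(("port-sweep", src, f"{len(ports)} ports in {window_s}s"))
                break   # one alert per source is enough

    reported = set()
    for ev in events:
        if (ev.get("rule") == "botnet-filter" and ev["src"].startswith("10.")
                and ev["src"] not in reported):
            reported.add(ev["src"])
            alerts.append(("possible-compromise", ev["src"],
                           f"tried to reach C2 {ev['dst']} on tcp/{ev['dport']}"))
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse(text))


if __name__ == "__main__":
    for kind, src, detail in run():
        print(f"{kind:20} {src:16} {detail}")
```

The geo-block drop in the sample deliberately produces no alert: a single blocked connection from a blocked country is the filter doing its job and belongs in a daily report, while the internal host contacting a C2 address is the line that should page someone.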
But Really . . . Why Do I Need It?
So now that you have an idea about the harder stuff, why do it? The only way to scan encrypted traffic is through SSL DPI. Without it you are essentially barricading the front door and leaving a screen door on the back. Tunneling Internet traffic over your SSL VPN connection is fast, easy and provides an immediate layer of security you can’t get otherwise on open wireless connections. And while reporting and alerting takes some effort or cost to set up and creates lots of data to analyze, without it you end up with a fantastic video surveillance system but no screens to watch the recorded video on. Logs and alerts can be all that stands between you and a persistent attacker who will eventually find a way through any single defense, so they are highly recommended.
Part One – Advanced Firewalling Easy Stuff
Modern UTM (unified threat management) firewalls provide far broader feature sets than most businesses get around to using. These devices are simply configured for the Internet circuit (or circuits), set up with some basic remote access functionality and configured to support a wireless network or two, if they have that capability. Otherwise, they are left in their default configuration when it comes to most of the more enhanced capabilities; it is like leaving the airbags enabled but never turning on the antilock brakes, traction control or other integrated safety features of your car. After all, you’ve paid for them and they offer greatly enhanced security, so why not take advantage of them to get the most out of your “perimeter security” tools?
GEO IP Filtering
Arguably the simplest and most broadly effective option is to enable geographically targeted IP filtering in your firewall. This simply drops packets from points of origin (countries, generally) that you identify, before they reach your network. For example, it is quite possible that you don’t need to allow any traffic from Moldova, or Tuvalu, or maybe even China, Russia or Iran. Normally this covers web traffic, remote access traffic and more, and on some better firewalls it is more finely configurable, so that mail can come in from a blocked country but web traffic cannot, for example. Two caveats: an attacker can obscure the point of origin of their traffic by relaying through a VPN or a compromised host in an allowed country, so this does not always work; and the country databases are imperfect, so apply it to inbound traffic first and watch the logs before blocking outbound, or you may cut off a legitimate site hosted abroad. But it is broadly effective, works well and takes very little time to configure.
Botnet Filtering
This one is a bit like using the firewall to enforce “clean DNS” but is more capable (and more frequently updated): the firewall vendor maintains a feed of addresses known to belong to botnet command-and-control servers and infected hosts, and the firewall drops traffic to or from them in both directions. Setting up Botnet filtering is a quick and very low-overhead option that will immediately block large swathes of the Internet that are owned by hackers and others who use those machines to attack others. And should you have a machine that is compromised without your knowing it, this can really save your bacon by preventing that machine from contacting its “Command and Control” server to receive instructions or report back the data it has gathered; make sure such a block generates an alert, because it is the clearest sign you will get that something inside needs cleaning. Finally, Botnet Filtering can even prevent the infection in the first place, by blocking the download from a known-bad host. Enabling this is just a checkbox away and there is no reason not to do it.
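To make the two mechanisms above concrete, here is an added example (not from the article or any firewall vendor) of a toy policy engine that applies GEO IP filtering and botnet filtering to a new connection. The country table, the command-and-control feed and the address ranges are all constructed from RFC 5737 documentation prefixes; a real firewall gets both tables from its vendor. The example goes slightly beyond the text in showing the per-service exception (mail allowed from a blocked country) and the direction in which each filter should apply.

```python
"""Added example, not from the article: a toy policy engine showing how
GEO IP filtering and botnet (C2) filtering decide on a connection.
The country table, the C2 feed and the address ranges (RFC 5737
documentation prefixes) are all constructed for illustration; they are
not real geolocation data or a real threat feed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical GeoIP table: country code -> prefixes announced from there.
COUNTRY_PREFIXES = {
    "MD": [ipaddress.ip_network("203.0.113.0/24")],
    "TV": [ipaddress.ip_network("198.51.100.0/25")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}
BLOCKED_COUNTRIES = {"MD", "TV"}   # the administrator's choice of origins to drop
GEO_EXEMPT_PORTS = {25}            # "mail can come in but not web traffic"
# Hypothetical botnet/C2 feed. A real firewall pulls this from its vendor
# and refreshes it frequently; that is what makes it better than static lists.
C2_ADDRESSES = {ipaddress.ip_address("198.51.100.200"),
                ipaddress.ip_address("203.0.113.66")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the protected LAN


def country_of(ip):
    """Look the address up in the GeoIP table; None when it is not listed."""
    ip = ipaddress.ip_address(ip)
    for code, nets in COUNTRY_PREFIXES.items():
        if any(ip in net for net in nets):
            return code
    return None


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    reason: str
    alert: bool = False  # True when a person should be told, not just logged


def evaluate(src, dst, dst_port):
    """Decide on one new TCP connection from src to dst:dst_port."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = dst_ip in INTERNAL and src_ip not in INTERNAL

    # 1. Botnet filtering runs in both directions. An internal machine
    #    reaching out to a C2 address is the "compromised but you don't
    #    know it" case, so that one raises an alert rather than a quiet drop.
    if src_ip in C2_ADDRESSES:
        return Verdict("block", f"botnet: inbound from C2 {src_ip}")
    if dst_ip in C2_ADDRESSES:
        return Verdict("block", f"botnet: {src_ip} contacting C2 {dst_ip}",
                       alert=True)

    # 2. GEO IP filtering applies to inbound connections only. Applying it
    #    outbound would break browsing of sites hosted on global CDNs.
    if inbound:
        code = country_of(src_ip)
        if code in BLOCKED_COUNTRIES and dst_port not in GEO_EXEMPT_PORTS:
            return Verdict("block", f"geo: {code} -> tcp/{dst_port}")

    return Verdict("allow", "no filter matched")


if __name__ == "__main__":
    for flow in (("203.0.113.5", "10.0.0.20", 443), ("203.0.113.5", "10.0.0.20", 25),
                 ("10.0.0.12", "198.51.100.200", 8080), ("192.0.2.9", "10.0.0.20", 443)):
        print(flow, evaluate(*flow))
```

The order matters: the botnet check runs first because a known C2 address should be blocked whatever country it sits in, and only the outbound C2 hit carries an alert, since that is the one that tells you a machine inside is already infected.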
Layer 7 Traffic Inspection
All data traffic is characterized as belonging to one of seven “layers” in the OSI model, starting at the physical (Layer 1) and going to the application (Layer 7). This top or seventh layer is where your actual interaction with your software happens, and it is there that your firewall can work some of its most impressive magic. Rather than trusting the port number, a Layer 7 engine looks at the content of the first packets of a flow (the hostname requested, the shape of the protocol handshake) to decide what application it really is. Want to allow Facebook usage but not Facebook chat? You can do it here. Worried your staff will be duped into installing a “codec” to watch a video that is actually an attack? You can control that here; there are some very sophisticated attacks that happen at this layer that you can thwart this way. Managing your network traffic at Layer 7 takes a bit more planning and time to execute with your IT support team, but it is well worth your efforts.
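As an added example (not part of the article or any vendor’s product), here is how a Layer 7 engine can tell which application a flow belongs to from its first client bytes, ignoring the port number: it reads the Host header of a plain HTTP request, or the Server Name Indication (SNI) that a TLS client sends in the clear in its ClientHello, and matches the hostname against a signature table. The ClientHello is constructed inside the script so it runs offline, and the three-entry signature table is a hypothetical stand-in for a firewall’s application signatures.

```python
"""Added example, not from the article or any vendor: how a Layer 7 engine
identifies the application behind a flow from its first client bytes. The
TLS ClientHello is constructed here so the parser has realistic input, and
APP_SIGNATURES is a hypothetical three-entry stand-in for a firewall's
application signature set."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension
    (and one unrelated extension before it, so the parser must skip it)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    ext_groups = struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x001D)
    extensions = ext_groups + ext_sni
    body = (b"\x03\x03" + b"\x11" * 32                   # version, random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(data: bytes):
    """Return the server name a TLS client asks for, or None. The SNI is
    sent in the clear before any encryption starts."""
    if len(data) < 5 or data[0] != 0x16:         # 0x16 = handshake record
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:             # 0x01 = ClientHello
        return None
    try:
        pos = 4 + 2 + 32                         # header, version, random
        pos += 1 + hs[pos]                       # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                       # compression methods
        if pos + 2 > len(hs):
            return None                          # no extensions present
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                  # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace").lower()
            pos += elen
    except (IndexError, struct.error):
        return None                              # truncated or malformed
    return None


def http_host(data: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.partition("\r\n\r\n")[0].split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return value.strip().lower()
    return None


# Hypothetical signatures: hostname (or parent domain) -> application label.
APP_SIGNATURES = {"facebook.com": "facebook",
                  "chat.facebook.com": "facebook-chat",
                  "dropbox.com": "dropbox"}


def identify(first_client_bytes: bytes):
    """Classify a flow as (protocol, hostname, application)."""
    host, proto = http_host(first_client_bytes), "http"
    if host is None:
        host, proto = tls_sni(first_client_bytes), "tls"
    if host is None:
        return ("unknown", None, None)
    # Longest signature first so chat.facebook.com beats facebook.com.
    for sig in sorted(APP_SIGNATURES, key=len, reverse=True):
        if host == sig or host.endswith("." + sig):
            return (proto, host, APP_SIGNATURES[sig])
    return (proto, host, None)


if __name__ == "__main__":
    print(identify(build_client_hello("chat.facebook.com")))
    print(identify(b"GET / HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"))
    print(identify(b"\x00\x01\x02 something else"))
```

The SNI field is why a firewall can distinguish chat.facebook.com from www.facebook.com before it decrypts anything; what it cannot see without DPI SSL is the content of the session that follows the handshake.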
But Really . . . Why Do I Need It?
So now that you have a broad idea of some of these tools that may already be part of your firewall’s feature set, are you still wondering why you would bother with them? Let’s review. GEO IP filtering is fast and easy to configure and rarely causes issues, especially if you filter email upstream and don’t have your email server open to the world. Just do that. The same goes for Botnet Filtering. There is no downside here at all. Just do that too, if your firewall supports it. Layer 7 inspection puts a larger load on your firewall (it has much more complicated scanning to do), so that might not fly if your firewall is underpowered for the job, or just doesn’t offer this. But if you can, using Layer 7 inspection can preserve bandwidth and protect against sophisticated attacks.
Two Factor Authentication (TFA) – Beyond Passwords
We all know that good passwords are complicated, should be different for every use and should change frequently. We also know how hard that is to implement, enforce and track. So what do we do about this? Two factor authentication (TFA), which combines your username and password with something you have (a token) or something you are (biometrics), comes to the rescue. One time passwords (OTP), which are one way to implement the second factor, are a very good, low-cost option that might already be part of your existing firewall. Let’s take a closer look.
Something You Have (Tokens)
The most common type of two-factor authentication combines your username and password with a “token” device (or a smartphone app) that displays a six- or eight-digit code you type in to gain access. These codes change every 30 or 60 seconds and are derived from a secret shared only between the token and the server, so a code that leaks is worthless moments later. You may already use these to access banking or brokerage account(s), both very common scenarios. Adding token-based TFA to protect remote access is relatively easy and cheap to do and is very secure, with one caveat: a code typed into a convincing phishing page can still be relayed by the attacker within its validity window, so user training remains part of the picture. The tokens are reliable but you have to remember to have them with you!
Something You Are (Biometrics)
Biometrics technology has migrated from the movies to everyday use over the past decade. Examples include fingerprint sensors (laptops and smartphones, usually), retinal or iris scanners (most often used to protect physical access to controlled areas) and facial recognition (smartphones again). Biometrics tend to be harder and more expensive to implement than token-based two factor authentication, and false rejections of legitimate users are still a bit of a problem. On the other hand, you cannot forget to carry your finger with you!
On the Cheap – One Time Passwords
One Time Passwords (OTP) delivered to your smartphone are very simple and straightforward. You try to access your network remotely and, in addition to your username/password combination, you are immediately sent (by email or text message) a single-use code that you must add to your standard credentials in order to gain access. OTPs are most commonly used to protect remote connections, but have other uses as well. Bear in mind that a code sent by text or email is only as safe as the phone number or mailbox it goes to (SIM-swap fraud and hijacked mailboxes are real), so a token or authenticator app is the stronger choice where you can get one. Still, the best news of all is that OTP is built into the best new firewalls and can be implemented in less than an hour!
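For the token and one-time-password sections above, here is an added example (not from the article or any firewall’s code) of the TOTP algorithm (RFC 6238) that most hardware tokens and authenticator apps run, together with the verification a VPN or firewall performs: a small clock-skew window, constant-time comparison, and a record of the last step accepted so a captured code cannot be replayed. The shared secret is the RFC’s published test key and the single-user store is a constructed stand-in for the firewall’s user database.

```python
"""Added example, not from the article: the time-based one-time password
algorithm (TOTP, RFC 6238) that hardware and smartphone tokens run, and
the server-side verification a firewall or VPN performs. The secret below
is the RFC's own published test key; the user store is a constructed
stand-in for the firewall's local user database."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the last `digits` decimal digits, zero padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second
    periods since the Unix epoch. Tokens display a new code every step."""
    return hotp(secret, unix_time // step, digits)


def matching_step(secret, submitted, unix_time, step=30, digits=6, skew=1):
    """Return the time step whose code matches `submitted`, trying the
    current step and +/- `skew` neighbours to tolerate clock drift between
    token and server; None if nothing matches. compare_digest keeps the
    comparison constant-time so timing does not leak matching digits."""
    counter = unix_time // step
    for delta in range(-skew, skew + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


def verify(secret, submitted, unix_time=None):
    """Plain yes/no check without replay tracking (what a token test does)."""
    if unix_time is None:
        unix_time = int(time.time())
    return matching_step(secret, submitted, unix_time) is not None


# Constructed user store. The TOTP secret is enrolled once (usually via a
# QR code) and lives only here and inside the token. last_step records the
# most recent step accepted so a code captured on the wire cannot be replayed.
USERS = {"alice": {"password": "correct horse battery",
                   "totp_secret": b"12345678901234567890",
                   "last_step": 0}}


def login(username, password, code, unix_time=None):
    """Two factors: something you know (password) and something you have
    (the token that produced `code`). Both must pass; a correct password
    alone gets nobody in."""
    if unix_time is None:
        unix_time = int(time.time())
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(),
                                               password.encode()):
        return False
    step = matching_step(user["totp_secret"], code, unix_time)
    if step is None or step <= user["last_step"]:
        return False        # wrong code, or a replay of an already used one
    user["last_step"] = step
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print("code at T=59:", totp(secret, 59), "(RFC 6238 vector: 287082)")
    print("login:", login("alice", "correct horse battery", totp(secret, 59), 59))
    print("replay:", login("alice", "correct horse battery", totp(secret, 59), 59))
```

The skew window is the trade-off the administrator sets: one step either side keeps users with slightly wrong clocks working, while the last-step record ensures that widening the window never lets the same code be accepted twice.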
But Really . . . Why Do I Need It?
So now that you understand your options, you may still wonder: why do I need two-factor authentication? Let’s review three things. First, passwords are very hard to make secure, keep secure and manage. Second, your employees will almost always find a way around your security policies, including sharing passwords, using overly simple passwords, or simply writing passwords on notes attached to their monitors. With two factor authentication you add that extra layer of security, so that even with a valid username/password, without that second factor (token or biometrics) you are not getting in.
Finally, take a moment to consider the following scenario. You have to lay off someone one day, someone pretty computer savvy. They leave and you shut down their user account, but they know how things work there and they know other users’ passwords. If those other accounts are not protected by two-factor authentication, you have to change EVERY password in the company to lock that person out; if they are, the passwords they know are useless without the tokens those users still hold. Two factor authentication not only adds a layer of protection to your network for your staff, it gives you the control you need to quickly and effectively lock things down when staff changes.
Let’s talk about password security. There are truly bad passwords, like your username, or “password.” There are better passwords, like “Mike04!” for example (though a name plus a number plus a symbol is a pattern cracking tools try early). And there are really good passwords like #94hwer0n, but they often end up taped to your monitor or under the keyboard. Not so good. So how should we handle password security in our world of hackers and hundreds of passwords? There are three elements of better passwords: complexity, length and randomness. And there is a “fourth dimension” as well, that of time. No matter how good that password is, you do need to change it over time, and immediately if there is any chance it has leaked.
Complexity refers to how hard it would be to guess your password. It is generally accepted that “real” or dictionary words are easier to guess than strings that do not appear in a dictionary (or a list of proper names), because cracking tools try whole dictionaries before they try anything else. Passwords of greater complexity also use punctuation marks, symbols and numbers, that is, any character that is not a letter, which enlarges the set of characters an attacker has to try at each position. Finally, password complexity also increases with password length, which we’ll address next.
Length is pretty simple: the longer the password the better, with some caveats. Seven characters is the bare minimum many systems will accept; aim for 12 to 15, and consider longer “passphrases” for your most important accounts (more on those later). Very short passwords are obviously easier to guess, while truly long ones take you past the point of diminishing returns, since a complex 15-character password is still beyond the common brute force or guessing methods today.
The third aspect of passwords is their “randomness” or uniqueness. Patterns, proper nouns, or even passwords generated by overly simple algorithms (such as your birth date and the name of your pet) are too easy to guess, since cracking tools know those algorithms too. Much better for password security are passwords based on strings that do not appear in any dictionary, interspersed with punctuation and numbers. And even better are long, truly random passwords generated by software, which nobody can remember and which therefore belong in a password manager.
Three Tricks for Good Password Security
Three easy ways to create strong, memorable passwords involve character replacement, mnemonics or random generation. Character replacement is as simple as toggling Caps Lock while you type your password, or maybe just for the first or last three characters; be aware that cracking tools apply the common substitutions (capitalizing, swapping 0 for o, adding a digit at the end) automatically, so this adds less than it seems. Using mnemonics involves creating a phrase, and then using the first letter of each word to create a password. Of course, the most secure passwords are truly random ones created and managed by password software.
The Best Compromise(s)
You need to determine how secure any given password must be. The one that you use to login to Facebook probably doesn’t need to be as secure as the one you use for your brokerage account. So do a bit of triage and then come up with simple, complex and fiendish passwords as needed.
– For simple needs, a mix of numbers, letters, and punctuation will suffice.
– For more secure needs, a long nonsense passphrase with some substitution might work.
– At the high end, use good random password/phrase generator and management software.
Want a fun test? Try the password difficulty calculator at https://howsecureismypassword.net/. It will give you a quick idea of how strong your password security is. Do not type a real password into any web page other than the one it belongs to; test one built the same way instead.
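As an added example (not from the article), here is the arithmetic behind complexity, length and randomness: it estimates the brute-force search space of a password from the character classes it contains, compares that with a randomly chosen passphrase, and converts the result to cracking time at two assumed guess rates. The two rates are illustrative assumptions, not measurements of any hardware, and the figure produced is an upper bound: a dictionary word with a digit on the end falls in seconds regardless of what the formula says.

```python
"""Added example, not from the article: brute-force search-space arithmetic
for passwords and passphrases. The guess rates are assumptions chosen for
illustration, not measurements of any particular attacker or hardware."""
import math
import string

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def keyspace_bits(password: str) -> float:
    """Bits of a blind brute-force search over the character classes the
    password actually uses. This is an UPPER bound: dictionary words and
    keyboard patterns are tried long before the space is exhausted."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Bits for `words` words chosen uniformly at random from a word list
    (7776 entries is the size of a standard diceware list). The attacker is
    assumed to know the list, so only the choice of words counts."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given rate; on average an
    attacker succeeds in half of this."""
    return 2.0 ** bits / guesses_per_second


def human(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Two assumed attacker models (illustrative, not measured):
ONLINE_THROTTLED = 100.0   # guesses/s against a login page that rate-limits
OFFLINE_FAST_HASH = 1e11   # guesses/s against leaked, fast, unsalted hashes


def triage(candidates):
    """Map each candidate to (bits, time at the offline rate) so the three
    tiers in the text (simple, complex, fiendish) can be compared."""
    return {p: (round(keyspace_bits(p), 1),
                human(seconds_to_exhaust(keyspace_bits(p), OFFLINE_FAST_HASH)))
            for p in candidates}


if __name__ == "__main__":
    for pw, (bits, t) in triage(["Mike04!", "#94hwer0n", "#94hwer0nAbcDEF"]).items():
        print(f"{pw:20} {bits:5.1f} bits  offline: {t}")
    print("4 random diceware words:", round(passphrase_bits(4), 1), "bits,",
          human(seconds_to_exhaust(passphrase_bits(4), OFFLINE_FAST_HASH)))
    print("same 4 words, online rate:",
          human(seconds_to_exhaust(passphrase_bits(4), ONLINE_THROTTLED)))
```

Two things the numbers make visible: each extra character multiplies the work by the alphabet size, so length beats adding one more symbol class, and the same password that survives years against a throttled login page can fall in hours once the hash database leaks, which is why the high-end tier belongs to random generators and a password manager.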
Of course, there is still quite a bit to wrestle with here on password security, but if this were actually easy, you wouldn’t need to read about it here. So maybe you’re asking yourself if there is a better way, something stronger but simpler than passwords. Stay tuned for our next topic – multi factor authentication.
For network security, we are going to assume you’ve got a modern unified threat management (UTM) firewall doing deep packet inspection, assume you’ve got signature-based antivirus running on your servers, desktops and laptops, and assume you’ve got a comprehensive, managed patching system in place that covers both Microsoft and third-party patches for servers, desktops and laptops. You might even be going that extra mile and training your users!
But there is so much more to truly securing your network, your systems and your data. Network security is neither a product, nor a service, but an ongoing process. And remember, without proper and regular user training the most secure network is like a submarine with a screen door. Say it after me: security is products, services and procedures. This is the first article in a series; we’ll drill down on each of these “twelve steps” to network security in the weeks following:
1) Better Passwords. This may seem “done to death” but the reality is that most passwords are still too simple to guess or crack with software tools, are used too broadly across devices or sites and are changed far too infrequently. Every year the list of top ten passwords still includes such gems as “password” and “12345”, so this is a pretty low bar to clear. Getting serious about passwords is the quickest step you can take to improving security.
2) Two Factor Authentication (TFA). This is the next step beyond passwords. TFA is usually described as something you know plus something you are (biometrics) or something you know plus something you have (token based). These solutions can be as simple as issuing “one-time passwords” by text or email upon every remote connection. Many UTM Firewalls and/or SSL VPN remote access devices have these capabilities built in.
3) UTM Firewalls – The Simple Stuff. Very few businesses get the most out of their UTM firewalls. For example, many UTMs can do “geo IP filtering”, allowing you to block packets originating from any country. Do you really need traffic from Belarus or Moldova? You can also filter your traffic at “Layer 7” on some, so you can block such potentially harmful and bandwidth-wasting traffic as chat streams, software downloads and more.
4) UTM Firewalls – The Harder Stuff. Firewalls do not scan encrypted traffic by default. This means every connection to Dropbox, OneDrive, or any other SSL site bypasses scanning! The answer is DPI SSL, a feature of better UTM firewalls. Separately, you can protect your road warriors on “open” wireless connections by tunneling traffic from your remote users through your Internet connection. This is also provided by better UTMs.
5) Advanced Wireless. You can manage wireless access points and add a layer of security to your wireless implementations. You can force encryption of the entire data stream, scan for “rogue” access points or even shut them down completely. You can setup “wireless guest services” that control who can connect and when. You can have multiple “virtual SSIDs” so that some users get out to the Internet only, while some have network access, and more.
6) Network Access Control and Proximity. Let’s touch on managing access to your network internally. Yes, you’ve got credential authentication (username and password) protection in place. Did you know that you have built-in MAC address filtering in the DHCP Manager of Windows Server 2012/R2? Treat it as housekeeping rather than a barrier, since a MAC address is trivially changed and a machine with a static IP address skips DHCP entirely; real enforcement needs 802.1X on the switch ports. And you HIPAA folks, did you know you can set a machine to automatically log out a user who moves away from it (think RFID)?
7) Outsourced Email Filtering. Everybody knows spam is more than an annoyance – it is a prominent source of phishing and other “social engineering” attacks. So email filtering is a must, and by moving it to the right external vendor you gain the ability to lock your email server down to accept mail only from the vendor’s address range, better management of your bandwidth and an email spooling location should your email server be offline.
8) Clean DNS & Web Filtering. Just by using one of the “clean DNS” services as your primary and secondary external DNS servers you can protect yourself against an ever-growing list of sites that can attack you simply by visiting them – the “drive-by” download. Web filtering is usually done in the firewall, but did you know you can also extend it to devices not behind the firewall, such as laptops in the field, with the right software?
9) Data Encryption At Rest. This refers to encrypting your data in place: on your server, your desktops and laptops, on your phones and your backups. This can be done at the hardware level on the server (right in the RAID controller and on the drives), at the OS level for your desktops, laptops and portables, and in software for tape or disc backups. This protects you both against physical site thefts and loss of data on portable devices.
10) Data Encryption In Motion. This refers to data that moves outside the perimeter of your building(s), on laptops, tablets and phones. We are also talking about the “streaming” of data over the Internet that you experience whenever someone connects remotely, when you upload data to other locations and when your automated off-site backup (you do have that, right?) happens. For the most secure sites, this includes all wireless (WiFi) traffic as well.
11) Data Security at Rest. This refers to your ability to back up and keep safe your site’s live data and its configuration data (server configuration, user and site setup, device config and more). Nearly everyone believes they have backup handled, but the reality is very few do. Having effective backup is complicated and few businesses understand that real backup is about data, server imaging, off-site storage, business continuity, disaster recovery and more.
12) Data Security In Motion. This refers to data that travels with you, data that gets created outside your network and data moving in and out of your network through that leaky mechanism known as the Internet. Scanning encrypted data is tough and cumbersome for most UTM Firewalls, but absolutely necessary. And finding a way to enforce scans on machines that move outside the network is crucial as well.
Summing it All Up
Obviously, securing your business is complicated. There is always a trade-off between ease of use and time, effort and expense. There are no secure networks any more than there are safe drivers. But there are certainly more secure networks. It all comes down to figuring out how far you want to take your network security efforts and building the right products and procedures around that decision. Call Net Sciences and let us guide you through the network security maze, making the right and most cost effective decisions to protect your network, your data, and your business!
Network Backup – What are the three most important things I need to do?
To be truly effective at network backup, you must cover all three “vectors”. These three areas are first, Classic Data Backup (documents, email, databases, etc.), second, Imaging or Snapshots of physical or virtual machines, and finally, an Off-Site component in order to get you started on the road to business continuity and disaster recovery.
Classic Data Backup
This is the “classic” backup that many of you actually are performing today for your network backups. Whether you have automated backups to tape through software like Backup Exec, a Windows Backup job to a USB drive, something running to an off-site location or perhaps even a combination of the above, you are probably backing up at least some of your data. Are your backups “granular” enough to restore just one email message? Can you roll back to earlier versions of your files? Do you have the ability to back up data from one server to the tape or hard drive(s) connected to your primary server? Do you have the time (backup windows) to get it all done? Even the simple stuff can be complex.
Imaging or Snapshots
So now let’s talk about getting backups of the actual installation and configuration of your network. That means your Windows Servers and Active Directory, Exchange, SQL, and other servers. This includes the configuration of your network (users, groups, shares, permissions), and other site specific details that make your network yours. There are many further details to consider as well. Do you have frequent enough image backups? Where are these backups located; if they are only on the drive of the server backed up, what happens if it is gone? And will they restore to “dissimilar” hardware, so that they will work on the new server you will need to buy after that fire?
Off-Site Backup
Let’s assume you have a complete data backup and configuration or imaging solution in place and that you can count on it when you need it. So what happens when the entire server and its connected USB backup drive have been stolen? Or if the building has been soaked by the sprinkler system that put out the server room fire? It all comes down to off-site data, be it on tapes, drives or that Internet-based remote backup you do. Tapes are easy in this sense, as they can simply be transported off-site on a regular schedule. Disc and other strategies generally require you to replicate data off-site to another site or to an Internet-based service.
Of course, you have to have some sort of device as a backup “target” to start. Tape is still a good option for small business, despite what you may have heard. Tape is faster than most disc-based options (up to 250G/hour) and cheaper ($50/Terabyte) than most other options.
Being removable and tough, tapes are easier to transport off-site as well. Backing up to disc does offer some nice advantages. Hard drives are cheaper than tape drives, though NAS (network attached storage) can be pricey. Disc backup is easier and faster to use once you actually have to perform that critical restore. And finally, disc backup provides some features (data deduplication, for example) that tape does not.
Three Needs, One Strategy
There is no one answer to all of these questions, but with a little help, you can stitch together a full solution. Symantec’s Backup Exec SBS Suite includes the ability to execute data backup to disc or tape, including Exchange, SQL and SharePoint. Also included in the package is the imaging capability to capture the configuration of your network and servers, with recovery to different server hardware.
Complemented with an off-site strategy, this gives you the basic tools you need. But tools alone are not a plan. If you are far enough along to be considering such things as communicating with employees in the case of disaster, or locating a secondary business site, you need a plan for that. Business continuity and disaster recovery planning comprises much more than just a backup strategy.
Details and More
Is your data encrypted or password protected on the media you backup to in case of loss or theft? How often do you do your imaging and can you use it to bring up different servers if you lose your existing ones? How about restores; are you testing them? How do you manage your backup media, secure it and make sure it is available when you need it? And how do you monitor all of these backups to make sure they get done?
Over the past few years, newer options such as continuous data protection (CDP) and backup and disaster recovery (BDR) appliances have arrived as well. CDP provides continuous backups of your data right as it changes; no more scheduled backups. BDR devices can virtualize your existing server(s) and keep you going in the event of a loss of one or more of your servers. These BDR devices can reside at your site or be hosted off-site as well.
Planning and executing a truly effective and comprehensive backup strategy is just one of the many services that Net Sciences provides our customers. We can help you make sure that you have all the bases covered and work with you to design and refine your disaster recovery planning. Meet with us and discuss your backup, business continuity and disaster recovery strategy. At Net Sciences, we watch over your data so that you don’t have to.
I speak with business owners all the time that say things like, “but my data isn’t valuable to anyone.” This usually leads me to ask them whether they think that vandals that “key” cars do it because they need the paint. The bottom line is that your network is always under attack, whether it be targeted or simple Internet vandalism. The answer is to implement a “layered” defense scheme at the perimeter, server(s) and desktop.
Securing your home wireless network is easier than ever before. Improving the security of your home or office wireless network is a relatively painless three-step process. You will learn to change the SSID of your wireless device (alter), use MAC address lock down (filter) and enable WPA2 encryption to (protect) your connection. This entire process can be accomplished in 15 minutes.