Part One – Advanced Firewalling Easy Stuff

Modern UTM (unified threat management) firewalls provide far broader feature sets than most businesses get around to using. These devices are typically configured for the Internet circuit (or circuits), set up with some basic remote access functionality and configured to support a wireless network or two, if they have that capability. Otherwise, they are left in their default configuration when it comes to most of the more advanced capabilities; it is like leaving the airbags enabled but never turning on the antilock brakes, traction control or other integrated safety features of your car. After all, you’ve paid for them and they offer greatly enhanced security, so why not take advantage of them to get the most out of your “perimeter security” tools?

GEO IP Filtering
Arguably the simplest and most broadly effective option is to enable geographically targeted IP filtering in your firewall. This simply prevents packets from points of origin (countries, generally) that you identify from getting into your network. For example, it is quite possible that you don’t need to allow any traffic from Moldova or Tuvalu, or maybe even China, Russia or Iran. Normally, this includes web traffic, remote access traffic, and more. And yes, on some better firewalls, this is more finely configurable so that mail can come in but not web traffic, for example. And yes, it is true that the point of origin of traffic can be obscured, so no, this does not always work. But it is broadly effective, works well and takes very little time to configure.

Botnet Filtering
This one is a bit like using the firewall to enforce “clean DNS” but is more capable (and more frequently updated). Setting up Botnet Filtering is a quick and very low-overhead option that will immediately block large swathes of the Internet that are owned by hackers and others who use these machines to attack others. And should you have a machine that is compromised without knowing it, this can really save your bacon by preventing the compromised machine from contacting its “Command and Control” server to receive instructions or report back the data it has gathered. Finally, Botnet Filtering can even prevent the machine infection in the first place. Enabling this is just a checkbox away and there is no reason not to do it.
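To make the two policies above concrete (GEO IP filtering with a per-service exception, and Botnet Filtering applied in both directions), here is an added example of the decision logic a firewall performs per flow; it is not code from any firewall product. The GeoIP table, country codes and botnet list are constructed from RFC 5737 documentation ranges and are hypothetical, not real allocations or indicators.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed lookup tables standing in for a firewall's GeoIP and botnet
# feeds. CIDRs are RFC 5737 documentation ranges; the country codes are
# hypothetical and assigned arbitrarily for this example.
GEOIP_TABLE = {
    "192.0.2.0/24": "XA",      # hypothetical blocked country
    "198.51.100.0/24": "XB",   # hypothetical blocked country
    "203.0.113.0/24": "XC",    # hypothetical allowed country
}
BLOCKED_COUNTRIES = {"XA", "XB"}
# Per-service exception, as on firewalls that let mail in but not web:
# country -> TCP ports still accepted from that country (25 = SMTP).
COUNTRY_PORT_EXCEPTIONS = {"XA": {25}}
# Constructed botnet / C2 indicator list (single hosts and ranges).
BOTNET_NETS = ["198.51.100.77/32", "203.0.113.128/25"]

_GEO_NETS = [(ipaddress.ip_network(c), cc) for c, cc in GEOIP_TABLE.items()]
_BOT_NETS = [ipaddress.ip_network(c) for c in BOTNET_NETS]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the GeoIP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in _GEO_NETS if addr in net]
    return max(hits)[1] if hits else None


def is_botnet(ip: str) -> bool:
    """True if ip falls inside any entry of the botnet list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _BOT_NETS)


def decide(src: str, dst: str, dport: int, direction: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow; direction is 'in' or 'out'."""
    # Botnet filtering applies both ways: inbound from known-bad hosts and
    # outbound to them (a compromised host phoning home to its C2 server).
    if is_botnet(src) or is_botnet(dst):
        return "DROP", "botnet-list"
    # GeoIP filtering applies to inbound traffic by point of origin, unless
    # the destination port is on that country's exception list.
    if direction == "in":
        cc = country_of(src)
        if cc in BLOCKED_COUNTRIES and dport not in COUNTRY_PORT_EXCEPTIONS.get(cc, set()):
            return "DROP", f"geo-block {cc}"
    return "ALLOW", "policy-default"
```

Feeding the function a log of observed flows shows which rule would have fired first; note that the botnet check runs before the geo check, so a hit there is reported even when the source country is also blocked.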

Layer 7 Traffic Inspection
All data traffic is characterized as belonging to one of seven “layers” in the OSI model, starting at the physical (Layer 1) and going up to the application (Layer 7). This top or seventh layer is where your actual interaction with your software happens. And it is there that your firewall can work some of its most impressive magic. Want to allow Facebook usage but not Facebook chat? You can do it here. Worried your staff will be duped into installing a “codec” to watch a video that is actually an attack? You can control that here; there are some very sophisticated attacks that happen at this layer that you can thwart this way. Managing your network traffic at Layer 7 takes a bit more planning and time to execute with your IT support team, but it is well worth your efforts.

But Really . . . Why Do I Need It?
So now that you have a broad idea of some of these tools that may already be part of your firewall’s feature set, are you still wondering why you would bother with them? Let’s review. GEO IP filtering is fast and easy to configure and rarely causes issues, especially if you filter email upstream and don’t have your email server open to the world. Just do that. The same goes for Botnet Filtering. There is no downside here at all. Just do that too, if your firewall supports it. Layer 7 inspection puts a larger load on your firewall (it has much more complicated scanning to do), so that might not fly if your firewall is underpowered for the job or simply doesn’t offer it. But if you can, using Layer 7 inspection can preserve bandwidth and protect against sophisticated attacks.