Introduction
Modern UTM (unified threat management) firewalls provide far broader feature sets than most
businesses get around to using. Typically the device is configured for the Internet circuit (or
circuits), set up with some basic remote access functionality and configured to support a wireless
network or two, if it has that capability. Beyond that, most of the more advanced capabilities are left
at their default (usually disabled) settings; it is like leaving the airbags enabled but never turning on
the antilock brakes, traction control or other integrated safety features of your car. After all, you
have paid for them and they offer greatly enhanced security, so why not take advantage of them to
get the most out of your "perimeter security" tools?

GEO IP Filtering
Arguably the simplest and most broadly effective option is to enable geographically targeted IP
filtering in your firewall. The firewall maps each source address to a country using a vendor-maintained
GeoIP database (address blocks mapped to the country they are registered in) and drops packets from
the countries you list. For example, it is quite possible that you have no need to accept any traffic
from Moldova, or Tuvalu, or perhaps even China, Russia or Iran. Normally this covers web traffic,
remote access traffic and more; on better firewalls it is more finely configurable, so that mail can
come in from a country while web and remote-access traffic from it is blocked. Two caveats: the
mapping is only as good as the database (address blocks change hands, and some are never mapped),
and an attacker can simply relay through a host in a country you allow, so this does not stop a
targeted adversary. It does cut off a large share of opportunistic scanning and brute forcing, works
well and takes very little time to configure. Apply it to inbound traffic first; blocking outbound
traffic by country tends to break software updates and content delivery networks hosted abroad.

Botnet Filtering
This one is a bit like using the firewall to enforce "clean DNS", but it is more capable (and more
frequently updated). The firewall subscribes to a threat-intelligence feed of addresses and domains
known to be used as botnet command-and-control servers or to distribute malware, and drops
connections to or from them. Setting it up is quick and very low-overhead, and it immediately blocks
large swathes of infrastructure that attackers use against others. Should you have a machine that is
compromised without your knowing it, this can really save your bacon by preventing the machine
from contacting its "Command and Control" server to receive instructions or report back the data it
has gathered; make sure those outbound hits are logged and alerted on, because each one identifies
an internal host that needs attention. Finally, since the same feeds list malware distribution hosts,
Botnet Filtering can prevent the infection in the first place. Enabling this is just a checkbox away
and there is very little reason not to do it; bear in mind that it only blocks infrastructure the feed
already knows about, so it complements rather than replaces protection on the endpoints.
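To make concrete what the GEO IP and Botnet Filtering sections above describe, here is an added policy-evaluation example (written for this page, not taken from any firewall vendor's code). It evaluates a connection against a botnet blocklist in both directions and then against a per-service country policy, so that mail from one country is accepted while its web traffic is dropped. The GeoIP table, blocklist, country codes, internal range and port-to-service mapping are all constructed for illustration (they use RFC 5737 documentation ranges and do not reflect real allocations); a real device supplies these from its vendor-maintained databases.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed GeoIP table (CIDR block -> ISO country code). It uses the RFC 5737
# documentation ranges and does NOT reflect real allocations; a real firewall
# ships a vendor-maintained database covering the whole address space.
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/25"): "MD",
    ipaddress.ip_network("203.0.113.128/25"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Constructed botnet / C2 blocklist standing in for the vendor's threat feed.
BOTNET_BLOCKLIST = {
    ipaddress.ip_network("192.0.2.77/32"),
    ipaddress.ip_network("203.0.113.200/31"),
}

# Inbound GEO policy: countries blocked per service. A service with its own entry
# replaces the "*" default, which is how "mail in, but no web" is expressed.
GEO_BLOCK = {
    "*": {"MD", "CN"},
    "smtp": {"CN"},  # a supplier in MD sends us mail, so MD is allowed for SMTP only
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
SERVICE_BY_PORT = {25: "smtp", 80: "http", 443: "https", 3389: "rdp"}


def country_of(ip) -> Optional[str]:
    """Country for an address, or None when the database has no entry for it."""
    for net, cc in GEOIP_TABLE.items():
        if ip in net:
            return cc
    return None


def on_blocklist(ip) -> bool:
    return any(ip in net for net in BOTNET_BLOCKLIST)


def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for one connection attempt src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Botnet filtering is checked first and in both directions. An inbound hit is
    # an attack from known-bad infrastructure; an outbound hit means the internal
    # source is probably already compromised and trying to reach its C2 server,
    # which is the event worth alerting on.
    if on_blocklist(s):
        return "drop", "botnet-inbound"
    if on_blocklist(d):
        return "drop", "botnet-outbound-c2"

    inbound = d in INTERNAL_NET and s not in INTERNAL_NET
    if inbound:
        cc = country_of(s)
        if cc is None:
            return "allow", "geo-unknown"  # unmapped block: GEO rules cannot apply
        service = SERVICE_BY_PORT.get(dport, "*")
        blocked = GEO_BLOCK.get(service, GEO_BLOCK["*"])
        if cc in blocked:
            return "drop", f"geo-{cc}-{service}"
    return "allow", "default"


if __name__ == "__main__":
    for flow in [("203.0.113.10", "10.0.0.5", 25),   # MD -> our mail server
                 ("203.0.113.10", "10.0.0.5", 443),  # MD -> our web server
                 ("10.0.0.42", "192.0.2.77", 443)]:  # internal host -> C2
        print(flow, decide(*flow))
```

Note the "geo-unknown" branch: an address the database cannot place falls through to the normal rules rather than being dropped, which is how country blocking behaves on real devices and is one reason it should be treated as a noise filter, not a guarantee. The "botnet-outbound-c2" reason is the one to wire to an alert.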

Layer 7 Inspection
Network traffic is described in terms of the seven "layers" of the OSI model, starting at the
physical (Layer 1) and going up to the Application layer (Layer 7). That top layer is where your
actual interaction with your software happens, and it is there that your firewall can work some of its
most impressive magic: instead of allowing or blocking by port number, it identifies the application
in the traffic itself, whatever port it happens to use. Want to allow Facebook usage but not Facebook
chat? You can do it here. Worried your staff will be duped into installing a "codec" to watch a video
that is actually an attack? You can control that here too; there are some very sophisticated attacks
that happen at this layer and that you can thwart this way. Managing your network traffic at Layer 7
takes a bit more planning and time to execute with your IT support team, and the application
signatures cannot identify what they cannot see, so much of their value depends on the SSL
inspection discussed next. It is well worth the effort: enable Layer 7 inspection on your firewall (in
log-only mode first, if it offers one), review a few days of data and you will simply be amazed!

SSL DPI (Scanning)
Just a few years ago, the only SSL traffic you encountered on the Internet was the secured browser
session you entered into to use a credit card or interact with a bank. Nowadays encrypted sessions
are nearly ubiquitous. For example, every OneDrive or Dropbox session is encrypted, and each time
an employee retrieves something from a sharing site over an encrypted connection your firewall sees
only ciphertext and cannot scan the file. Since your firewall is your first line of defense against
malware, this is a big deal. DPI SSL scanning works by having the firewall terminate the encrypted
session, inspect the plaintext and re-encrypt it toward the client with a certificate issued by the
firewall's own certificate authority; every client must therefore trust that CA, which is why setting it
up requires knowledge of SSL (today, TLS) certificates, GPOs and browser behavior. It adds load to
your firewall (and might require an upgrade to a more capable one), it is tricky and time consuming
to implement, and some traffic has to be excluded (applications that pin their certificates will break,
and banking or health sites are usually exempted for privacy reasons). Even so, it plugs a very large
hole and is rapidly becoming crucial to your security.
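The Layer 7 and SSL DPI sections above are two sides of one limitation: without decryption, the only application identifier a firewall can read out of an encrypted session is the hostname the client announces in the TLS ClientHello (the Server Name Indication, or SNI). The following added example (written for this page, not a firewall vendor's code) parses the SNI out of a ClientHello record and maps it to an application and an action the way an L7 rule would; a ClientHello with no SNI is classified as unknown and handled by the default action. The application table, policy and hostnames are constructed for illustration, as is the ClientHello builder used to produce test input.

```python
import struct
from fnmatch import fnmatch

# Constructed application table (hostname pattern -> application). A real firewall
# ships thousands of vendor-maintained signatures; these are illustrative only.
APP_SIGNATURES = [
    ("*.example-social.com", "social-networking"),
    ("example-social.com", "social-networking"),
    ("*.example-files.net", "file-sharing"),
    ("updates.example-os.org", "software-update"),
]

# Constructed per-application policy; unknown applications get DEFAULT_ACTION.
APP_POLICY = {"social-networking": "allow", "file-sharing": "block",
              "software-update": "allow"}
DEFAULT_ACTION = "block"  # default-deny: traffic we cannot identify is dropped


def extract_sni(record: bytes):
    """Return server_name from a TLS ClientHello record, or None when the bytes
    are not a ClientHello, are truncated, or carry no SNI extension."""
    try:
        if record[0] != 0x16:                      # content type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # handshake type: ClientHello
            return None
        p = 4 + 2 + 32                             # header, client_version, random
        p += 1 + hs[p]                             # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                             # compression_methods
        if p >= len(hs):
            return None                            # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:                 # server_name extension
                q = p + 2                          # skip server_name_list length
                name_type = hs[q]
                name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                if name_type == 0:                 # host_name
                    return hs[q + 3:q + 3 + name_len].decode("ascii")
            p += ext_len                           # skip unrelated extension
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # malformed: unclassifiable


def classify(record: bytes):
    """Map a ClientHello to (application, action) as an L7 rule would."""
    host = extract_sni(record)
    if host is not None:
        for pattern, app in APP_SIGNATURES:
            if fnmatch(host.lower(), pattern):
                return app, APP_POLICY.get(app, DEFAULT_ACTION)
    return "unknown-tls", DEFAULT_ACTION


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (test input, not captured traffic).
    An unrelated extension comes first so the parser has to skip over it."""
    extensions = struct.pack("!HH", 0x000a, 4) + b"\x00\x02\x00\x1d"  # supported_groups
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x42" * 32                       # version, random
            + b"\x00"                                         # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"      # two cipher suites
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("www.example-social.com", "cdn.example-files.net", None):
        print(name, classify(build_client_hello(name)))
```

The hostname is as far as this gets: "allow Facebook but not Facebook chat" is only possible by hostname if the two use different hostnames, and anything that differs only in the URL path or request body is invisible here. That is exactly the gap DPI SSL closes, since after the firewall terminates the session it sees the decrypted request and can apply the same signatures to it. Note also that the SNI itself is sent in the clear in TLS 1.2 and, unless Encrypted Client Hello is in use, in TLS 1.3 as well.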

Tunneling Remote Traffic
Wise road warriors prefer a wired Internet connection to a wireless one, but in today's world that is
harder and harder to find, even in your hotel room, much less the airport or Starbucks. So how do
we deal with the ubiquitous open and unencrypted Internet access points? One workaround is to
fire up your VPN, RDP to your desktop and use it to get your Internet work done. That puts all
your traffic in an encrypted tunnel, but it assumes you have a desktop to RDP into and it is
cumbersome. Most firewalls allow their SSL VPN clients to be set up to "tunnel all" traffic (as
opposed to split tunneling, which sends only traffic bound for the office through the tunnel) so that
all your Internet access goes through the tunnel and out your work's Internet connection, where the
filtering described above applies to it as well. This is fast and easy and provides a security that an
open Wi-Fi connection simply cannot. Verify it once connected: your public IP address should be
your office's, and your DNS queries should be going to your office's resolvers, not the hotspot's.

Alerting & Reporting
The unexamined life is not worth living. Socrates said that at least 2,000 years before Facebook,
though it is unlikely he foresaw 2.7M photos of breakfast burritos being posted daily. Nonetheless,
one of the most important and most overlooked capabilities of your firewall is its monitoring and
reporting feature set. Simply setting up alerts for certain types of pernicious or persistent threats
(repeated failed VPN logins, an internal host hitting the botnet blocklist, a single source probing
many ports) can be a game changer. Some firewalls require an additional feature to be enabled (that
is, paid for) to create useful reports, but nearly any will emit large (maybe too large) streams of data
that can be shunted to an external syslog server, where collection software can store and manage it,
and at that point, with some expertise, you can employ free tools to analyze that data and raise your
own alerts.
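As an added example of the "free tools to analyze that data" idea (written for this page, not a firewall vendor's code or any particular log-analysis product), the script below parses a handful of constructed firewall syslog lines in a generic key=value layout and raises two of the alerts mentioned above: one external source dropped on many distinct ports within a minute (a port scan), and one internal host repeatedly blocked by the botnet rule (a likely compromised machine beaconing to its C2). The log lines, field names, thresholds and the 10.0.0.0/8 internal range are all constructed assumptions; real devices each have their own format, so the regular expression and field names would be adjusted to match.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall syslog output in a generic key=value layout.
# It is not any vendor's real format; adapt LINE_RE and the field names to
# what your own device emits. One line is deliberately not an event.
SAMPLE_LOG = """\
2024-03-04T10:15:01Z fw01 action=drop src=203.0.113.45 dst=198.51.100.7 dport=22 proto=tcp rule=geo-ip
2024-03-04T10:15:02Z fw01 action=drop src=203.0.113.45 dst=198.51.100.7 dport=23 proto=tcp rule=geo-ip
2024-03-04T10:15:03Z fw01 action=drop src=203.0.113.45 dst=198.51.100.7 dport=3389 proto=tcp rule=geo-ip
2024-03-04T10:15:04Z fw01 action=drop src=203.0.113.45 dst=198.51.100.7 dport=445 proto=tcp rule=geo-ip
2024-03-04T10:15:05Z fw01 action=drop src=203.0.113.45 dst=198.51.100.7 dport=8080 proto=tcp rule=geo-ip
2024-03-04T10:15:10Z fw01 system up, uptime 3d
2024-03-04T10:15:20Z fw01 action=allow src=10.0.0.23 dst=198.51.100.200 dport=443 proto=tcp rule=default
2024-03-04T10:16:00Z fw01 action=drop src=10.0.0.42 dst=192.0.2.77 dport=443 proto=tcp rule=botnet
2024-03-04T10:21:00Z fw01 action=drop src=10.0.0.42 dst=192.0.2.77 dport=443 proto=tcp rule=botnet
2024-03-04T10:26:00Z fw01 action=drop src=10.0.0.42 dst=192.0.2.77 dport=443 proto=tcp rule=botnet
2024-03-04T11:00:00Z fw01 action=drop src=203.0.113.90 dst=198.51.100.7 dport=25 proto=tcp rule=geo-ip
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a usable event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(item.split("=", 1) for item in m.group("kv").split())
        if not {"action", "src", "dst", "dport"} <= fields.keys():
            return None
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])      # reject garbage addresses early
    except ValueError:                           # bad kv pair, timestamp, port or IP
        return None
    return fields


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """One source dropped on >= min_ports distinct ports within `window`."""
    drops = defaultdict(list)
    for e in events:
        if e["action"] == "drop":
            drops[e["src"]].append((e["ts"], e["dport"]))
    alerts = []
    for src, hits in drops.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                       # slide the window forward
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append(("port-scan", src, sorted(ports)))
                break                            # one alert per source is enough
    return alerts


def detect_c2_beacons(events, min_hits=3):
    """Internal host repeatedly blocked by the botnet rule: likely compromised."""
    counts = defaultdict(int)
    for e in events:
        if (e["action"] == "drop" and e.get("rule") == "botnet"
                and ipaddress.ip_address(e["src"]) in INTERNAL_NET):
            counts[(e["src"], e["dst"])] += 1
    return [("compromised-host", src, dst, n)
            for (src, dst), n in counts.items() if n >= min_hits]


def run(log_text: str):
    """Parse the log and return all alerts from both detectors."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return detect_port_scans(events) + detect_c2_beacons(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(*alert)
```

The point of the second detector is the one made under Botnet Filtering: a blocked outbound connection is good news only if someone looks at it, because the host that tried to make it is the real problem. Thresholds like five ports in sixty seconds are starting points to tune against your own traffic, not universal constants.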

Who Needs This?
So now that you have a broad idea of some of these tools that may already be part of your firewall's
feature set, are you still wondering why you would bother with them? Let's review. GEO IP
filtering is fast and easy to configure and rarely causes issues, especially if you filter email upstream
and don't have your email server open to the world. Just do that. The same goes for Botnet
Filtering. There is almost no downside here. Just do that too, if your firewall supports it. Layer 7
inspection puts a larger load on your firewall (it has much more complicated scanning to do), so that
might not fly if your firewall is underpowered for the job, or simply doesn't offer it. But if you can,
using Layer 7 inspection can preserve bandwidth and protect against sophisticated attacks.
Next, the only way to scan encrypted traffic is through SSL DPI. Without it you are essentially
barricading the front door and leaving a screen door on the back. Tunneling Internet traffic
over your SSL VPN connection is fast, easy and provides an immediate layer of security you
can't get otherwise on open wireless connections. And while reporting and alerting takes some
effort or cost to set up and creates lots of data to analyze, without it you end up with a fantastic
video surveillance system but no screens to watch the recorded video on. It can be all there is
between you and a persistent attack that will eventually succeed, so it is highly recommended.