Is the Security-at-the-door Protection Provided by Traditional Firewalls Sufficient to Defend Against Today's Advanced Attacks?
"Of course we have a firewall... Whaddya think, we're idiots?" would be the response of most any IT security manager of a large corporation. Indeed, most foundations for enterprise computer security begin by building virtual walls around the perimeter of an organization, usually in the form of the firewall.
While it’s safe to say virtually every enterprise is equipped with firewalls, there is certainly an elephant in the room when it comes to enterprise security: Is that inside-out approach sufficient to secure them? Despite the firewall being a popular way to ensure an enterprise’s security, the number of reported "successful" attacks has been growing alarmingly in the past few years. This is because this new breed of attacks is taking a different approach and circumventing perimeter defenses.
For instance, attackers are luring inattentive users to download viruses and worms through email, hitting them with drive-by downloads loaded on cracked “safe” websites, or embedding links in social network postings, creating circumstances where an authorized employee accesses the virus by going outside an enterprise’s walls to malicious sites. By doing this, they circumvent firewalls, infect their computer and eventually the entire network. In fact, in 2011 Microsoft found one out of every 14 programs downloaded by Windows users turns out to be malicious.
The rapid ascent of social networking, the explosion in new technologies, and the growing specter of cyber criminals operating like organized crime are key factors changing the face of enterprise security in profound ways. In this column, I will tackle just why the traditional inside-out approach isn’t close to 100-percent effective in tackling sophisticated attacks like APTs (advanced persistent threats), and why taking a new outside-in perspective just might be the right path to securing your organization’s network.
Firewalls and IPS/IDS, ignoring the outside
Now let’s examine closely exactly what a firewall is, what it does and what it doesn’t do. PC Magazine defines the firewall as follows: “The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public Web server from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise.”
Based on this definition, firewalls truly are internally centric, concentrating on threats that try to penetrate network perimeters rather than threats lying in wait “out there” that are waiting for an agent that has slipped past the perimeter to send out purloined data. Most enterprises use this inside-out approach as a way to literally hunker down and put up a wall around the organization, on the assumption that hazards outside of the enterprise network do not become threats until they attempt to actively penetrate the castle wall — or in this case, the firewall. However, given the ever-evolving nature of these malware hazards, this is not a realistic way to operate. While firewalls analyze indications that an Internet location may be malicious and block it, it doesn’t block traffic that appears to be legitimate but is actually malicious.
Other inside-out approaches that aren’t as commonly discussed, but are still widely deployed by enterprises, are intrusion protections systems (IPS) and intrusion detection systems (IDS). IPS’s and IDS’s are appliances (often found together these days) that monitor network and/or system activities for malicious activity. The main functions of these systems are to identify malicious activity, log information about it, then attempt to block/stop and report. Intrusion prevention systems are considered extensions of IDS’s because while both monitor network traffic and/or system activities for malicious activity, IPS’s are placed in-line and are able to actively prevent/block intrusions that are detected. But just like a firewall, these technologies don’t actively scour the Internet for malicious locations. They just monitor traffic as it comes to them, without active knowledge of the newest threats “out there.”
Let’s look at a real world example as an analogy. Think of an IDS or IPS as a bouncer at a club, and the door as the club’s firewall. The door/firewall can be closed at any time to prevent malicious entry. At the same time, the bouncer can monitor the traffic going in and out, giving everyone the once-over and throwing questionable individuals out of the line. Yet that bouncer can never be 100 percent accurate, and it would be relatively simple for a well dressed, but mischievous, individual —especially if that person is in the company of someone the bouncer recognizes — to slip through and into and out of the building.
Similarly, a firewall coupled with an IPS/IDS will certainly provide substantial protection for an enterprise. But is that at-the-door protection entirely sufficient?
Outside knowledge is needed
Getting back to the bouncer analogy, in order to maximize a club’s security it should operate with some sort of private or public security force policing the surrounding community, looking for troublemakers to stay away from and watching for tell-tales that they’re taking stuff out of the club. The same needs to be done for your enterprise, especially with all of the threats that are constantly evolving externally. What’s needed is a service that monitors malicious Internet locations and activity around the world, seeing when and where it’s touching the enterprise’s networks, and then coordinates with enterprise security experts or systems to protect the organization. This can be considered an outside-in approach — monitoring threats outside of the enterprise’s perimeter, analyzing how they pertain to the internal traffic and systems, and taking action whenever necessary.
Take for example, the 2011 security breaches at Sony and marketer Epsilon. Cyber criminals now have vital personal information from tens of millions of individuals — data like email addresses, shopping habits and more — all of the background information that they need to launch highly targeted spear phishing campaigns. The chances of success for spear phishing campaigns are significantly higher, because unlike traditional phishing campaigns, these attacks incorporate vital personal information that frequently tricks the unwary individual. And these campaigns pose a huge threat to organizations worldwide, because employees that click on a malicious link give cyber criminals instant access to an enterprises’ network, resulting in everything from corporate espionage to a hijacked website.
Traditional inside out, perimeter-oriented security measures provide only limited protection against these sorts of attacks, as the malicious email itself appears legitimate (if spammy), and the user’s interaction often appears no more threatening than Web surfing. Those kinds of communications cannot be blocked in the traditional firewall method of closing “ports” on the network, since those are the types of activity that make the Internet useful in the first place – you can’t block all email and web traffic! Inevitably, an employee will fall for such a scam and access a malicious Internet location, putting an enterprise’s vital information and its Web presence at risk.
Another good example is the late 2009-early 2010 attack against Google. That’s when a Google employee in China clicked on a malicious link in an instant message. This set off a series of events that became known as “Aurora” which resulted in the infiltration of Google's network for months and the theft of data from a variety of the search engine giant's systems. When finally alerted, Google was able to determine the attack’s scope and reach within its network by examining log files from its DNS resolvers, where the attackers’ movements were easily spotted. The same attack was perpetrated against dozens of other major US companies, and similar attacks are being discovered with alarming regularity. Had there been a coupling of external threat monitoring with DNS usage on Google’s corporate network, the employee victims may have never had a chance to click on the link — preventing the breaches before they occurred rather than hoping to stop them at the wall.
Every day, security firms and researchers monitor the activities of hundreds of botnets, black hat networks and other malicious locations on the Internet. With tools like netflow, passive DNS monitoring, and botnet infiltration, they can watch when and where those criminal infrastructures communicate with legitimate networks and organizations. That data can be used to track down compromised machines, network breaches, and a wide range of malicious activities that are found on corporate, government, and other sensitive networks daily — and in great numbers. Enterprises need to get their hands on this information to root out the infestations that their traditional defenses miss.
New approach needed
Cyber threats are varied, complex and continuously evolving. History shows that preventative and defensive measures can reduce risks related to computer or network intrusions, data loss/leakage, and asset sabotage. However, cyber criminals are keenly aware of these security strategies and are constantly evolving the methods of attack — making it difficult for firewalls and IPS’s/IDS’s to keep up. New malware will, by definition, not have a recognized profile that can be used by signature-based detection and prevention technologies. By putting such a wall around your enterprise without actively monitoring the evolving hazards on the other side, you are hamstringing your organization’s ability to stay one stop ahead of the threat.
Like all online operators, cyber criminals need an infrastructure network of hosting locations and domain names to support their operations. Unlike legitimate operators, criminals have to be constantly moving their hosting operations to avoid shutdown. So, for the most part, they steal the necessary resources by hosting their operations on a continually updating network of infected machines. To direct traffic to that network, the criminals use an ever-changing network of domain names, which they also usually create by using stolen credit cards or get from providers of free services.
Knowing the criminals’ infrastructure, keeping track of it as it changes and watching the communications to and from that infrastructure are the keys to successful monitoring. Traditional perimeter defenses become significantly more effective when armed by outside in monitoring with up-to-date information about criminal infrastructure, including URLs, IP addresses, domain and host names. And when those defenses fail (and they will), outside-in monitoring can see when an enterprise network is communicating with machines controlled by criminals, providing early alerts about problems and helping to trace them.
Unfortunately, this process can never be fully automated, as it takes both human expertise to analyze a possible threat, and the ability to coordinate across multiple organizations (security researchers, government agencies, service providers, registrars, IT personnel, partners, etc.) to mobilize and protect an extended enterprise. While putting a wall up around your enterprise can be effective in many cases, what’s also needed to effectively combat online evil-doers is a cyber crime police force combing the Internet for the ever expanding and evolving cyber crime networks.