Understanding the limitations of perimeter security

June 10, 2019

Firewalls.

Everybody in IT knows what they are and nearly every company has them, some even without knowing it. They prevent unwanted communication. In most cases, they are the first line of defense against network threats. They are effective, and are part of the list of basic requirements for any network security infrastructure.

But are firewalls enough? How about “Next Generation Firewalls”? To answer that, it is helpful to have at least a basic understanding of how firewalls work. Firewalls work like a ticket agent at the airport - you have a ticket? Great, you’re on the flight. No ticket? Go away. In technical terms, firewalls are based on rules that describe network communication. A rule can, for example, allow or deny communication from specific subnets or IP addresses, on particular ports, or allow no communication at all.

Firewalls haven’t stayed static. They have become more advanced, as with Next Generation Firewalls or Web Application Firewalls. Next Generation Firewalls are like a gatekeeper on steroids - not only will they not let you in if you don’t have a ticket, but they will kick you out if you misbehave during the communication for which you had access. Essentially like a bouncer at a bar on New Year’s - you can come in if you have a ticket, but if you start being “fresh” with your fellow party-goers, you get tossed out. Besides basic firewall features, Next Generation Firewalls also contain Application Firewalls, which control specific services or applications (not just IPs and ports), and Intrusion Prevention Systems (IPS), which block unwanted or malicious communication.

That’s a lot of walls.

Now, let’s look at whether they are as effective as they are expected to be.

Physical access

Picture a situation where an attacker tries to get into your network the easy way - through physical means. Firewalls are configured to ignore any communication that originates in the external network and is aimed at the core switch. The physical attack can include interaction with employees (more on that in our previous blog post), dumpster diving, physical access to areas, even the restricted ones, and more. In most cases, it’s enough to get into a conference room (sometimes even alone) and plug a device into the wired network, and the attacker is in the network and off to the races. It’s then possible to set up a remote connection from within the network, because firewall policies for internal networks are often much less restrictive than those for the external network (employees need to be able to work), allowing undisturbed access inside the network, not cut off by a firewall.

Remote access

Of course, access can be gained even without any physical access. For example, a new critical vulnerability is discovered in devices from a popular network device provider, allowing anyone to execute commands from the console on that device. Cases like this don’t happen every day, but they happen nevertheless. And when they happen, they can be catastrophic, because they are unknown to the existing network security tools and to the network and network security administrators. An attacker with remote shell access on such a device is then able to do anything. At that point, the network is his, not yours.

While vulnerabilities like this are not as common, there are other remote attacks that are efficient, effective, and more common. In our previous blog post we described one phishing scenario, and we can build on that here. Say an attacker sends a crafted .pdf file via email to the victim. Since email communication is something that nearly every company needs, the email itself is not blocked. Maybe it’s disguised as an invoice or as a charity offer (as in the previous blog post), but once that file opens, the attacker gains full access to that computer and possibly even anything that’s available from there. You might think “but we use tools that prevent any malware in emails, we’re safe.” You might be right, but these are functionally just protection against spambots. Keep in mind that they catch only files that are already known to the security tool. If someone sends new malware, or specially created malware (which is usually how this attack is accomplished), then they won’t help.

BYOD

Finally, consider the example of the “personal device” - where (for example) Karen in the Accounting Department brings her phone to the office and connects it to the network. Karen likes to watch MMA, but happens to use her mobile to stream content from sites which don’t respect authors’ and performance rights - what might be called a “bootleg feed” or a torrent site. As these streaming sites are notoriously rife with malware, Karen’s device is now infected - because she isn’t deploying mobile device security. When she accesses the trusted internal Wi-Fi network via her phone, she opens up a direct pipeline into the network for all of the malware on her phone, and none of it has to go through the firewall.

In all of these scenarios, the firewall is ineffective, because not all of the communication comes through the firewall. This means that while a firewall is effective, it doesn’t offer 100% protection. Gaps exist, just a few of which have been included here.
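The point above can be made concrete with a small model of a perimeter rule set. This is an added example, not code from the original post; it assumes a single perimeter firewall between a constructed internal range (10.0.0.0/8) and the internet, and all addresses, rules and flows are constructed for illustration.

```python
import ipaddress

# Constructed internal range and rule set (assumptions, not from the article).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# First matching rule wins: (action, source net, destination net, port or None = any)
RULES = [
    ("allow", "0.0.0.0/0", "10.0.5.10/32", 443),  # public web server
    ("allow", "10.0.0.0/8", "0.0.0.0/0", None),   # employees may reach the internet
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),     # default deny
]

def crosses_perimeter(src, dst):
    """A perimeter firewall only sees flows with exactly one end inside."""
    src_inside = ipaddress.ip_address(src) in INTERNAL
    dst_inside = ipaddress.ip_address(dst) in INTERNAL
    return src_inside != dst_inside

def verdict(src, dst, port):
    """Return 'allow' or 'deny', or 'not inspected' for internal-only flows."""
    if not crosses_perimeter(src, dst):
        return "not inspected"
    for action, src_net, dst_net, rule_port in RULES:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

# Constructed flows matching the scenarios described in the article.
FLOWS = [
    ("internet host -> core switch", "203.0.113.7", "10.0.0.1", 22),
    ("internet host -> web server", "203.0.113.7", "10.0.5.10", 443),
    ("conference-room device -> file server", "10.0.9.50", "10.0.2.20", 445),
    ("conference-room device -> internet", "10.0.9.50", "198.51.100.9", 443),
    ("BYOD phone on Wi-Fi -> accounting PC", "10.0.30.14", "10.0.4.31", 445),
]

def evaluate(flows=FLOWS):
    """Map each named flow to the perimeter firewall's verdict."""
    return {name: verdict(src, dst, port) for name, src, dst, port in flows}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:40} {result}")
```

The external attempt is denied as intended, but the internal-to-internal flows are never evaluated at all, and the outbound connection from the plugged-in device is allowed by the same rule that lets employees work.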

But how to close the gap?

With enough time and effort, any network can be penetrated. To minimize the damage, you need to take precautionary steps and close the gaps left by tools like firewalls. How can you do this? To be able to identify what dangers have escaped your firewall, you need to be able to visualize every communication and every device in the network. Network Traffic Analysis (NTA) solutions monitor network traffic from communications not just through the firewall, but within the firewall as well - closing the gap on not just targeted attacks from outside, but also on BYOD, and other “safe” communications within the network. With full visibility, you know about everything that happens, right when it happens, which means you can respond to detected attacks before any serious damage happens to your organization, saving money, reputation, and your IT team’s sanity.

Identify anomalies

But what good is mere visibility if there are countless packets every second? No one will be able to go through it all in real time - even with a team of thousands. So how do you make sure that an incident gets the attention it deserves? NTA technology also helps to identify anomalous communications - devices acting strangely - on the network. Since an infected device starts to behave differently from its normal behavior - even in hard-to-identify ways - NTA technology, like MENDEL from GREYCORTEX, solves the problem, because it analyzes all network traffic and is able to spot these anomalous behaviors nearly immediately. It then informs the network team, allowing them to isolate infected or questionable devices from the rest of the network, preventing further damage, as well as to further investigate the incident without any risk of compromising further devices.
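A minimal sketch of the baseline-and-deviation idea described above, run over flow records. This is an added example and not MENDEL's or any product's algorithm; the heuristic (counting never-before-seen destination/port pairs per device), the threshold and all flow records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (window, source host, destination host, destination port).
# "baseline" is the learning period; "current" is the window being checked.
FLOWS = [
    ("baseline", "10.0.4.31", "10.0.2.20", 445),
    ("baseline", "10.0.4.31", "10.0.2.21", 443),
    ("baseline", "10.0.4.40", "10.0.2.20", 445),
    ("current", "10.0.4.40", "10.0.2.20", 445),   # same behaviour as before
    ("current", "10.0.4.31", "10.0.2.20", 445),
    ("current", "10.0.9.50", "10.0.2.20", 445),   # device never seen in the baseline
] + [
    # 10.0.4.31 suddenly talks to twelve workstations it never contacted before
    ("current", "10.0.4.31", f"10.0.4.{n}", 445) for n in range(50, 62)
]

def peers_by_host(flows, window):
    """Map each source host to the set of (destination, port) pairs it contacted."""
    peers = defaultdict(set)
    for win, src, dst, port in flows:
        if win == window:
            peers[src].add((dst, port))
    return peers

def analyse(flows, max_new_peers=5):
    """Flag unknown devices and hosts with many never-seen (destination, port) pairs."""
    baseline = peers_by_host(flows, "baseline")
    current = peers_by_host(flows, "current")
    findings = {}
    for host, seen_now in current.items():
        if host not in baseline:
            findings[host] = "unknown device"
        elif len(seen_now - baseline[host]) > max_new_peers:
            findings[host] = "behaviour change"
    return findings

if __name__ == "__main__":
    for host, reason in sorted(analyse(FLOWS).items()):
        print(f"{host}: {reason}")
```

None of the flagged flows cross the perimeter, so a firewall alone would not have seen either finding.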

Having a firewall greatly improves the security of your network, but relying only on firewalls is irresponsible for many reasons - poor configuration, advanced threats or the above-mentioned gaps. To be sure that nothing leaves your network without you knowing about it or having a say in it, you need bigger guns than just a firewall, even a next generation one. For significant improvement in your security, you need an NTA solution to identify the hidden connected devices on the network, as well as to identify anomalous behavior that shows the hidden work of a compromised device.