Your Firewall Isn’t Blocking Everything. Here’s What You Need To Do…

The truth is most companies have no idea what their firewall is blocking.

By Dan Hoban, CSO of Nuspire Networks


Over the last 15 years I’ve had the chance to talk to scores of companies, large and small. And while threats, vulnerabilities, technologies, and buzzwords are constantly evolving, one question remains the same: “Do you know what your firewall is actually doing?”

The most common response I get is “blocking threats,” and others say something like “it is part of our defense-in-depth strategy to mitigate risks.” And while both statements are probably true, not many companies get into detail, because frankly I don’t think they really know what their firewall is doing. The vast majority of network admins are firm believers in the theory of putting an appliance at the network gateway and assuming it is doing a good job at blocking threats. The problem with that assumption is it’s never true.

Why your firewall just doesn’t cut it 

Our security operations centers investigate potential threats on a small customer network a couple of times each week, and we investigate threats on larger networks a couple of times each day. And guess what…each of these customers has a firewall. And for the most part the firewalls are doing their job, but it just isn’t enough, and most companies are unaware.

Typically, most companies have a firewall, UTM, IDS/IPS, or NGFW that is blocking threats. However, there is a fundamental flaw with all firewalls that prevents them from stopping all threats—the fact that firewalls are just hardware and software, signatures and rules. Their adversaries are people. People—or hackers—have a clear advantage over firewalls; they know the firewall rules, and can figure out how to get around them. Phishing, ransomware, cross-site scripting, and botnets are all developed to circumvent firewalls. So, the assumption that you are secure because you put a top-of-the-line firewall at the network gateway is 100 percent incorrect.

You need additional tech

A great security admin is aware of what the firewall is doing. They understand the rules the firewall operates under, what traffic it is stopping, what is allowed to get through, how access is granted, and to what parts of the network. They have additional systems that monitor what is getting through the firewall, and they use a blend of technologies and human analytics to find risks the firewall cannot. For example, they know threats may bypass the firewall through things such as email, VPN connections, encrypted communications, and BYOD devices that literally walk directly into the network and around the firewall. Trained security experts develop strategies to identify and stop those threats.

In order to develop these strategies, you first need to know your firewall rule sets, understand what is blocked, what is flagged, how the networks are segmented, and what normal traffic is. From there you can turn to other technologies to find out what is getting through (because it will) and how you can alert on those threats. Here are some technologies that can generate these alerts:

  • A Security Information and Event Management (SIEM) system can aggregate and correlate seemingly disparate network events. Many SIEM solutions also have heuristics, AI, and behavioral analytics (UEBA) that can detect anomalous activity.
  • Network traffic analyzers and sensors that can see traffic on the network and provide visibility into events in real time. This technology is often delivered as part of a managed detection and response (MDR) solution.
  • Email security solutions that go beyond anti-spam to monitor and alert on potential threats.
  • Endpoint agents that monitor activity on the machine and alert on indications of compromise. This goes beyond traditional AV and is more focused on detection and alerting. These solutions are often packaged as EDR and delivered as part of an MDR solution.

However, these technologies are only half the battle. They are subject to the same pitfalls as firewalls: they are just hardware and software, rules and signatures.
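The starting point described above (knowing what the firewall blocks, what it allows, and what normal traffic looks like) can be checked against the firewall's own logs. The following is an added example, not part of the original article; the key=value log format, the sample lines, and the baseline are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in a generic key=value format; real firewall
# logs vary by vendor and need their own parser.
SAMPLE_LOG = """\
action=allow rule=10 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
action=deny rule=99 src=198.51.100.7 dst=10.0.1.20 dport=23 proto=tcp
action=allow rule=10 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
action=allow rule=12 src=10.0.2.30 dst=192.0.2.55 dport=8443 proto=tcp
action=deny rule=99 src=198.51.100.7 dst=10.0.1.20 dport=3389 proto=tcp
action=allow rule=11 src=10.0.1.16 dst=203.0.113.25 dport=53 proto=udp
malformed line without fields
"""

# Assumed baseline of normal allowed traffic: (source network, proto, dest port).
BASELINE = [
    (ipaddress.ip_network("10.0.1.0/24"), "tcp", 443),
    (ipaddress.ip_network("10.0.1.0/24"), "udp", 53),
]
REQUIRED = {"action", "rule", "src", "dst", "dport", "proto"}

def parse_line(line):
    """Return a record dict, or None if the line is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not REQUIRED <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields

def in_baseline(rec):
    """True if an allowed flow matches an entry in the assumed baseline."""
    return any(rec["src"] in net and rec["proto"] == proto and rec["dport"] == port
               for net, proto, port in BASELINE)

def review(log_text):
    """Count hits per (action, rule) and collect allowed flows outside the baseline."""
    hits, unexpected, skipped = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # unparsed lines are counted, not silently dropped
            continue
        hits[(rec["action"], rec["rule"])] += 1
        if rec["action"] == "allow" and not in_baseline(rec):
            unexpected.append((str(rec["src"]), rec["dst"], rec["proto"], rec["dport"]))
    return hits, unexpected, skipped
```

The per-rule hit counts show what each rule is actually doing, and the `unexpected` list is the traffic the firewall let through that an analyst should look at first.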

Add human analytics to the mix

The other half is the critical component: people. Remember, the advantage hackers have is people working to get around rules and signatures. The only way to thwart these attacks is to use human analytics. Pen testers, ethical hackers, security researchers, and security analysts use knowledge about the network, firewalls, and other tech to identify anomalous behavior that could be a potential threat. These are folks who know what their firewall is doing, and are using resources to catch the rest. Some companies don’t have these resources in house. In that case, partnering with a security provider is a viable option. Just relying on your firewall isn’t.

To recap, when you just have a firewall installed, it doesn’t necessarily make you secure. Fundamentally, even the best firewalls can’t block all threats. In order to catch what the firewall misses you need to understand the rules the firewall operates under, how the network is segmented, and what is and isn’t allowed to get through. If you know what your firewall is doing, you can then use additional technologies to alert people of suspicious activity. Human analytics is the last line of defense, and the best way to stop the people trying to get in.