Fighting fire with firewalls
By Adeline Teoh
Designed to fight today’s cyber attacks and defend against the threats of tomorrow, next generation firewalls promise to evolve with the threats while providing users with the functionality they need to get on with their work. But are they all they’re cracked up to be?
In the beginning, computer firewalls were designed to mimic their physical counterparts. If there was a fire in a building, a firewall would help contain the blaze; if there were a cyber attack, a computer firewall would quarantine the attack while the software sorted it out. Enter the pyromaniac. If someone with ill intent decided to burn down your building, they wouldn’t just start a spot fire in a bin. By using fuel so the blaze spreads to every part of the office – and quickly – the attacker would render the firewalls close to useless.
Cyber attackers are like the pyromaniacs of the tech world. The problem is, while it’s easy to justify apprehending someone when they’re carrying a box of matches and a jerry can of petrol onto the premises, it’s much more difficult to figure out if a seemingly benign stranger – perhaps an attacker disguised as an acquaintance or business associate – is plotting an attack.
Cyber attackers are a lot wilier these days and the attacks are no longer scattergun. Attackers target organisations and you won’t know who started the blaze or when someone started secreting fuel into the building, until the forensic investigation after the damage has already been done.
What do you do? Do you turn away all non-employees from the business, even if they might be legitimate customers? Or do you install a better surveillance system to detect possible threats?
If this all sounds a little bleak, spare a thought for the people who develop the software to protect you from these threats. Faced with the task of defending against a faceless enemy, one that is both plural and shapeshifting in nature, you’d forgive them for putting it all in the too-hard basket. Instead, they’ve created a firewall that’s more like a membrane than a wall, and has all the characteristics of a body learning to fight different diseases.
What is a next generation firewall?
A next generation firewall (NGFW) is a technical term that covers any application firewall that can perform deep inspection of traffic and has the ability to contextualise data. What this means in real-world terms is that it can identify not only what website you’re going to, but also what you’re doing there, the applications you’re using, and what information you may be sending or receiving.
Old firewalls aren’t like that, explains Linda Hui, Hong Kong and Taiwan Managing Director of F5 Networks, a multinational traffic management software company. “Traditionally, firewalls just see packets and open the wall for them to go through, but they don’t have a deep inspection of a lot of applications. Next generation firewalls are application orientated and application aware. They don’t just know the traffic is web traffic but they understand https, encrypted web traffic, and go one step further in understanding the web applications associated with this traffic.”
The rise in cloud computing, particularly software as a service, has triggered a change in the kind of firewall needed to safeguard a business. The problem with using old firewalls in today’s business world is that they’re too easily circumvented, as much by employees who seek convenience as cyber criminals.
“A firewall became a Swiss cheese device. Everything was completely open and the solution was to close it. But the majority of the traffic goes through email or is web based and you can’t close that,” says Sean Duca, Chief Technology Officer at McAfee Asia-Pacific. “We need to control what people are doing when they connect. You can block what you think is bad and have a policy on what is acceptable use for the organisation and people will try to find a way around it, but at least you have the ability to see what’s happening.”
Late in 2013, McAfee sponsored research on the behaviour of employees in relation to security policies and found that more than 80 percent of employees surveyed used non-approved software as a service (SaaS) applications. Microsoft Office365 was the most popular, alongside social networking platforms LinkedIn and Facebook.
The outsiders
Nir Zuk is the Chief Technology Officer and Founder of Palo Alto Networks. Zuk says enterprises and their employees are now using networks and the web differently to how they used to when traditional firewalls were developed. “[Without a NGFW] if the business wants to use web applications, the most common thing is to say ‘no, you can’t use it because we cannot secure it’. The other option is to stick your head in the ground and check the emails but ignore the web applications,” he says.
“All these applications carry the same risks that email carries and they can be dangerous. Block the things that you don’t need but for those things you do want to use, enable them. If the user is on Office365, only allow specific users or only allow them to share specific file types. This is what we mean by safe application enablement.”
The reason firewalls need this ability to contextualise data is the changing nature of the attacks. Once upon a time, attacks were widespread and the goal of the attacker was to infiltrate and exploit as many devices as possible, as quickly as possible. Today, attacks are more like snipers than scatterguns. “They’re spending a lot of money on researching vulnerabilities so all the tools that we developed over the years that assumed attacks would be widespread just don’t work anymore,” says Zuk.
Advanced persistent threats involve user baiting and social engineering techniques to persuade an employee to establish a link with the bad guys. It won’t be a blatant executable file, it may be something as innocuous as a document or PDF with malware embedded in it. Although the attacker can then establish a link pretty quickly – Zuk says ten seconds after you inadvertently launch the malware – the real value for the bad guys is being able to do things to your data over a long period. In some cases, organisations don’t even know they’ve leaked data long after the fact.
The possibilities are frightening. Zuk comments that attackers can explore your data, change your data, erase your data, lock your data – they can do whatever they want. The stealing of the data can take months, that’s why they’re called advanced persistent threats.
Keeping it in
“There are two layers of a next generation firewall, safeguarding traffic from the outside coming in and from people working in the corporate environment sending traffic out. The second case is usually why people want next generation firewalls,” Hui maintains.
It stands to reason that this is the clincher. Even if an organisation could stop all attacks from entering the network, data could still escape by accidental or deliberate means from the inside out. And it also means that even if an attacker is successful at establishing a link with your system, being able to see what data is on the move is helpful to minimise the damage.
For as long as the world-wide-web has been a part of business, employees have been finding ways around firewalls for perfectly legitimate work reasons. Back in the day it used to be employees emailing work to their Hotmail address so they could finish it at home. Now, web applications make it even easier for people to connect to the network from anywhere – the aim of telecommuting and mobility functions – with the dark side being that it makes organisations more vulnerable to attacks and data leaks.
Duca gives the example of using a cloud storage services like Dropbox. Many employees simply seek easy-to-use cloud storage, even though it may contravene some security policies about letting data leave the organisation. “If you don’t have a next generation firewall solution that understands the applications being used, you’re never going to see what that user’s really doing. You’ll see them connect to Dropbox.com but that’s it,” he says. “A next generation firewall will provide some content information as to what’s going through so you get extra visibility. From there you can provide the balancing act between what the user wants and what the business needs.”
It can also help control employee behaviour. Many businesses now recognise the value of social media, but there are often some downsides. An organisation might, for example, let its employees visit Facebook, says Duca. “But I don’t want people to use Facebook Chat or the games, so having application granularity means I can let people go to Facebook but have control over what they do.”
The next generation question
The main advantage of an NGFW is its adaptability. If you had to add a layer or a device to meet every new threat, you’d never get any business done. Zuk says Palo Alto Networks detects around 30,000 new pieces of malware every week through a technique called sandboxing, where developers allow a computer or network in a controlled environment to get infected in order to examine the threat. It’s a bit like medical researchers examining a disease in a laboratory.
The disease analogy is an apt one. A traditional firewall works just like protective clothing; essential to prevent you from getting infected but if you wear too many layers it will stifle your work. “You don’t want three to four layers of firewalls, it will delay the speed of loading,” says Hui. An NGFW is like inoculation; it teaches the system to recognise threats and gives it a template on how to treat them. And just like a body fighting a disease, an NGFW will adapt and learn.
But upgrading from a traditional to next generation firewall is not as simple as defining this advantage. Vendors still need to deal with an organisation’s old policies, which is a political issue rather than a technical one, says Hui. “People have their own standards and it’s difficult to accept another vendor, especially in the finance industry.”
According to Hui, the NGFW market only comprises a single digit market share of all firewall products, which means organisations have a long way to go if they want the protection and performance of the next generation.
Duca says part of the issue is quantifying the return on investment of an NGFW, particularly as the threats evolve. “Cyber criminals have all the time in the world to poke and prod and we have to spin all the plates at the same time and work within company budgets. There are a lot of basic features to meet today’s threats, but it’s also good to think about how we protect them from the threats of tomorrow.”
To subscribe to the Australian Security Magazine, click here.
