C-Level: Is your business secure enough to survive open firewalls?
The most expensive firewall is pretty dumb. It can keep external probes from seeing what your Security Team wants to hide. In some cases, it is also configured to protect people within your company from wasting time or violating your network policies. There are no guarantees that these devices will protect your network; quite the opposite: nearly every network hack of note was conducted through a firewall.
The information assets that firewalls protect are also secured in a variety of dissimilar ways, so in a perfect world the firewall is your front line of defense and information access policies are a secondary line of defense. In a very simple sense, firewalls are about noise reduction, blocking out a nearly infinite number of probes from an ever-increasing number of probers. So, ponder for a minute: if you opened this electronic front door to the world, what would happen? Would the damage be limited to only an increase in network noise?
Early in 2004, I was summoned to a bank to assist with an examination finding. Though they had recently spent over $100K on firewall technology, their examiners were requesting that they conduct a third-party network assessment as a matter of policy. There were no technical findings. My company wanted to sell the bank an MSS contract for their edge security, and we negotiated that the MSS engagement would start with a network risk assessment. We engaged the bank contractually, and our professional services people started the risk assessment. A few days later there were a few engineers at my door. Never a good sign.
During this period, in nearly all cases, when registering for internet connectivity you needed to give every machine that would communicate with the internet an address that was routable to the entire world. This was prior to IP NAT (Network Address Translation), which is now used to ensure that all machines that connect to the internet do so through a controlled device, such as a firewall. In the case of the institution we were assessing, they had two brand new, state-of-the-art firewalls which were handling the interface to the internet.
So when my engineers brought the information that stated the bank was open to the world, I was at first skeptical, then appalled, and finally very interested. First: skepticism. I asked the engineers to re-run the scan from my office in real time; we ordered sandwiches and settled in to watch the progress. The scan started with the first address and then incremented all the way through the 254 registered addresses. Latency at that time was much longer than it is today, so this took a while, but as the day progressed we were able to see servers, printers, PCs, internal routers, switches: in essence, their entire internal network.
It was now time to deal with 'appalled'. After we were certain that we were not getting false alarms, looking at the wrong network, etc., we called the bank and they immediately disconnected from the internet. Next they purchased all of our services (though not an optimal way to gain a client, it was the fastest we had experienced to that point in our company's history). In conversations with the company that installed the firewalls, they relayed that they were telecom, not security guys, and they had completed their portion of the contract. Really?! Ok, now that appalled is over, it is time to be interested.
We needed to send an engineer to the site and look for any malicious software that may have been installed to try and exploit the bank, etc. It being February, us being located in New England, and the bank being located in Southern California, we had lots of volunteers. While travel was being arranged, we had drop-shipped our on-site product, which provided firewall monitoring. In the same device, we also had IDS on the internal and external side of the firewall, secured proxy for all web and email traffic, etc. After all of these services were installed, we started monitoring.
Surprisingly, we could not identify any intrusions. Their internal controls and setups were very good, and their configurations of applications, access control, and password controls were exemplary. There was no apparent damage. The bank had been connected to the internet (essentially with no firewall) for 5 months, and none of the PCs contained a virus. The servers were not broadcasting any pings (or any other type of signal) to outside servers indicating they had been compromised, but we would need to wait until the on-site investigation was complete to assess the damage.
A couple of days later the engineer was on site and a more detailed analysis was generated. Nothing was found. Though we were concerned that there was something hidden in one of the machines, we put extra time into writing rules on the firewall which would trigger a flag if communication was started with an address and protocol that was not approved. Also, over the course of the next 45 days, every machine in the institution was wiped and rebuilt. We also worked with the business people in the bank to add controls to areas of higher risk.
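The flagging rule described above (alert when an internal machine starts communication with an address and protocol that is not on the approved list) is the kind of egress control that catches a compromised host calling home. The script below is an added example, not the bank's configuration or the author's product: it reads constructed firewall connection records, treats any flow from a hypothetical internal range to a destination that no allowlist entry covers as a flag, and also checks the destination port, which goes slightly beyond the address-and-protocol rule in the text. The internal range, the allowlist entries, the log format and the log lines are all constructed for illustration.

```python
"""Flag outbound connections whose destination is not on an egress allowlist.

Added example; the internal range, allowlist, log format and log lines are
constructed and do not describe any real network.
"""
import ipaddress
from typing import NamedTuple, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Rule(NamedTuple):
    network: IPNet        # approved destination range
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means any port


# Constructed internal range: only flows *from* here are outbound and audited.
INTERNAL_NET = ipaddress.ip_network("10.1.2.0/24")

# Hypothetical egress allowlist (documentation ranges, not real hosts).
EGRESS_ALLOW = [
    Rule(ipaddress.ip_network("203.0.113.0/24"), "tcp", 443),    # hosted application
    Rule(ipaddress.ip_network("198.51.100.53/32"), "udp", 53),   # ISP resolver
    Rule(ipaddress.ip_network("198.51.100.25/32"), "tcp", 25),   # upstream mail relay
]


def is_approved(dst_ip: str, proto: str, dport: int) -> bool:
    """True if some allowlist rule covers this destination address, protocol and port."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        addr in rule.network and rule.proto == proto and rule.port in (None, dport)
        for rule in EGRESS_ALLOW
    )


def parse_line(line: str) -> Optional[dict]:
    """Parse a constructed 'key=value' record; return None for malformed input."""
    try:
        fields = dict(kv.split("=", 1) for kv in line.split())
        return {
            "ts": fields["ts"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].lower(),
            "dport": int(fields["dport"]),
        }
    except (ValueError, KeyError):
        return None


def audit(lines):
    """Return (flagged_records, malformed_count) for a sequence of log lines.

    Inbound flows (source outside INTERNAL_NET) are ignored; outbound flows
    that no rule approves are flagged.
    """
    flagged, malformed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # count but do not silently drop bad input
            continue
        if rec["src"] not in INTERNAL_NET:
            continue                # not an outbound flow
        if not is_approved(str(rec["dst"]), rec["proto"], rec["dport"]):
            flagged.append(rec)
    return flagged, malformed


# Constructed sample records: two approved, three unapproved, one inbound, one garbage.
SAMPLE_LOG = [
    "ts=2004-02-10T09:00:01 src=10.1.2.10 dst=203.0.113.7 proto=tcp dport=443",
    "ts=2004-02-10T09:00:02 src=10.1.2.10 dst=198.51.100.53 proto=udp dport=53",
    "ts=2004-02-10T09:00:05 src=10.1.2.44 dst=192.0.2.99 proto=tcp dport=6667",   # unknown host
    "ts=2004-02-10T09:00:07 src=10.1.2.44 dst=203.0.113.7 proto=udp dport=443",   # wrong protocol
    "ts=2004-02-10T09:00:09 src=10.1.2.51 dst=198.51.100.25 proto=tcp dport=587", # wrong port
    "ts=2004-02-10T09:00:11 src=192.0.2.5 dst=10.1.2.10 proto=tcp dport=445",     # inbound, ignored
    "this line is not a log record",
]

if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for rec in hits:
        print(f"FLAG {rec['ts']} {rec['src']} -> {rec['dst']} {rec['proto']}/{rec['dport']}")
    print(f"{len(hits)} flagged, {bad} malformed line(s)")
```

In practice the allowlist lives in the firewall or in the monitoring device that watches it, and the point of the exercise is the same as in the story: a machine that was quietly compromised during the open period would reveal itself the first time it reaches for an address or protocol the business never approved.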
Years later this experience still brings to mind questions. What would happen if the firewall was opened to the world? Are we as an organization ready? What might the impact be? Is it time to stop relying on noise-reduction systems for risk management? This event was a turning point for me: I realized that putting too much focus on edge security as the fundamental risk mitigation tool is an incorrect, simplistic approach to a complex problem.
Many of you that travel in the C-level may want to ask this question: What might the impact be at my business if the network was accidentally left wide open? Don't believe that this will never happen; I will be writing next month about an institution that opened their firewall, just for a minute, to fix a vendor's problem.
Please send me or post your thoughts on the strength of your second line of defense. Thanks for reading, C-Level Security!