Sophos – The problem with next-gen firewall protection
You expected a symphony orchestra, not a one-man-band.
Along the way some organisations discovered an uncomfortable truth: that next-gen protection can be less than the sum of its parts because of network protection that falls short, poor deployment or overly-complex configuration and management.
In my recent article the problem with firewalls I explained why, for many network administrators, firewalls aren’t the trusted enforcers they once were. In this article I focus in on the way that next-generation protection features are letting some admins down, and what can be done about it.
How WannaCry and NotPetya spread
Companies typically rely on a number of common services for their network functionality. If vulnerabilities in those services are successfully exploited it can have dire consequences.
The WannaCry and NotPetya outbreaks spread to more than 150 countries, running through corporate networks, encrypting computers and crippling businesses as they went. They spread, worm-like, from network to network using the EternalBlue exploit that allows remote code execution on Microsoft Windows SMB services harbouring the CVE-2017-0144 vulnerability.
The SMB protocol is ubiquitous on corporate LANs and allows computers to discover each other for the purpose of sharing files and other resources like printers. It can also be used for file sharing outside the corporate network if the necessary ports are opened or forwarded on the firewall.
Microsoft had issued patches for EternalBlue before the outbreaks but the attack occurred before many systems had been updated.
Rolling patches out across organisations can be a considerable undertaking and the window of opportunity for attackers doesn’t close when a patch becomes available, it’s open until a patch is deployed.
So how can you protect your network from attacks like these, and if an attack does penetrate your network how can you prevent it from propagating or moving laterally?
Enter, next-gen protection.
Why next-gen protection is important
Ransomware typically enters a network and spreads in one of a few different ways:
- By exploiting a network or system vulnerability
- Via fake, compromised or drive-by downloads
- On a USB stick or other storage device
- In email attachments or phishing links
Blocking network exploits
IPS (Intrusion Prevention System) technology is a critical component of next-gen firewalls. It uses deep packet inspection to search network traffic for specific exploits, or patterns and anomalies that might indicate an attack.
As with the EternalBlue exploit leveraged by WannaCry and NotPetya, attacks typically use malicious inputs to compromise a host application or service, with the intention of gaining sufficient control to execute code such as ransomware.
Blocking file-based payloads
While WannaCry and NotPetya spread like worms, many ransomware variants attempt to gain entry into networks through phishing emails, spam or web downloads. These attacks typically use social engineering tactics to deliver Microsoft Office documents, PDFs or executables containing malware.
Hackers have become increasingly adept at smuggling this kind of malicious content past traditional, signature-based antivirus detection, making sandboxing an essential component of web filtering and email gateway technology.
Fortunately, cloud-based sandboxing doesn’t normally require any additional hardware or software. Web and email protection engines can identify suspect files at the gateway and send them to a safe sandboxing infrastructure in the cloud to detonate active content and monitor its behaviour.
Why next-gen protection fails (and why it doesn’t have to)
1. Poor performance
All network protection solutions are not created equal.
The effectiveness of different firewalls’ IPS engines varies wildly: some have been shown to block more than 90% of vulnerabilities, exploits, and evasion techniques thrown at them while others achieve scores as low as 25%.
Some firewalls also offer a poor cost per protected Mbps and have an unacceptable impact on network performance.
Fortunately, independent test organisations like NSS Labs test all major firewall vendors’ security effectiveness and performance thoroughly, every year. To see which firewalls offer the best security effectiveness and price-performance, download the NSS Labs test report.
2. Cumbersome setup
Modern firewalls do a terrible job of integrating their different protection technologies. If each technology were a musical instrument then most firewalls would sound like a one-man band falling down the stairs. Individually the instruments are all making a sound but the overall effect is a cacophony.
Setting up proper next-gen firewall protection typically means individually configuring firewall rules, application control, TLS inspection, sandboxing, web filtering, antivirus and IPS.
If you ever want to determine what protection is applied (or modify it) you’ll need to go back and revisit each of these seven different areas. Needless to say, this level of complexity makes it very difficult to determine if optimal protection is being applied to any given set of users or type of traffic.
It’s complex, it’s tedious, it’s risky and it doesn’t have to be this way.
To see an elegant solution to this problem, and how you can configure all the protection you need easily, on a single screen, with a complete view of your security posture, download the XG Firewall Solution Brief.
3. Ineffective deployment
Protection technologies like IPS and sandboxing are only effective when traffic is actually traversing the firewall and there are suitable enforcement and protection policies applied to the firewall rules governing that traffic.
In other words, how you segment your network and deploy your firewall will have an enormous influence on the level of protection it provides in the real world.
To learn more about firewall deployment best practices for blocking the latest threats, download our white paper on firewall best practices.