Menu

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

  • en
  • pl
  • Firewall Network Security - why it's not enough

    Firewall Network Security – attack vectors

    Date: 29.08.2022

    Author:


    Why is it important to take a comprehensive approach to secure Internet interfaces, instead of focusing on one area, e.g. a firewall?  

    In this article, we will take a shot at answering this question, showing potential Internet interfaces that can be critical in case of attack. You will learn what firewall network security is and what kind of attacks you can expect with a selective approach to the security issue. 

    Will a good firewall be enough? 

    When collaborating with our customers, we rather often hear from them that they are safe, because they have a good and potent firewall. While not ignoring the role of securing the Internet interface in any way, it must be said that it’s only one of many network locations that require attention.  

    We should keep in mind that in today’s world, the methods and so-called vectors of attacks and spreading hazards are exceptionally diverse, not to say – sophisticated. It should be added that in times of dynamic growth of software environments, data centres, and cloud environments, we get to deal with an ever-growing number of possible interfaces, protocols, and contact points with individual parts of an IT environment. That’s why focusing on a single Internet interface today is not going to cut it. We must consider all Internet contact points, where a potential attack may occur. 

     

    Potential vectors of attack on an IT infrastructure

    Network and application-wise, there are quite a lot of such points, like: 

    • network access, both wired and wireless 
    • application segments  
    • databases  
    • frontend and backend 
    • DMZs  
    • remote locations connected by a wide area network  
    • hostings and cloud environments 
    • email (e.g. phishing)
    • end user appliances, i.e. laptops, Pcs, and mobile devices 

    An impassable wall 

    A firewall is one of the important elements of an entire security system. When it comes to this solution, there are many variants on our hands, like: 

    • Stateful firewall 
    • Application firewall  
    • UTM – Unified Threat Management 
    • Next-generation firewall  
    • WAF – Web Application Firewall 

    Where to start our journey with a firewall? 

    First things first, we should know what to protect and where? 

    Do we want to protect the Internet interface and resources in a data centre, or do we need to protect an extranet interface and efficient address translation? 

    Another important question to answer is how to protect it.  

    Will it be our internal users using the Internet, or resources accessible in a public network that is stored in our internal infrastructure? 

    We can’t forget about the type of traffic that we’re dealing with. Here, we should determine, whether it’s email traffic or e-commerce traffic (web apps), or rather an aggregation of large volumes of data, e.g. from IoT appliances. Each one of these examples requires analyzing and approaching in the right way. 

    Firewall Network Security - ways of protecting each element of an IT environment with a firewall 
    Firewall Network Security – ways of protecting each element of an IT environment with a firewall 

    Verifying these issues is just the beginning – and it’s a handful, as you can see. Already at this stage, there are quite a few things that you should consider while selecting the right solution for an interface of a network or various segments. This is why a good design is always a necessity, and another key issue is its implementation. And it’s at this particular point that oversights and incorrect configuration occur rather frequently, sometimes leading to open back doors for hazards.  

    What to bet on, or the most popular firewalls 

    Currently, the UTM or the next-generation firewall mentioned above are the most common picks in terms of Internet interface protection solutions. Some of their features are as follows: 

    • traffic filtration based on application familiarity,  
    • web page category filtration, or URL filtration,  
    • protection against intrusion, e.g. network scanning, source spoofing, other signs of recon, or denial of service (DoS).  
    What features should a firewall have

     

    In spite of significant technological development, the solutions mentioned above still retain a well-known logic of stateful-type firewalls. It’s based on the capability of generating traffic from the trusted zone towards the untrusted one, blocking traffic initiated in the opposite direction.  

    Mechanisms and rules that we can use require pre-planning, or a precise configuration. Errors or overlooks resulting from the implementation can lead to serious gaps emerging in each category. Instances of this would be, e.g. no visibility of suspicious activity like an intrusion, the possibility of allocating firewall resources to a DoS attack or simply allowing connections that should be blocked. 
     

    Improper firewall protection – TCP Syn Flood and Command & Control attacks 

    One example of insufficient protection of the firewall device itself and its logic, is allocating its CPU and RAM resources. This effect can be achieved with a TCP SYN FLOOD attack. 

    TCP Syn Flood attack 

    The TCP Syn Flood attack is based on attackers running multiple parallel TCP session attempts that are not concluded with the so-called proper TCP Handshake. A device that is not protected against a situation like this will interpret the connection as legitimate. As a result, it will allocate the maximum amount of available resources, which will render valid user and system traffic impossible. 

    In turn, an example of bypassing the stateful logic would be an attack based on forcing a system within the network or an end-user to run a seemingly valid connection from the internal network to an untrusted segment, like the Internet. It means nothing else but clicking on a link leading to the attacker’s computer, where a command and control reverse session is set up. Consequently, the attacker sets up a tunnel in a session that the firewall still interprets as valid. He tunnels his C&C traffic inside the network as a legitimate connection, secured with the SSL protocol, for example. The picture below illustrates a command and control session.  

    Command & control reverse session set up 

    Another challenge is to secure the firewall device alone and maintain its firmware or OS on the line that is the least susceptible to hazards described in the common vulnerabilities and exposures database. An example of an attack like this is PATH TRAVERSAL. In this case, the attacker is able to access the device by, e.g. swapping a config file or an element of the device’s file system. In a situation like this, the attacker will enter the device unauthorized, and then attack the internal network, using the firewall as a transfer point. 
     

    Summary 

    As you can see, network security can’t operate at the Internet interface alone. It has many elements that should be considered when designing such a segment. A detailed analysis of traffic sources will facilitate some decision-making with regard to which segments need the strongest protection. This decision, in turn, will have a tremendous impact on the design of Internet interface security. 

    Wondering which hardware firewall will be best suited to the needs of your organization? Our network and security engineers can show you the benefits and drawbacks of commercially available solutions. All it takes is to sign up for free technical consultation

    Author

    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    1 Comment
    WadeIvan
    27 January 2023 at 08:23

    An enterprise network and security contains of a mixture of physical and logical networking components and protocols that function for the motivation of connecting all end customers and systems on a local area network (LAN) to applications in the data center and the cloud as well as to data and resources.

     

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric