Executive Summary
This is part 2 of my weekend series (technically it is Tuesday, but I took some vacation time over the weekend and my goal was not to be technology free, which I was). Last time I discussed contract management, vulnerability management and the principle of least privilege. In this post we are going to discuss creating a Information Security Management (ISM) program. I should have discussed in my first blog post. I am going to talk about network firewalls and management of those firewalls.
ISM
In my opinion, anything that is sustainable needs a good foundation. If you are investing, you need a plan and a systematic way to invest your money. If you are on a sports team, you need a good offensive plan and defensive plans that account for the offensives and defensives the other team has. It you have children, you need a plan with your spouse on how you want to raise your children and when they get to the teenage years and they challenge you (Trust me, they will, and they think you are dummies until they get into their early 20's) and agree how you are going to handle those challenges.
This leads me to the ISM. The ISM is the foundation of your Information Security/Cyber Security program. Why? You need to document polices/procedures and let others know what you expect. I will provide a few examples below.
Patch Management
Most vulnerabilities are classified as Critical, High, Medium and Low. You also have zero-day vulnerabilities, which do not have a patch, but generally have steps to provide compenstating controls before the patch is released.
How are you going to handle these vulnerabilities? While it would be nice to say I will patch them all, it is not realistic. You can also say you will patch all critical vulnerabilities immediately, but that is also not realistic. You will want to establish a time frame, such as critical vulnerabilities will be patched in 10 days, high vulnerabilities will be patched in 30 days, medium vulnerabilities will be patched in 60 days and low vulnerabilities will be patched in 60 days or never depending upon what the vulnerability is. If you have the ability to put a remediation for the vulnerability in place, you will want to state that in your program. You will also want to define what your patch management program is. You will also want to define the tools you are using an example being SCCM. You will also want to define how you are identifying vulnerabilities and what tool you are using to identify those vulnerabilities and how often the tool is run to identify vulnerabilities. If you are using Windows Defender For Endpoint with and E5/M5 license it has a nice vulnerability identification tool that is constantly running and identifies new vulnerabilities quickly. I would recommend accompanying that with a tool such as Nessus or some other vulnerability assessment tool.
Change Control
It is my belief that a good ISM should have some sort of documented change control process. You will want a process that will identify potential conflicts that could lead to downtime. You also want to vet what is being implemented to ensure that it does not compromise your security posture. Finally, items such as emergency changes or firewall changes should have some sort of approval process. A really effective process I have seen leverages a Microsoft Teams channel and having members of the change management board (CAB) approve changes in the channel. You discuss the emgergency changes during the next CAB meeting. I could write an entire article on change management (And I will in the future). Finally, you will want to define what date and time you wil hold the change management meetings what the approval process is.
System Hardening
You should have your system hardening processes and procedures defined in your ISM. You want to make sure you are putting secure systems into your environment by default. Defining those hardening strands and putting them in a policy will assist in establishing a standard that everyone in IT knows to follow and you can make sure that those standards are followed when a new system is proposed in your change control meetings. (As you can see polices in your ISM build on each other).
Other ISM items
Some other items you should consider putting into your ISM policies is access control, new hire policies, terminated user policies, threat monitoring, ransomware polices, security incident management, risk management policies and endpoint threat protection. I will also dedicate a blog post to an ISM, and if you want more information, you can reach out to me, and I can point you to an awesome consultant that can help with your program.
Network Firewall's and Firewall Management
I have been installed and configuring firewalls for 24 years. In those 24 years, I probably have installed and configured over 200 firewalls for various companies from 10 different vendors. I have seen the good, the bad and the ugly.
The Ugly
The ugly is having a firewall installed to check a box, but the firewall is like Swiss Cheese. You need to maintain a clean rule base. Make sure you audit your firewall every six months to remove unneeded rules and services. Most firewall's these days can point out the firewall rules that are unused. You can disable the rules first and then delete them once you are sure they are not in use. I can't tell you how many rule bases I had to clean up over the years. The worst I have seen is over 200 rules and most were not needed. What happens if you have an incident, and you need to lock down the Firewall? It would almost be impossible. Also, how are you going to train others on your mess. Take the time and clean up and don't' get mad at the consultant that he it is taking more time than they estimated due to your mess. Whenever I saw a firewall with over 60 rules (many of them any any rule), I knew they did not have a good ISM or policies and procedures. In fact, firewall management should be a documented policy in your ISM.
I have also seen firewalls that run a very old version of code or do not have all of the protections enabled. You should be updating firewall firmware to the vendors recommended release and have a policy on how you are going to perform those upgrades. If you firewall has advanced features such as URL filtering, Threat Detection and Anti-Virus, configure them.
Finally, if your firewall is end of life, replace it. A firewall that is end of life is not going to protect you.
The Bad
The bad is having a firewall with any any rules defined thinking I have a firewall, so it is good enough. You also need to limit what services and destinations depending upon what you are attempting to accomplish.
Firewalls allow you to utilize Network Address Translation (NAT). Make sure that once a system is retired and you also retire your NAT rules. I recently was reviewing a firewall that had left over NAT rules and it mapped to an ILO board on a VMWARE server. This is why firewall hygiene is import and you need to remove rules and services if they are not in use. (They were lucky they did not get hacked)
Firewall Management users should be defined to unique individuals and the built-in default admin user should be changed and used in emergences only. Leverage Radius or LDAP and intergate your firewall with your diredtory services such as Active Directory. This allows you to ensure that firewall administrators are disabled when someone leaves, and your password policy is applied to those users. Finally, make sure that you enable multifactor authenication on the users that administrate your firewall. This will protect against credential compromise and add an additional layer of security.
Most services these days leverage transport layer security (TLS) and ride over port 443. Most modern firewalls account for that shift, but you need to make sure you are properly configured to monitor port 443 traffic. Besides, web filtering and threat detection, you should also filter file type downloads. You do not need to be allowing powerShell scripts, executable files and other malicious file types to be downloaded. If your firewall has sandbox capabilities, enable them. Finally, if your firewall has the ability to intercept TLS traffic and analyze it for threats, enable it. Most firewall vendors call this SSL decryption. You will need to exclude certain sites from SSL decryption, such as Banking and Healthcare as privacy and banking laws do not allow you to intercept that traffic. In fact, you should consult privacy laws and your policies before enabling this feature.
The Good
The good is creating a process to review the Firewall Rulebase at least once year (I suggest quarterly) to remove unused and unneeded firewall rules and services.
You should also be keeping your Firewall current with the lastet firmware or firewall code. I suggest that this should be reviewed quarterly. Firewall code/firmware updates contains bug fixes and new features you will want to take advantage of.
Make sure you are putting additional protestation and controls around TLS/port 443 traffic. A majority of the traffic has shifted to being encrypted and if not configured properly, this can make your firewall ineffective against threats.
Enable URL Filtering, directory services integration, threat management and Anti-Virus services.
Make sure that you are following secure defaults on firewalls, disabling out of the box configurations that are not necessary and could cause security vulnerabilities.
Make sure that you have MFA enabled for your administrative users. Along with MFA, if your organization leverages a Security Information and Event Management (SIEM) solution, configure your firewall to log traffic to the SIEM. I would suggest logging at least configuration changes. This will allow you to create a daily report of configuration changes and will provide you and way to look for unauthorized changes and to monitor for change control compliance.
Final Thoughts
Information security management is critical to developing an effective cybersecurity program. I just touched on some simple basics that one should focus on when starting a program. As you mature, you will need to add many more policies/processes and procedures to your program which I did not cover in this post.
Firewalls are important to many organizations, but I would argue with many people working from home and how most traffic is using TLS, the firewall is not as effective as it once was. You still need to maintain best practices and make sure you are not doing the bad and the ugly, but you will need to combine a firewall with some good endpoint protection, which is a topic for another post.
I hope this post helps in your journey to making your organization more secure. If you take anything away from this post, have a documented Information Security Program and don't be lazy with your firewall management.