Hello and welcome to Firewall Management 201 with Professor Wool. Today we'd like to talk to you about the most common firewall misconfigurations and what to do about them.

As part of my academic work I've conducted research that investigates what types of misconfigurations are out there in firewalls. This research covered Check Point and Cisco firewall configurations from close to a hundred different organizations, and today I'd like to share with you some of the highlights of that research and some takeaway points from them.

The three most common misconfigurations that were observed in this study were the following. Rules that said "to anywhere, with any service" were detected in close to 60% of the firewall configurations that were investigated. Firewalls that allow outbound peer-to-peer traffic: these rules were detected in around 60% of the firewalls that were surveyed. And firewalls that allow outbound email (SMTP) from a large number of IP addresses: that was detected in some 80 percent of firewall configurations.

So what is common here? You can see that these are all misconfigurations that pertain to outbound traffic.
Now, you could wonder why this is risky. After all, we are used to thinking that the inside of our network is more secure than the outside, and that traffic going from outside to inside is the risky one: inbound traffic is the risky traffic. Well, that's no longer the case in the current risk scenarios that we find on the Internet today.

Think about a case where one of your internal computers gets infected by some malware and now it is a zombie. It's running some malware that is doing some malicious deeds: maybe it's participating in denial-of-service attacks, maybe it's sending spam email, maybe it's leaking out information, harvesting credit card numbers. And that zombie is owned by some command and control center that's out on the Internet somewhere. So the command and control center needs to control the zombie and send it commands telling it what to do. You might think that this traffic from the command and control center to the zombie would be inbound traffic from the firewall's point of view, coming from the command and control to the zombie. However, that's not the case.
Malware authors architect their solutions so that really it's the zombie that initiates the communication. The zombie keeps asking the command and control center, in the outbound direction, "do you have something for me? do you have something for me?" And so from the firewall's point of view the communication between the command and control center and the zombie is outbound: it's going from the inside network to the outside, even though, in effect, the commands are really coming inbound.

So if we have one of these badly written rules, like "allow any service outbound" or "allow peer-to-peer services outbound", what this means is that the traffic from the zombie towards the command and control center is allowed, or the traffic from the zombie out towards the denial-of-service targets is allowed, and the firewall is not blocking it. That's why these things are considered to be quite risky. And because of historical reasons, firewall administrators pay less attention to outbound traffic, so many firewalls, 68% of firewalls, are allowing this bad traffic outbound, and it's our job as firewall administrators to limit that.

Now let's take a closer look at the
third one, which is really the most common misconfiguration: SMTP being allowed from many different IP addresses. Why is that a problem? Well, let's look at the zombie. If it's participating in a spam campaign, it will try to send email to the various recipients of the unsolicited email, and it will do so by sending SMTP connections straight out. If the firewall is allowing this traffic from basically any IP address in our internal network, the firewall is not filtering out, not blocking, these spam emails.

Whereas the correct way of setting up the email is to have our internal systems send their email to an internal mail gateway, and only the mail gateway will send the email out towards the Internet. Then the firewall will only have a single rule allowing email from that designated mail gateway towards the Internet, and not from everywhere. If we set up our email system to work in the recommended way, then when the zombies try to send email out, the firewall will block them, because those emails are not going along the designated route. So again, this explains why having lots of IP addresses allowed to send email directly out is a bad idea.

So what's the takeaway from all of this? The takeaway, the tip of the day, is: lock down your outbound rules. You need to pay attention to rules that allow traffic from your inside network towards the Internet. You need to audit them, shrink them to the bare minimum, and make sure that you're not allowing wide access in the outbound direction, because that outbound is just as likely to become an inbound direction as well. Thank you.
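The following is an added example, not code from the talk or from Professor Wool's research tooling. It audits a simplified, constructed rulebase for the three outbound misconfigurations described above (any service outbound, peer-to-peer outbound, SMTP from many sources) and then simulates first-match evaluation to show that a zombie's direct SMTP connection and C2 beacon pass a sloppy rulebase but are dropped once outbound SMTP is restricted to a designated mail gateway. The rule format, the 10.0.0.0/8 internal range, the 10.0.1.25 mail gateway, and the list of peer-to-peer default ports are all assumptions made for the example, not a real Check Point or Cisco export.

```python
"""Added example: audit a constructed firewall rulebase for risky outbound rules.

Assumptions (not from the talk): the internal network is 10.0.0.0/8, the
designated outbound mail relay is 10.0.1.25, and rules are first-match with an
implicit drop at the end. The rule format is a simplified stand-in for a
vendor export.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed "inside" network
MAIL_GATEWAY = "10.0.1.25/32"                   # assumed designated mail relay

# Default ports of common peer-to-peer clients (BitTorrent 6881-6889,
# Gnutella 6346/6347, eDonkey 4662). Assumption: clients can use any port,
# so matching on these is only a lower bound for detection.
P2P_PORTS = set(range(6881, 6890)) | {6346, 6347, 4662}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, or "any"
    dst: str       # CIDR, or "any"
    service: str   # "any", "tcp/25", or a range such as "tcp/6881-6889"
    action: str    # "accept" or "drop"


def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _ports(service: str) -> Optional[Tuple[str, int, int]]:
    """Return (proto, low, high) for a service string, or None for 'any'."""
    if service == "any":
        return None
    proto, rng = service.split("/")
    lo, _, hi = rng.partition("-")
    return proto, int(lo), int(hi or lo)


def is_outbound(rule: Rule) -> bool:
    """Outbound: source touches the inside network, destination is not confined to it."""
    src, dst = _net(rule.src), _net(rule.dst)
    src_inside = src is None or src.overlaps(INTERNAL)
    dst_outside = dst is None or not dst.subnet_of(INTERNAL)
    return src_inside and dst_outside


def audit(rules: List[Rule], max_smtp_sources: int = 1) -> List[Tuple[str, str]]:
    """Flag the three misconfigurations from the talk as (rule name, finding)."""
    findings = []
    for r in rules:
        if r.action != "accept" or not is_outbound(r):
            continue
        svc = _ports(r.service)
        if svc is None:                       # "any service" outbound
            findings.append((r.name, "any-service-outbound"))
            continue
        proto, lo, hi = svc
        if any(lo <= p <= hi for p in P2P_PORTS):
            findings.append((r.name, "p2p-outbound"))
        if proto == "tcp" and lo <= 25 <= hi:  # SMTP allowed from how many hosts?
            src = _net(r.src)
            sources = 2 ** 32 if src is None else src.num_addresses
            if sources > max_smtp_sources:
                findings.append((r.name, f"smtp-from-{sources}-sources"))
    return findings


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Evaluate a connection against the rulebase first-match, implicit drop at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        sn, dn = _net(r.src), _net(r.dst)
        if sn is not None and s not in sn:
            continue
        if dn is not None and d not in dn:
            continue
        svc = _ports(r.service)
        if svc is not None and (svc[0] != proto or not svc[1] <= port <= svc[2]):
            continue
        return r.action
    return "drop"


# Constructed "before" rulebase showing all three misconfigurations.
SLOPPY = [
    Rule("inbound-web", "any", "10.0.2.80/32", "tcp/443", "accept"),
    Rule("lan-out", "10.0.0.0/8", "any", "any", "accept"),               # any service out
    Rule("bittorrent", "10.0.0.0/16", "any", "tcp/6881-6889", "accept"),  # P2P out
    Rule("mail-out", "10.0.0.0/16", "any", "tcp/25", "accept"),           # SMTP from 65536 hosts
]

# Constructed "after" rulebase: SMTP only from the mail gateway, outbound
# shrunk to what is needed, everything else hits the implicit drop.
LOCKED_DOWN = [
    Rule("inbound-web", "any", "10.0.2.80/32", "tcp/443", "accept"),
    Rule("mail-out", MAIL_GATEWAY, "any", "tcp/25", "accept"),
    Rule("web-out", "10.0.0.0/8", "any", "tcp/443", "accept"),
    Rule("dns-internal", "10.0.0.0/8", "10.0.1.53/32", "udp/53", "accept"),
]

if __name__ == "__main__":
    print("sloppy findings:", audit(SLOPPY))
    print("locked-down findings:", audit(LOCKED_DOWN))
    zombie = ("10.0.5.20", "203.0.113.5", "tcp", 25)   # constructed spam attempt
    print("zombie SMTP, sloppy:", first_match(SLOPPY, *zombie))
    print("zombie SMTP, locked down:", first_match(LOCKED_DOWN, *zombie))
```

The audit is static (it reads rules, not traffic), so it also catches a permissive rule that happens to be shadowed by an earlier one; the `first_match` simulation is what shows the operational effect of the gateway-only SMTP rule on a zombie at 10.0.5.20 versus the relay at 10.0.1.25.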