TO PARAPHRASE THAT WINNING EXPRESSION from the 1992 U.S. presidential campaign, “It’s the data, stupid.” Both the sophistication and the breadth of cyberattacks are growing at a dizzying pace today. From hardware design flaws to ever more sophisticated exploits, clients and their data are in great peril, with their firewall standing sentry. Here’s how to configure that firewall for maximum effectiveness.
Predeployment Interview
Most of us can apply a subnet to a firewall, set up a couple of zones, and configure a WPA2 passphrase and even a quick site-to-site VPN about as fast as we can eat lunch. With the time and money pressures clients place upon us, this is often as far as we go. That’s a big mistake, though, that not only shortchanges our clients, but potentially leaves big holes that we’ll have to plug sooner or later.
A more thorough configuration process begins with a predeployment client interview. We use that time to gather information such as where the client’s customers and business associates are geographically, what they expect of their wireless (for those that use integrated or firewall-managed wireless), who needs remote access, to what and from which devices, and more. This process not only identifies crucial details but alerts our clients to some of the complexities of securing their site(s) and the policies they must enact to stay secure.
Meet the Author in Person
Joshua Liberman will speak about firewall security and more at the next ChannelPro SMB Forum. For more information, go to http://events.channelpronetwork.com.
The Basics: Scanning, Content Filtering
It goes without saying that we have to configure zones, set up the subnet on the WAN, and configure deep packet inspection. While you’re at it, don’t overlook content filtering. Be sure to enable GeoIP and botnet filtering as well, but work through how and where the client does business first. You may find the client has more international traffic (from Akamai and Office 365 hosts, for example) than you expected.
The modus operandi here is to start with the most restrictive policy and work your way back from there. Using hosted email makes this much simpler, as you don’t need to open the customer’s SMTP ports to the world.
Though not strictly speaking a firewall configuration issue, setting up DNS filtering here is very important as well. Using a DNS filtering service that blocks traffic to known “bad actors” (such as malware command and control servers) can spell the difference between another day at work and a real disaster for your client.
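As an added illustration of the DNS filtering point (not code from the original article): a small Python check that runs a resolver query log against a block list, matching on domain boundaries so that subdomains of a blocked name are caught while look-alike names are not. The block list and the log lines are constructed for the example.

```python
"""Flag DNS queries for names on a block list (all data below is constructed)."""

# Constructed block list of domains a filtering service would refuse to resolve.
BLOCKLIST = {
    "c2-example.invalid",
    "dropper.example",
}

# Constructed query log lines: "<timestamp> <client-ip> <qname> <qtype>".
QUERY_LOG = """\
2024-01-01T09:00:01 10.0.0.15 www.office365.example A
2024-01-01T09:00:02 10.0.0.23 beacon.c2-example.invalid A
2024-01-01T09:00:03 10.0.0.23 C2-Example.INVALID. AAAA
2024-01-01T09:00:04 10.0.0.42 notdropper.example A
2024-01-01T09:00:05 10.0.0.42 cdn.dropper.example A
"""


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is on the block list.

    Matching is case-insensitive, ignores a trailing dot, and only matches on
    label boundaries, so 'notdropper.example' is not caught by 'dropper.example'.
    """
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def find_blocked_queries(log_text, blocklist=BLOCKLIST):
    """Return (client_ip, qname) pairs for every query a filter would block."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash
        _ts, client, qname, _qtype = parts[:4]
        if is_blocked(qname, blocklist):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in find_blocked_queries(QUERY_LOG):
        print(f"blocked query from {client}: {qname}")
```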
Intermediate Stuff: Wireless, Remote Access, One-Time Passwords
Many sites rely on integrated wireless in the firewall, while some use the firewall to manage distributed access points. Just about any modern firewall can competently deliver and manage an effective wireless solution, and often provide more comprehensive security monitoring and reporting solutions than basic, discrete wireless options.
Whether wireless is delivered this way or with an additional solution, you’ll need to carefully evaluate your client’s wireless requirements. Some clients that want to provide wireless merely as a convenience for their customers need an access point that sends traffic right to the internet and nothing more. Others need more sophisticated wireless guest services, including bandwidth throttling, time limits, and more. Larger sites with multiple access points will probably want seamless roaming or to segment their wireless environment. Whatever your client wants, you’re in charge of securing the delivery of this service.
You must also take the time to learn how your customers plan to connect remotely—from home, from a roaming machine, from any machine, anywhere? What will they do with that connection? Access files, run client-server applications, launch an RDS or Citrix session, RDP into a desktop? You may end up provisioning an SSL VPN portal or sticking with client-based access. A great step you can take here is to enable one-time passwords, aka the “poor man’s two-factor authentication.” That feature is included free in many firewalls.
Advanced Stuff: Heuristics, Tunneling
An additional defense we enable for our clients is heuristic traffic analysis. Unlike the firewall’s other traffic scanning services, heuristic analysis doesn’t rely on a signature set. With millions of new attacks monthly, signature-based scanning is struggling to keep up. Heuristic analysis uses cloud-based “sandboxing” technology that detonates files in a safely contained space and inspects their behavior. Files are allowed through only after they’re verified as benign. This is an invaluable extra layer of protection that’s easy to configure and reasonably simple to manage.
Another easily configured benefit for your users is protection when connecting to open access points by using the “tunnel all” option in their SSL VPN client. To employ this protection, all you have to do is configure the VPN client to tunnel all traffic (that is, disallow split tunnels) once the VPN is established. This sends all of the customer’s traffic back through their office inside the encrypted tunnel, so nothing is exposed in the clear on the open wireless link to the access point.
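An added example, not from the original article, of how to verify that the “tunnel all” setting actually took effect on a client: it parses Linux `ip route` output (assumed format; the sample tables are constructed) and reports whether every destination leaves via the tunnel interface, including the two /1 routes some clients install instead of replacing the default route.

```python
"""Check that a VPN client really tunnels all traffic (no split tunnel).

Parses Linux `ip route show` output (assumed format; the samples below are
constructed) and reports whether the default route, or the 0.0.0.0/1 plus
128.0.0.0/1 pair some clients install to override it, goes via the tunnel.
"""
import re

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


def parse_routes(route_text):
    """Return (destination, device) tuples from `ip route` output."""
    routes = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("dst"), m.group("dev")))
    return routes


def tunnels_all_traffic(route_text, tunnel_dev):
    """True if every destination is covered by a route through tunnel_dev."""
    via_tunnel = {dst for dst, dev in parse_routes(route_text) if dev == tunnel_dev}
    if "default" in via_tunnel:
        return True
    # OpenVPN-style 'redirect-gateway def1': two /1 routes that are more
    # specific than, and therefore beat, the untouched original default route.
    return {"0.0.0.0/1", "128.0.0.0/1"} <= via_tunnel


# Constructed: split tunnel, only the office subnet goes through tun0.
SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed: tunnel-all via the def1 trick; the wlan0 default route stays
# but is shadowed by the two more specific /1 routes.
FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

if __name__ == "__main__":
    print("SPLIT tunnels all:", tunnels_all_traffic(SPLIT, "tun0"))  # False
    print("FULL tunnels all:", tunnels_all_traffic(FULL, "tun0"))    # True
```

On a Windows laptop the same idea applies to `route print`, but the parser above only understands the Linux format.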
Extra Credit: DPI-SSL
Ten years ago, most internet traffic was “clear text” only, with SSL encrypted traffic reserved for shopping, banking, and the like. Today, nearly all traffic is encrypted. Since ignoring that traffic is not an option, setting up encrypted traffic scanning is imperative. DPI-SSL is tricky to deploy at the endpoints, and processor- and memory-intensive in the firewall. Because of this overhead, you’ll generally have to move up at least one notch in terms of firewall performance beyond what you’d normally need. But working without it is like installing a screen door on your submarine.
DPI-SSL technologies scan SSL traffic by executing a kind of “man-in-the-middle attack” in which the firewall decrypts, scans, and then re-encrypts traffic for delivery. If you had any question why this is so processor- and memory-intensive in the firewall, now you know.
Because the certificate the client sees is now issued by the firewall’s inspection CA rather than by the site’s original issuer, you also need to update the Windows certificate store to trust the firewall’s CA, which means working in Active Directory to create group policy objects and touching applications such as Firefox and others that don’t use that store. Some apps with “pinned certificates,” such as Dropbox, must be excluded from inspection. The bottom line is that implementing DPI-SSL is both a pain and painfully necessary.
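An added example (not the article’s code) of how an administrator can confirm that DPI-SSL is intercepting a connection and catch pinned-certificate hosts that should have been excluded: it reads the issuer from a certificate in the shape Python’s `ssl.SSLSocket.getpeercert()` returns. The inspection CA name, the pinned-host list and the sample certificates are assumptions constructed for the example.

```python
"""Detect DPI-SSL interception from the certificate a client is shown.

Operates on the dict that ssl.SSLSocket.getpeercert() returns after a
verified handshake; the certificates below are constructed in that shape so
the check runs offline. The inspection CA name is an assumption.
"""

# Assumed: common name the firewall's DPI-SSL re-signing CA puts in 'issuer'.
INSPECTION_CA_CN = "Example Firewall DPI-SSL CA"

# Constructed: hosts whose client application pins its certificate and will
# refuse a firewall-issued one, so they must be on the DPI-SSL exclusion list.
PINNED_HOSTS = {"dropbox.example"}


def issuer_cn(cert):
    """Extract the issuer commonName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(host, cert, inspection_ca_cn=INSPECTION_CA_CN, pinned=PINNED_HOSTS):
    """'direct' (no interception), 'inspected', or 'inspected-pinned' (a
    misconfiguration: the pinned app will fail until the host is excluded)."""
    if issuer_cn(cert) != inspection_ca_cn:
        return "direct"
    return "inspected-pinned" if host in pinned else "inspected"


# Constructed sample certificates in getpeercert() shape.
PUBLIC_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Root"),)),
}
RESIGNED_CERT = {
    "subject": ((("commonName", "dropbox.example"),),),
    "issuer": ((("organizationName", "Net Example Firewall"),),
               (("commonName", INSPECTION_CA_CN),)),
}

if __name__ == "__main__":
    print(classify("www.bank.example", PUBLIC_CERT))   # direct
    print(classify("dropbox.example", RESIGNED_CERT))  # inspected-pinned
```

In live use, pass the dict returned by `getpeercert()` from an `ssl`-wrapped socket in place of the constructed ones; the nested tuple layout is the same.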
Closing the Loop
You are ultimately responsible for securing your clients’ networks. This usually begins at the firewall and should start with a client interview. Using that information, you’ll configure the basics of LAN/WAN setup, DPI scanning, wireless security, SSL VPN connectivity, and one-time password functionality, as well as content, GeoIP, and botnet filtering. And don’t forget to turn on the heuristic scanning capabilities of your firewall to go beyond signature-based scans. To fully close the loop, you’ll need to deploy DPI-SSL to scan your encrypted traffic as well. Lots to do, so better get going.
JOSHUA LIBERMAN is president of Net Sciences Inc., a midsize network support firm offering systems integration and MSP services throughout New Mexico.
Image: SonicWall TZ Series