Your Firewall is Stupid!

Can't Fix StupidThe title of this post may sound extreme but it describes exactly the story below. Never forget that firewalls (like any other security device or application) is just a tool that must be used in the right way. If you use a drill with the wrong bit, you will miss its main purpose. Computers are dumb!

Yesterday, I was asked to implement a firewall change for a customer. Remember: Any change in an existing configuration could introduce security issues! Here is a good example with the original request below:

Please, could you enable the firewall interface x connected to network 172.16.0.0/24 and allow HTTP(S) traffic from this network to everywhere?

I called the customer to collect more information and, after some questions, the new network suddenly became a “Guest Access” network. This was an interesting information. Guests are potential enemies! Then followed this conversation:

Me: “Are you sure to enable HTTP(S) access from this guest network to any destination?

Customer : “Euh… Yes, that’s the request…

Me: “Depending on the location of the new rule in the firewall policy, this is a potential security breach. Anybody connected to the guest network could scan for internal HTTP servers. Sensitive information might be disclosed.

Customer: “<silence> Indeed! Let’s restrict the traffic to non-RFC1918 addresses (used internally)

Me: “Ok, I also detected lot of dropped DNS requests, I suppose you’ll need to resolve hostnames to surf the web?

Customer: “Indeed, you can enable DNS requests from the guest network

Me: “May I have your resolvers IP addresses? By allowing DNS traffic to any hosts, you will introduce new breaches like, example, DNS tunneling…

Customer: “Yes, yes indeed! I’ll provide you a list

Me: “Finally, instead of allowing free HTTP(S) traffic to the Internet, I suggest you to filter the traffic using a proxy or any filtering mechanism to avoid other potential issues: malwares, viruses, HTTP-tunnel, etc

As you can see, maintaining a correct security policy is mandatory to avoid security issues in the future. Take your time to make some brain storming and implement changes correctly. Lot of security incidents are caused by mis-configurations!

 

Post Navigation