Cyber-attacks have become very common in today’s technology world. According to Akamai's Q2 2013 State of the Internet Report, the number of cyber-attacks that occurred during the second quarter of 2013 fluctuated across the globe. However, places like Indonesia and China experienced a significant increase in attack traffic—38% and 33% respectively. Given the continuous increase in cyber-attacks, it is time to revisit the factors involved in cyber security. We often measure the effectiveness of our cyber security based on our ability to detect attacks and most importantly how we respond to them.
Firewalls are your first line of defense and it becomes important to manage your security policies in a way that ensures compliance and reduces risk. A typical network environment consists of firewalls from multiple vendors, which creates a need for strong firewall security management. Here are some guidelines for isolating and validating policy changes to lessen the threat.
Best practices for isolating and validating firewall policy changes to close the threat:
- Isolate the packet information from the threat signature: Isolate the address of the source of the threat, the targeted destination address, and the service ports present in the attack. By identifying this information, the user can block the attack from the source.
- Import firewalls into your firewall management tool inventory: Import the configurations of the firewalls to be analyzed into your firewall tool inventory.
- Run Object Query: Using the packet information from step 1, run Object Query across the firewalls in the firewall management tool inventory to quickly find objects that represent the source, destination addresses, and service elements of the packet.
- Run ACL Rule Query: Using the packet information from step 1, run ACL Rule query across the firewalls to find ACL rules that allow or deny the packet.
- Run Policy Query: If the destination represents an internal private RFC address, use the post-NAT data flow query to find all the firewalls in the inventory that allow the given packet. This will identify all ACL, NAT, VPN, and routing rules within each firewall that allows the given packet to go through the firewall.
- Run Rule Dependency Report: For the firewalls that require firewall intervention, run the Firewall Cleanup and Optimization report to identify the rule order dependencies that exist between the rules in each rule set.
- Run Policy Difference Report on the new configuration: Once the changes are complete, run the policy difference report using the original and the modified configurations to make sure that only the packet(s) related to the threat are being blocked.
A proper and timely response to an incident requires understanding the complexities of the firewall configurations in the context of your network, identifying the specific changes that will prevent it from recurring, and ensuring that no undesired effects occur due to the change.
Security is a shared responsibility and we all need do our part. Stay secure folks!