Tagi 01 Perimeter and External Network
Firewalls
Firewalls are the primary and most critical tool protecting your organization's network from unintended access.
Configurations span from a simple router using access control lists (ACLs) to restrict traffic to pre-approved IP
addresses and protocols, to redundant sets of purpose-built hardware that intercept and inspect every packet, file
and data object at wire speed according to complex rule sets.
Firewalls analyze data packets moving in and out of the network and prevent unauthorized data transfers based
on pre-set rules. The strictness of these rules depends on the security needs of the network and can take two
forms: blacklists and whitelists.
Blacklists prevent connections based on a specific list of banned hosts, services and/or applications while
allowing all other data through. Consequently, they must be constantly updated as new threats are discovered,
and they are powerless against threats that have not yet been identified.
Conversely, whitelists block all traffic except what has been explicitly approved. Whitelists are therefore
inherently more secure than blacklists, since any unapproved traffic is dropped, and are the preferred
methodology. They do require a thorough understanding of the traffic that must be permitted to perform
business functions, and so may be beyond the capabilities of smaller organizations to fully implement and
manage.
A whitelist approach supplemented with broad blacklists (e.g. blocking entire countries) is a powerful approach,
but each organization must ultimately decide what balance to strike between security and ease of use.
Firewall Function
Firewalls are one of the oldest forms of IT network security technology, dating back to the late 1980s, and have
been refined over decades as attackers find new ways to circumvent them. Early packet-filtering firewalls could
only inspect the header of each packet in isolation. Because they kept no record of existing communications
between networks, attackers could bypass them by crafting headers (for example, setting the TCP ACK flag) so
that packets appeared to belong to existing, approved connections. To combat this, stateful firewalls were
introduced. By tracking connections and the packets they carry, these firewalls know each packet's state, that
is, whether and where it belongs in a transmission. Individual packets that are not part of an established
connection, or that have unusual or suspicious headers, are dropped.
However, stateful firewalls still do not inspect what is actually in the packets, so a third firewall type was
introduced: proxies. Proxy (application-layer) firewalls, often marketed as deep packet inspection firewalls, do
not pass data directly; instead they reassemble the stream and analyze its contents. If the content meets the
firewall's security requirements, the proxy re-packetizes it and sends it on to the final destination. If properly
configured, proxies can even decrypt TLS traffic to and from the network, making it far harder for users or
attackers to hide or disguise their actions from the firewall. Although proxies are by far the most secure firewall
type, they are also the slowest and most expensive in computing power. They also complicate networks, as
many devices and applications must be specifically configured to work with proxies, and decrypting traffic
requires the proxy's CA certificate to be trusted by every client. Deep content inspection is an evolution of deep
packet inspection, expanding review from a collection of packets in the data stream to the entire file or object.
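The two policy styles from the Firewalls section (a default-deny whitelist versus a default-allow blacklist) and the stateless-versus-stateful distinction above, as an added example that is not the page's own code. It is a toy packet filter: the hosts, ports, rules and packet sequence are constructed for illustration, and the "established" rule models the old header-only shortcut (ACK flag set means "part of an existing connection") that pre-stateful routers relied on.

```python
"""Added example (not from the page): a toy packet filter contrasting a
default-deny whitelist with a default-allow blacklist, and a header-only
(stateless) filter with one that tracks connection state. Hosts, ports and
packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    dst: Optional[str] = None    # None matches any value
    dport: Optional[int] = None
    established: bool = False    # header-only "established" test: ACK flag set

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or "ACK" in p.flags))


class StatelessFilter:
    """First matching rule wins; `default` is the policy when nothing matches
    ("deny" for a whitelist, "allow" for a blacklist)."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Adds a connection table keyed on the 5-tuple. Rules are consulted only
    for connection-opening SYNs; any other packet is accepted solely when it
    belongs to a flow that was already admitted (in either direction)."""

    def __init__(self, rules: List[Rule], default: str):
        super().__init__(rules, default)
        self.conns = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if "SYN" in p.flags and "ACK" not in p.flags:   # new connection attempt
            action = super().decide(p)
            if action == "allow":
                self.conns.add(key)
            return action
        return "allow" if key in self.conns or reverse in self.conns else "deny"


def evaluate(rules: List[Rule], default: str, stateful: bool, packets) -> List[str]:
    """Run every packet, in order, through a fresh filter of the chosen kind."""
    fw = (StatefulFilter if stateful else StatelessFilter)(rules, default)
    return [fw.decide(p) for p in packets]


# Constructed traffic: a legitimate HTTPS session, then an attacker who forges
# the ACK flag to look "established", then the attacker's fresh SYN to SSH.
CLIENT, ATTACKER, WEB, SSH = "198.51.100.7", "203.0.113.66", "10.0.0.5", "10.0.0.9"
PACKETS = [
    Packet(CLIENT, WEB, 443, 51000, frozenset({"SYN"})),
    Packet(CLIENT, WEB, 443, 51000, frozenset({"ACK"})),
    Packet(ATTACKER, SSH, 22, 40000, frozenset({"ACK"})),
    Packet(ATTACKER, SSH, 22, 40001, frozenset({"SYN"})),
]

# Whitelist: only the public web server, plus the header-only "established"
# shortcut; everything else falls to the default deny.
WHITELIST = [Rule("allow", dst=WEB, dport=443), Rule("allow", established=True)]
# Blacklist: ban a few notorious ports and let everything else through.
BLACKLIST = [Rule("deny", dport=23), Rule("deny", dport=445)]

if __name__ == "__main__":
    for name, rules, default, stateful in [
        ("stateless whitelist", WHITELIST, "deny", False),
        ("stateful whitelist", WHITELIST, "deny", True),
        ("stateless blacklist", BLACKLIST, "allow", False),
    ]:
        print(f"{name:20s}", evaluate(rules, default, stateful, PACKETS))
```

The third packet is the instructive one: the stateless whitelist passes the forged ACK to the SSH host because its header says "established", while the stateful filter drops it because no admitted flow matches. The blacklist passes both attacker packets, since nothing banned port 22; that is the "powerless against threats not yet identified" property in miniature.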
Contact us
Phone: 866.290.6774
Email: ahayden@trustcc.com
Content Filtering
By automatically blocking access to phishing websites, websites known to host malicious code, and sites that
offer unauthorized software, content filtering services reduce the attack surface of your network and data. They
can also inspect and block content received from legitimate websites that have been unknowingly compromised
and seeded with malicious code, and shut down suspicious or unauthorized connections.
Like firewalls, content filtering services can use either blacklists or whitelists to control which websites users
are allowed to visit. Given the high rate of change and sheer volume of web content, most solutions receive
regular update feeds from subscription services that continuously track and categorize sites and content.
Basic content filtering solutions simply block all sites in selected content categories, while more advanced
options scan the content itself using keywords and statistical analysis to enforce the blocking rules. These scans
can also run against outbound data streams, ensuring no sensitive or restricted information is posted to the
web, and so provide protection against data leakage as well.
Site blocking can be a contentious issue in any organization, and some users will inevitably feel that any web
filtering is overzealous and restrictive. To limit complaints and ensure acceptance of content filtering, new filter
rules should always be reviewed before roll-out to confirm they meet corporate guidelines and do not block sites
that users have legitimate reasons to visit.
If the content filtering service does block access to a site needed for business operations, the site should be
carefully reviewed and then whitelisted for the personnel who require it, if acceptable. Keep in mind that
whitelist entries should be reviewed regularly to determine whether each exception is still appropriate.
In the end, each organization must decide what level of web content filtering is appropriate for its operations,
but given that filtering is a crucial tool for network security, it should always be implemented to the strongest
degree the organization can accept.
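A policy engine for the filtering described in this section, as an added example that is not the page's own code. It covers both list styles (blacklist mode blocks listed categories; whitelist mode permits only approved ones), per-user exceptions that carry the review date the text asks for, and an outbound scan that flags marked text and Luhn-valid card numbers. The category feed, hosts, users and dates are constructed stand-ins; a production filter would pull categories from a subscription feed.

```python
"""Added example (not from the page): a small content-filter policy engine.
The category feed below is a constructed stand-in for a subscription feed;
allow-list exceptions carry a review date so they cannot silently outlive their
justification, and the outbound scan catches card numbers and marked text."""
import re
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

CATEGORY_FEED: Dict[str, str] = {          # constructed: host -> category
    "phish.example": "phishing",
    "malware.example": "malware",
    "warez.example": "unauthorized-software",
    "files.example": "file-sharing",
    "news.example": "news",
    "bank.example": "finance",
}
BLOCKED_CATEGORIES = {"phishing", "malware", "unauthorized-software", "file-sharing"}
ALLOWED_CATEGORIES = {"news", "finance"}    # used only in whitelist mode

# Approved business exceptions: host -> (users permitted, date by which the
# exception must be re-reviewed). Constructed.
EXCEPTIONS: Dict[str, Tuple[Set[str], date]] = {
    "files.example": ({"alice", "bob"}, date(2025, 6, 30)),
}


def host_of(url: str) -> Optional[str]:
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else None


def decide(url: str, user: str, today: date, mode: str = "blacklist") -> Tuple[str, str]:
    """Return ("allow"|"block", reason). Blacklist mode blocks only listed
    categories; whitelist mode permits only approved ones (uncategorized sites
    are blocked). Exceptions are honoured in both modes until their review date."""
    host = host_of(url)
    if host is None:
        return "block", "unparseable URL"
    category = CATEGORY_FEED.get(host, "uncategorized")
    permitted = (category in ALLOWED_CATEGORIES if mode == "whitelist"
                 else category not in BLOCKED_CATEGORIES)
    if permitted:
        return "allow", category
    users, review_by = EXCEPTIONS.get(host, (set(), None))
    if user in users:
        if today <= review_by:
            return "allow", f"exception ({category}), review due {review_by}"
        return "block", f"exception ({category}) lapsed on {review_by}"
    return "block", category


def stale_exceptions(today: date) -> List[str]:
    """Hosts whose exception has passed its review date; feed this to the
    periodic whitelist review the text calls for."""
    return sorted(h for h, (_, review_by) in EXCEPTIONS.items() if today > review_by)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators


def scan_outbound(body: str, keywords=("CONFIDENTIAL", "INTERNAL ONLY")) -> List[str]:
    """Outbound DLP pass: flag marked text and Luhn-valid card numbers so a
    POST or upload carrying them can be blocked."""
    findings = [f"keyword:{k}" for k in keywords if k.lower() in body.lower()]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("card:" + digits[-4:])
    return findings
```

The Luhn check is what keeps a 16-digit order number from tripping the scan while a real card number does; the review date on each exception is what turns "whitelists should be reviewed regularly" from advice into something a scheduled job can enforce.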
tunneling, as that might enable an attacker on an unauthorized network to bounce through the remote device
and access the private LAN.
Wireless Access
Like VPNs, wireless access increases the convenience and accessibility of a network while opening new attack
vectors. The vast majority of wireless systems today use Wi-Fi (the IEEE 802.11 standard) to provide local
access to networks. Wireless systems are not installed only for convenience; they can also save organizations
money by requiring only a few wireless access points instead of wiring an entire office.
However, wireless transmissions are in the end just radio waves and can be received by anyone with a suitable
antenna. On initial release, Wi-Fi used the Wired Equivalent Privacy (WEP) standard to secure transmissions, but
it was quickly found to have numerous security flaws. Using widely available tools and off-the-shelf equipment,
WEP keys can be recovered in as little as three minutes, so WEP should never be used to secure networks.
WEP's serious flaws led to a stopgap replacement, Wi-Fi Protected Access (WPA), that could replace WEP through
a firmware update, but WPA has also been found to have security flaws and has been superseded by the WPA2
standard, which uses AES-based CCMP encryption (a more secure alternative to WPA's TKIP). WPA2 using only
AES encryption (not AES+TKIP mixed mode) should always be the security option chosen for your wireless
systems.
However, keep in mind that even WPA2 is not wholly secure, and wireless networks should always be
segregated from the internal network. If wireless access to the internal network is necessary, a VPN to protect
the transmission and multi-factor authentication to validate the user and endpoint should always be required.
The security of any protocol can be undone by misconfiguration. The most common failing is the use of an
insufficiently long access key, which makes the encryption easier to circumvent: a pre-shared key can be
attacked offline from a captured handshake, so a short or dictionary-based passphrase falls quickly. The WPA2
standard permits a key of up to 256 bits, entered as 8 to 63 ASCII characters or 64 hexadecimal digits. Use the
longest key practical, and one of at least 32 characters. WPA2-Enterprise integrates with your RADIUS server for
centralized authentication management and is preferred to WPA2-Personal (pre-shared key) as it.
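The key-length guidance above, worked through as an added example that is not the page's own code. It shows how a WPA2-Personal passphrase becomes the 256-bit Pairwise Master Key (the standard derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), why a key is either 8 to 63 ASCII characters or 64 hex digits, an audit against the 32-character policy, and how an attacker tests guesses offline. The candidate word list and the policy thresholds are constructed; comparing PMKs stands in for checking the handshake MIC, which is what a real attacker verifies.

```python
"""Added example (not from the page): how a WPA2-Personal key becomes the
256-bit Pairwise Master Key, why keys are 8-63 ASCII characters or 64 hex
digits, and how cheaply a short passphrase falls to an offline guess. The
derivation is the standard one, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 iterations, 32 bytes); the candidate list is constructed."""
import hashlib
import re
import string
from typing import List, Optional, Tuple

HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def wpa2_pmk(ssid: str, key: str) -> bytes:
    """Return the 32-byte PMK. 64 hex digits are the raw 256-bit key; anything
    else must be a printable-ASCII passphrase of 8 to 63 characters."""
    if HEX_KEY.fullmatch(key):
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63 or not all(32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII chars or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def audit_psk(key: str, minimum: int = 32) -> List[str]:
    """Policy check from the text: longest key practical, at least 32 chars.
    A raw 64-hex key already carries the full 256 bits and passes."""
    if HEX_KEY.fullmatch(key):
        return []
    findings = []
    if len(key) < minimum:
        findings.append(f"passphrase is {len(key)} chars; policy minimum is {minimum}")
    classes = sum(any(c in cls for c in key) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation))
    if classes < 3:
        findings.append("passphrase draws on fewer than three character classes")
    return findings


def offline_guess(ssid: str, target_pmk: bytes, candidates) -> Tuple[Optional[str], int]:
    """Dictionary attack against a captured network. Comparing PMKs stands in
    for checking the 4-way-handshake MIC, which is what lets the attacker test
    each guess offline with no further contact with the access point."""
    tried = 0
    for guess in candidates:
        tried += 1
        try:
            if wpa2_pmk(ssid, guess) == target_pmk:
                return guess, tried
        except ValueError:        # too short for WPA2: no network would accept it
            continue
    return None, tried


if __name__ == "__main__":
    pmk = wpa2_pmk("IEEE", "password")       # IEEE 802.11 Annex test vector
    print("PMK:", pmk.hex())
    print("audit:", audit_psk("password"))
    print("guess:", offline_guess("IEEE", pmk, ["letmein", "Password1", "password"]))
```

The 4096 PBKDF2 iterations are fixed by the standard and were chosen for 2004-era hardware, so they buy little against modern GPUs; the only lever the network owner controls is the passphrase length and unpredictability, which is why the text asks for 32 characters or more, and why WPA2-Enterprise, with per-user credentials instead of one shared secret, is the better option where a RADIUS server is available.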
Recommendations 01.01 - 01.10
Malware protection on email and web: Malware protection should be configured to detect and block viruses,
spyware phone-home and download traffic, botnets, worms and Trojans that attempt to enter the network from
the Internet. Anti-malware solutions should be present at every ingress/egress point, especially web downloads
and email.
DDoS preparation
We provide the support our clients need and we guarantee our services.
We're dedicated to continuous improvement. Advisories, trainings and help desk access simplify information
confidentiality, integrity, and availability. We also guarantee client satisfaction, eliminating the risks of trying
something new. Since our evaluation is independent, our recommended mitigation steps are unbiased and
singularly optimized to improve our clients' security.