In our live webinar, CTO, David Barker, gave his ultimate guide to firewalls, covering the cyber threat landscape, how a firewall protects you and an overview of the Dimensions system for managed firewalls.
A transcript of the video is below.
4D Data Centres – a brief story
"So to start off with a little bit about 4D, it was originally started in 1999, we're 20 this year. This was started by myself as a domain registration and shared hosting business. We're now 44 staff across two data centres, we've got 24 seven on-site engineering and network support teams, The network support teams also do our Security Operations Centre work.
We produced about 5.5 million turnover last year, so we're growing quite strongly. We operate our own fibre network, that's between the data centres and around London metro areas, that's for us to do inter-data centre connectivity, MPLS networks, high-speed IV transit and supports our cyber security offerings like DDoS. High capacity carrier network, we've got about 80 Gbps on the edge for tier 1 transit capacity at the moment.
We also provide a shared public cloud as well as private cloud platforms, and the private clouds are fully managed with a console interface for different things like VM administration and backups. And as these webinars are going through we've got a range of cyber security offerings that we've launched over the last 18 months or so and they're available across all of our services. So cloud, both public and private, colocation and all network services.
Who is David Barker?
I'm the founder and CTO at 4D. I started 4D in 1999 as a shared hosting reseller business and doing domain registrations. Eventually this expanded into other data centres. If anyone remembers them, it was Red Bus and IX Europe. And that was to host all the shared hosting platforms and move away from doing a reseller model.
I got into doing colocation by reselling it from those sites, which eventually led to us opening the site I'm in at the moment, 4D Surrey, in 2007- our first owned and operated data centre. And then we opened 4D Gatwick in 2017, which was to offer expansion and second site capacity in a second facility.
We've grown over the years from just myself doing shared hosting to currently 44 full-time staff across two data centres, that's heavily on technical.
Who is a target of cyber attacks?
So who is a target? This is more of a general cyber security point rather than just the need for firewalls, but pretty much everyone is a cyber security target now.
The average time from connecting a new server system to the Internet and the first probes and seeing if you've got any vulnerabilities or ways for an attack to get in is around five minutes- that's largely because there are automated systems that are constantly scanning IP ranges doing port scans and probes to see when your systems come online, looking for potential weaknesses.
Also, if you make firewall changes or configuration changes that expose a port or an application, they're looking to pick that up when you make that change. Particularly if you're a system that already been targeted they'll be looking to try to wait till a mistake is made. But common ones that are being looked for when new systems come on, particularly unpatched systems, you deploy from an old build and you're then looking to patch once it's connected up to the Internet there's a window when you'll have vulnerabilities in that systems.
You're also vulnerable in old applications, so systems that might be end-of-life that are connected and things like weak passwords, configuration errors, general human error.
So if you're looking at whether you be a target, one of the things to really consider is what type of data are you holding on your systems.
Where is it located? Is it on the system that's directly connected to the Internet, is it segregated off and out the back end? Do you have proper segregation- things like databases and Web services.
Do you have a large Internet presence? So the larger your Internet presence the larger attack surface you've got, and the more potential there are for things like making mistakes in patching, firewall rules, opening configurations that should be close.
New technology is another thing to consider. New technology, whilst it is a great thing, tends to be untested and you'll have attackers who are looking to target new technologies for zero-day vulnerabilities. There is also a greater potential for misconfiguration because it's a new system you haven't worked with, or your consultants haven't worked with.
And it's generally an evolving threat landscape, so you've got attackers always looking for new ways in, new techniques, new vulnerabilities and systems and it really is an arms race between people trying to defend their systems And their networks and people trying to get in and cause damage or steal data. So we'll have a quick look at how some things, things on the threat landscape from 2019.
The threat landscape in 2019
Here are four trends that we've seen and I know other people have seen from reports:
Formjacking is a big thing, not necessarily something a firewall will directly protect you against, but something you need to be aware of when pushing new code out or working with third-party developers for your website codes. So that's where you have malicious code which is loaded into a website - usually a paying capture form - and attackers are looking to skim card details off that. It's currently estimated that about four to 5000 websites are compromised each month this way, and the biggest one you've probably heard of recently was British Airways, they had their payment forms compromised with a formjack and it was about 380,000 card details stolen which have a potential value of about $17 million, currently card details are going for around 40, 45 dollars on darknet forums and various other places. So it's a very profitable and lucrative way of criminals or attackers to make money.
Ransomware and Cryptojacking
You've got ransomware and cryptojacking, popped this in here because it's a big topic in 2017 with the explosion in the price of cryptocurrencies there's a lot more cryptojacking where people would load software onto your systems and then look to encrypt data while only giving you the decryption key if you paid over some bitcoin. That's actually decreased a bit for probably about the first time in six or seven years, and that's down about 20% overall, but it's up for businesses. And largely that's due to the fall in cryptocurrency prices. But they're very low barrier to entry, very easy for attackers to deploy. So they're still quite popular as a quick and easy attack.
Malware and spearfishing
Then we've got malware and spearfishing, these will probably always be around. Spearfishing is extremely targeted attacks to try and infiltrate organizations. They'll use somebody to try to get primarily credentials off someone, so it might be an email that comes out asking you to go and reset your password for a system and it will take you to a page that looks exactly like a normal page, maybe a slightly different URL that is difficult to detect and get you to enter username and password, so they can input your details and the attackers can then come in using those credentials, to steal data or try and destroy data and destroy systems.
And DDoS, DDoS will probably never will go away, so we've got average attack sizes are increasing. There's been around a trebling in the average attack size from 2017 to 2018.
We've seen some of the largest attacks recently, there was an unknown end user who was attacked and it was something like a 1.3 terabit per second maximum attack size. Largely, this is because there are more botnets, cheap botnets that people can make use of. And that will be made of things like compromised cloud services and Internet of Things devices like your smart thermostat on your home CCTV camera that is maybe not patched or has weak credentials on it. And embedded devices which are sitting in cars and TVs and fridges and all of that kind of thing.
In addition to larger attack sizes we've got multi-vector attacks are increasing. So there's about 50% of attacks in Q4 were multi-vector using multiple DDoS attack methods. So things like reflection attacks, amplification attacks, combined together to increase the volume. And they also hide other attacks, so you have a DDoS and then there will be a layer 7 application attack hidden within there.
And interestingly, the most common days for DDoS are Saturday and Sunday between 4 p.m. and midnight. And they tend to tail off during the week- that's currently the trend, previously it's been the week days that have been highest, but currently it seems to be a Saturday and Sunday evenings.
A quick history of firewalls
So I'm sure most people know this, but it started off with first-generation firewalls- they were basically very simple packet filters, they compared basic information, so they would look at things like the source and destination of the packet, the port that it's using - whether that's 443, port 80, port 25 - or the protocol, so you would have things like we only allow TCP packets on port 80 through, so all DDP packets would be dropped. Very, very simple yes or no entry. So very much like a bouncer on the door of a club or a bar and they're literally just looking at IDs and seeing how big groups of people come through and everybody's ID has to be checked to let them through.
You've then got second-generation firewalls. For example, you might have heard of stateful firewalls- so that's looking at the connection state as well as the source or destination port being used and the protocols. The connection state would mean that if a packet was starting a connection it would then have all the checks done and be allowed through. If it was part of an existing connection then it would know that that's already been checked and it's part of an ongoing back-and-forth between server and user. Or it would be able to see if a packet is not involved in that connection at all and then that can be just dropped and blocked off. And then lastly we've got next-generation firewalls or third-generation firewalls.
What are next-generation firewalls?
Pretty much any new firewall you buy is going to be a next-generation firewall. So they're hardware or software, and they're capable of detecting attacks in a much more sophisticated way. They enforce security policies at the application and protocol layers. So they will typically look across all seven layers- maybe not layer one, but certainly the top layers of the OSI model. They're application protocol aware, they've usually got VPN support, they'll have services like IPS, anti-virus, anti-malware and identity awareness. They'll work in both bridged and routed modes, so you’ll be able to use them as a layer through a router and just bridge the connection through. And they're able to talk to external sources to gather threat intelligence, things like AV signature updates, malware updates.
Those aforementioned are the firewalls that most people are now deploying, some of them are IP tables which would be a stateful firewall around that second-generation level, and most Windows software firewalls, or something similar, will also be second-generation firewalls. Stuff like WatchGuard, Fortinet or SonicWall, typically are all next-generation firewalls.
How a firewall protects you
At its most basic level, firewalls are a filter between yourself and the internet, or your network and another part of the network. And they basically allow traffic through or block traffic, so that you can control what users are doing, what applications are talking to each other and what traffic flows are healthy. So the data that is sent or received by any device on your network will be TCP or UDP- TCP is easier to filter (I've got an example of a TCP header coming up) because they've got that information in the headers. So they'll have things like source and destination IP protocols, payload information, the sequence of the packet and it allows the firewall to do much more inspection on that traffic and have a much greater certainty whether it's matching a policy or a rule.
First-generation firewalls, stateless or packet filtering, will basically inspect each packet individually and won't look at the trends of traffic that are being received, whether it's part of an existing connection, just every single packet goes through the inspection every single time. A stateful firewall, or a second-generation firewall, does all the same stuff - so they'll look at packets, they'll inspect them against things like the protocols being used, the port that's being opened, the source IP - but they also consider that connection status, whether it's currently an open connection, whether it's a new connection, whether it's nothing to do with any existing connection.
And then with the application firewalls or the next-generation firewalls, they do everything that the other firewalls do but they also look at the content of the packet, and not just the headers. So they'll be able to do more the packet inspection look to see whether there's malware contained within the payload of that packet, or look to see if there are viruses in there or something else.
So to use that bouncer analogy you're looking at stateless or packet filtering firewalls just being a check of everyone's ID. For stateful firewalls, if you've got a big group of people coming through, they check the first person’s ID- everyone is in that group so everyone is then allowed through.
With next-generation firewalls- you're checking the ID, you're checking the group, but then you're also going through the bags of everyone, making sure they haven't got anything hidden in there, making sure they haven't got knives or drugs or anything they're trying to bring in.
TCP header- an example
So just to give a quick example of the TCP header so you can see the kind of stuff that's included in there, a lot of this isn't in UDP, so UDP is much harder to filter. You've got source and destination ports, you've got sequence number of packets so when it's on the receiving end the server or the client can go, okay this packet is out of order, and it knows how to recreate the data in the payload by the order in which the packet should be put together.
You've got things like checksums to make sure that there hasn't been any corruption. And then at the bottom you've got your payload, or data that's within that packet. And this is the bit that the next-generation firewalls can do much deeper inspection on and look into whether there is anything malicious within that packet.
So as we said, TCP packets, information such as source and destination addresses, packet sequence payload. And that information not only allows your network to deliver data properly to your end-users, or back to your servers, but it also gives the firewall the ability to re-compare that information against the information that's configured in the firewall rules.
UDP packets don't have that detail of information, so they can be filtered on port number, but you're a little bit more limited on more advanced filtering techniques.
Firewall rules, at a basic level, are designed to block or allow and filter specific ports. The usual setup is to connect to web server - you might open port 22 for SSH, port 80 and port 443 - and then leave everything else closed. Then if anyone tries to, for example, open a telnet connection or SMTD connection, the firewall's going look at that and see the port that that packet is trying to connect onto and just drop it, whereas anything trying to connect to your web servers on an SSL connection will be allowed through, because it's on a port that's open and allowed through.
You can also allow specific IP addresses, both on source and destination. So if you've got your SSH ports open you can set it so that only your office can connect to that port and it checks the source IP address against the white list for that particular rule. And if it's a packet coming in on port 22 from your office IP address it will be allowed straight through.
You can also drop traffic that fits a certain rule to a different port. So if you've got a number of internal gateways, say in your office or in your network, and then an external firewall, you can set it so that all traffic from those internal gateways only goes through port 443 or port 22. And that way you can control what your user is doing on your network if you've got policy rules that traffic must always be encrypted over certain ports and services.
As part of this we'll go through some of the elements which are important in managing a firewall, and then I'll go quickly through our Dimension service which gives you an overview of how we manage and monitor firewalls and some of the reports and stats you can get out of using our managed firewall service.
Having a firewall is great, but managing it properly is key. You can put a firewall in place and then manage it poorly and it's not really going to add anything to your security- if anything it can make it worse, because you take the view that, we've got the firewall there, so we're good. If you're not managing it correctly you're going to leave things like ports open that shouldn't be open, you're going to have conflicting rule sets, and you're probably not going to be reviewing your rules, so if you've turned an application off, you're then going to leave the rule open which then may expose other systems and data on your network.
So you need to deploy rules in a consistent way, and this goes down even to the naming of policies. You want to have all of your policies and all of the devices on your network named in a consistent way, otherwise you're going to be looking at a massive list of policies and rules all named differently, making it much harder to tell what rule is doing what and what might be conflicting with another rule.
And that then feeds into four or five basic tenants. For a lot of this, if you're in a 2701 certified organization, you need to be looking at this kind of stuff because firewall management is a really key part of 2701. Doing things like firewall rules reviews and proper firewall management is something that you get audited on.
So when you're deploying a new rule you want to make sure it's not compromising another rule. So if you've got a rule locking down a Web server on one particular firewall and then you deploy another rule which happens to open that Web server up through a different IP address or a different network or VPN connection, you then need to check that and make sure that’s something you're comfortable with, or something you want to stop because you could potentially undo protection you put in place elsewhere.
You should always have new rules being authorized, so whoever is requesting the rule should state why they need the rule open, and potentially how long they need it open for, and that can feed into the rules review process where you're going through looking at people who have requested rules, or applications that have requested rules and whether they need to be removed or changed.
And when a rule is no longer required it should be removed as soon as possible. If you've got a rule that's opening services into your network and it's not needed to be there you've basically got a hole into your network that you could close. And you should really be following a proper change management process when you deploy firewall configuration and your rules into the network. That just ensures that you're following this process and you're checking that they're not compromising, you're checking that they're authorized, you're deploying them in a consistent way, they're properly named, they've been recorded somewhere.
And another big area is VPN connections. So VPN connections will generally open your internal network up to an external network, or to an external client. So you should ensure that they're properly locked down, that they're properly authorized. You can put in place firewall rules between your network and VPN connections so that if you've got, for example, an external organization you work with and need to VPN into your systems, they've only got access to the VLAN or the networks those systems run on and the traffic between your network and that VPN connection is properly secured with the proper firewalls in place.
Potentially using things like gateway antivirus on there, or at the very least having rule sets so that only the ports and services that need to be accessed can be accessed. You should be removing VPNs when they're no longer in place- if that organization you don't work with any more, part of stopping to work with that organization, or if an employee leaves, should be looking to remove their VPN access into your network, and that should be part of your supplier policy management, new supplier processes, or part of your leavers process.
And then you should have a strong approval process for the creation of new VPNs. So they need to be requested properly. If they're part of a joiners process, someone needs to approve that and there needs to be a reason why that user needs VPN access into your network.
And deploying things like two-factor authentication or multifactor authentication onto the actual connection of those VPNs it is generally a good idea because it removes the reliance on just the username and password.
This is another crucial part of maintaining a secure environment, as well as the management. The ability to monitor firewalls allows you to basically see any potential intrusion attempts before they happen. You get real-time visibility of attacks, traffic patterns, you can see blocked intrusion attempts and that really gives you an early warning as to what's going on in your network and it really also allows you to see if there is potentially anything that's been left open.
So if you're regularly monitoring your firewall logs and if you're regularly monitoring some of the analytics you can get out through a service like ours, or if our engineers are monitoring it for you, then you might be able to see that and say ‘hang on a minute, we're getting traffic in on this particular policy which is related to a service that we discontinued two weeks ago- we need to close that down’. And again, going back to that 2701 piece, doing things like blog reviews on firewalls and being aware of the activity that's going on in your firewalls is another key element that you will be audited on.
With 4D, we include a service called Dimensions, which is basically a full firewall monitoring tool and it does threat analysis, will let you produce PDF reports to be used internally, you get executive summaries on the activity that's going on in your firewalls, so you can really just drill right down into what's happening and what's going on and get a good sense of how well your firewall is running.
Overview of the Dimensions system (as seen in video)
I’ll just switch over to that now so we can show you- here we have the WatchGuard dashboard. So this is called Dimensions and this is a tool that we deploy for every managed firewall we set up. And it really gives our engineers really good visibility on what's going on within your firewall, within your network, and also, you can log into this and run reports at any time and see what's happening with your systems.
So we'll run through this quickly, this is one of our internal firewalls. I don't think there will be anything too sensitive on here, but we won't spent too long. We've got on the main dashboard, top clients, top destinations, top protocols. So you can see who's doing the most talking within your network, where most of that traffic is going to, and what most of that traffic looks like.
You can drill down into these, so you can look at the TCP traffic and within TCP traffic you can see who the top talkers on your network are for TCP connections. And you see we've got one here that's doing about 3 GB of data, and then we've got ‘Destination IP’ over here that's doing not that much.
We've then got some other services through here, so we've got a security dashboard which goes into some of the blocked attempts, and things that the firewall has protected you against. So we've got blocked botnet, blocked clients, blocked destinations and blocked protocols. And we can drill down into some of these and see some detail as to what particular source and destination were being used for that particular blocked traffic.
This is all quite useful just as an overview- maybe review it once a month. It just gives you a highlight as to what activity is going on within your network, and our engineers will be watching this and we get alerts of data in here. It's using pre-set rules so that we can react to events within your network.
We've also got things like threat map where you can see a really nice little map of where most of the attacks and threats to your network are coming from. Quite often from Russian or China, quite high in here, they are a large source of automated scans, botnet attacks and malware attacks. And again, you can drill down into seeing what IP addresses in a country are trying to attack you, what ports and protocols they're using and how many hits there.
And we monitor all this information. We've got some interesting stuff for firewall management with things like policy audit map. We can see the various policies running on the firewall, how many connections are actually using that particular policy, and you can see the way the connection flows through coming in on internal policy, and then getting handled coming in an external interface, getting handled by a policy, and then what happens with it, whether it's allowed through, whether it's denied or whether it goes out on one particular network. And you can drill down into some of those as well and see individual connections that are matching to particular interfaces or to particular policies.
We've also got FireWatch which is a nice graphical representation of the traffic that is running through your network. A large square is being shown as large amounts of traffic, large amounts of connections, and smaller squares for smaller amounts. And you can run through this on source destination protocols applications that are in use, domains that you're trying to talk to.
And then just to round us off, log manager- this is again really good for meeting some of your audit requirements. This is where we log events that are occurring on your firewall, you'll be able to see what happened with the policy, what interface it came in on, what the destinations were, what the ports were and what protocols were in use. Plus, you can drill down into things like diagnostic events, various statistics for traffic and other bits and pieces running on the firewall.
So that's really an overview of the Dimension system- you get access to that and it's one of the elements that our network engineers and security people use for managing the systems.
Webinar poll results:
How much knowledge does your networking/IT team have about the function of firewalls?
How regularly do you review your office firewall configuration?
Looking at our poll results of how regularly you view your office firewall connections, it looks pretty even between ‘every year’ and ‘monthly’. Monthly is pretty good. For those saying, ‘Every year’ you might want to look at it a bit more often, but certainly it's better than not doing it at all.
What 4D offers on managed firewalls
We're based on the WatchGuard next-generation firewall technology. As part of that you get the full Total Security suite, so that's intrusion prevention and detection, antivirus, anti-malware and web blocker with your own content filtering application layer controls. The AV has some machine learning built into it which they call ‘AI’ – this is machine learning.
For zero-day malware protection, that will be looking at threat profiles which have occurred across other Watchguard devices, and then updating the signatures to make sure you're protected against those threats. And it also offers DNS protection so you don't get DNS hijack attacks.
The firewall is fully managed by 4D network and security teams- we do 24/7 firewall monitoring, so part of that is through Dimensions, part of that is through some of our other tools such as OpsView. You get full traffic visibility through Dimensions, we give you log reporting and threat identification. We'll put together reports for you if needed on activity on the firewall and you can go through and look at that any time you need as well.
We'll handle rule changes to ensure that they are implemented in a consistent way and they'll be implemented by our engineers on the network and security teams. Rules will be logged, being done through tickets going through a change and control process and we'll make sure that everything is properly managed and monitored.
And then you get support from 4D engineers- so that will be diagnosing issues with your traffic, suspicious activity on your network, looking at your firewall configuration, how you're looking to deploy applications and working with you to come up the best security profile we can put together for you.
What do you think is going to be the biggest challenge in cyber security over the next 12 to 18 months?
It's a good question. I think we'll probably see more sophisticated attacks coming out. I think we probably haven't seen the end of things like the large database compromises for things like Experian and Capital One that happened recently.
There will probably be an increase in insecure cloud resources, where things like S3 buckets left password unprotected. Insecure S3 buckets and that kind of thing are going to be quite a big threat. There is a lot of data held in publicly accessible S3 buckets and Azure Blobs that haven't been properly secured and they're quite easy to publicly scan.
And also ’live off the land’ style attacks, where attacks are hidden within legitimate processes. So things like Powershell scripts that have got malicious code written into them are quite a good way for an attacker to stay within a system and be undetected for a long period of time. So I think we'll probably see an increase in those. I expect we haven't seen the last of large data breaches.
Can your devices scan encrypted traffic? I.e. man in the middle?
We can do scanning of encrypted traffic, that's more on our DDoS service, but it's possible on the firewalls as well. And it would require you to load your encryption keys or your SSL certificates onto the device so that it can decrypt that packet and see what's inside the payload information, otherwise it would just literally be a case of looking at the headers, and you'd be able to block it on whatever information is available in the header. If you wanted more of that deep packet inspection, antivirus, anti-malware stuff, you need to have the keys loaded onto the device so that when the device receives the traffic, it can decrypt it, do a proper inspection of the payload, re-encrypt it and then deliver it to your particular server or end-user.
Do firewalls bring about a reduction in ransomware threats?
They should do if they're properly configured and you've got the proper security services deployed. Ransomware is typically delivered through things like a file that is downloaded maliciously off a website that's posing to be a legitimate website. Or someone receiving an email with some sort of attachment in it that they then open and run, or maybe a compromised Word or Excel file with some macros in it. And they're all things that the next-generation firewall, with application protection in it, can protect against.
On the Dimensions system you can look at the blocked antivirus threats and you can see which viruses and what bits of malware have been blocked through the firewall before they even get to your network and if you combine that with content filtering, web proxying, you can block access to known ransomware and malware sites, so that if you accidentally clicked on a link or if your server is trying to access that particular domain it gets blocked at the firewall level, it can't actually get there to download it. Similarly with access to command and control servers. So if you do happen to have some ransomware that's made it through onto your systems, you hopefully block the connection out of command and control so that that ransomware can't be controlled remotely. And then also your endpoint antivirus then has a chance to pick it up as well. But they certainly do help with bringing in a reduction.
Do you think cloud-based applications will be more secure or more vulnerable than in-house hosted servers?
That's a debate. That really comes down to how well you configure them, so an insecure cloud application or a poorly configured cloud application is not going to be as secure as a properly configured in-house hosted server. You do have the advantage with maybe something like a CRM such as Salesforce- that is all they do so they should be properly configuring and securing their backend, but that still doesn't prevent a user from using an insecure password for the administrator, or opening an API and not properly securing it. So it comes down a lot to how well you configure it.
I would say that if you have a hosted server that you run and control, again, as long as you properly configured and secured it, there's no reason that it won't be secure. But you have the advantage that you know how that config is done on the back end, you know how it's deployed and you know how it's set up, whereas maybe with some of the cloud services you have a lot more trust that they have actually done that the way that they said they have done it and not made mistakes.
So I think to answer your question without really answering it, they're both as secure as each other depending upon if you deploy them properly. If you don't have the skills in-house to properly deploy an application and secure it, on balance, a cloud-hosted application is probably going to be a bit more secure, as long as you do things like two-factor authentication and strong passwords. But if you do have the skills, a properly deployed in-house application that's well-managed will also be secure. You're also probably less of a target than say Salesforce or Azure on Amazon, as people are constantly trying to get into them. If you're a smaller organization, it’s less likely you will be the subject of a target, where you might be compromised because someone else is compromised.
What else does 4D offer?
Some of the other stuff we do is colocation out of Gatwick and Byfleet, so we do that up to 21 kilowatts in Gatwick. We do public cloud which is based on KBM and OnApp, and that's again split across Byfleet and Gatwick. And we also do managed private clouds, which are Hyper-V based, and various network services. So we're offering transit DDoS protection and the cyber security range of products."
To get more information about managed firewalls, or any of the above, you can get in touch with our experts.