Enhancing the Firewall
CYBERATTACKS GROW MORE DIFFICULT TO DEFEAT EACH YEAR. Using multifaceted, sometimes highly tailored methods, attackers can frequently enter networks undetected. Operation Aurora, for example, penetrated Google and more than 100 other organizations. Earlier this year, a botnet named Kneber was discovered and said to have affected more than 75,000 machines in approximately 2,500 global organizations.
These attacks show how inadequate traditional defenses are. Makers of protective systems are working hard to remedy the situation.
One approach is to make firewalls, which have traditionally focused on port and protocol traffic, more centered on application-layer protection. That addresses the problem with protecting ports, which is that many malicious programs and applications can mask themselves within regular network traffic, says John Pescatore, a Gartner Research vice president. They can hide within encryption or hop among multiple ports. Application-layer protection uses technology, including decryption, application signatures, and heuristic analysis, to analyze “packets” within applications.
Newer firewalls are also offering numerous security features, such as intrusion prevention systems (IPS), Web surfing policy management, and network traffic shaping, in a single device. One vendor that has been at the forefront of such developments is Palo Alto Networks (PA), founded in 2007. The company has been “market-leading,” says Pescatore. Competing vendors have been quickly following suit, “forced to change road maps and sell defensively.”
Two organizations implementing PA’s technology include Texas A&M University at Galveston and Philadelphia-based Peirce College.
Universities face some unique security challenges, says John Kovacevich, systems analyst at Texas A&M University at Galveston. Many have a large number of computers and other devices accessing the network, and that can be especially challenging for security staff to control. Another challenge is that people connect from so many kinds of machines from inside and outside of the network, he says.
Before the upgrade, the university had a firewall and an intrusion prevention system (IPS), Kovacevich says. These systems would generate alerts about possible attacks, he says, but many were hard to verify. Neither system provided a strong audit trail of what had happened. Kovacevich needed a way to better monitor and respond to network threats.
The university’s primary immediate reason for needing a new device at the edge of its network was a pending increase in network capacity, which was approximately doubling to 1 gigabyte per second. Kovacevich was mainly interested in a traffic-management device (called traffic-shaping), he says. This device could be used to limit bandwidth usage and prioritize applications, such as video conferencing, he says.
The choice. Kovacevich started his search looking mainly at traffic-shaping devices. Many seemed expensive, he says. He then considered replacing the existing firewall with one from PA, which seemed to have strong traffic-shaping functionality. PA also offered application-layer protection and additional security features.
Moreover, the device appeared user-friendly and an overall “great value.” Its broad functionality, more than its firewall, was what made it attractive.
PA provided Kovacevich with a demonstration device, which he placed on one part of the university network that was the connection point for the library. He then ran the device in passive mode; the firewall logged but did not block traffic. Kovacevich was impressed with the device’s potential for helping the university control bandwidth, prioritize application traffic, and detect many types of threats. He agreed to purchase a PA-2050 firewall from Palo Alto.
Implementation. Device implementation was relatively easy, given Kovacevich’s experience with the device in the passive test phase. In addition, PA provided good technical support.
A first step was telling PA how many virtual local area networks (VLANS), or network segments, the university wanted to monitor. Kovacevich decided he wanted to separately monitor each residence hall in addition to the network as a whole.
The PA firewall he purchased came with 20 interfaces. Each hall would use two interfaces, one to monitor and control incoming traffic and another to do so for outgoing traffic. This set up would let Kovacevich “double filter” residence hall and network traffic, he says. He did not feel university-owned computers needed such protection, as they could be secured and controlled through a variety of other means.
Each interface was assigned an IP address, Kovacevich says. He could then bring up individual Web pages to set each interface’s controls. Tabs across the top of each page could be clicked on to set preferences in areas such as bandwidth allotment, application prioritization, and security controls.
Kovacevich turned on many of PA’s basic protection features, which could alert administrators to threats ranging from viruses to denial-of-service attacks to suspicious traffic behavior. He also chose to turn on some of the more granular protections provided, including monitoring traffic and having the system set to send an alert if it detected an unusually large number of transmitted credit card numbers. “We’re not an e-commerce company, so that would raise a red flag,” he explains.
Users can also adjust system sensitivity, helping control when suspicious activity might simply trigger an alert and when it might also automatically block the traffic.
Threat protection rules were fairly uniform among both the residential halls and the overall network, Kovacevich says. The main differences concerned bandwidth allotment. He has provided the halls with about one-third as much incoming and outgoing network capacity as the rest of the network. The system also allowed the university to rank categories of applications, which Kovacevich did, placing programs such as video conferencing first in line when competing against other kinds of traffic.
Device management. Kovacevich says he particularly likes the way the system presents and aggregates data. The main, Web-based screen, called Panorama by the vendor, provides summary data including the top five current cyber threats to the network. An overall threat level, from 1 to 5, is also presented. For a while, Kovacevich used a projector to display the main screen on a data center wall.
The main page also provides a longer list of attacks that have been blocked. Administrators can click on individual attacks and see a description of their danger level. Information, including the threat’s originating and destination IP address, is presented. Recently, for example, the screen showed how a botnet, called Mariposa, had been repeatedly blocked when attempting to access parts of the network.
When an attack is blocked, or suspicious activity is detected, the system produces an alert. Most of the time, the system runs independently, Kovacevich says. At other times, IT staff take action. Sometimes one server or computer might make unusual connections to another machine in or outside of the network, for example, which can sometimes indicate a virus or botnet infection, he says.
Depending on the activity noticed, Kovacevich might look at network logs for patterns. He might look to see whether the source of traffic is trusted, for example. Using the system’s search functionality, he can glean more information about the frequency and direction of communications between machines.
Sometimes Kovacevich temporarily blocks an IP address. He may then examine and possibly try to clean a potentially infected computer or server. On some occasions, he has provided the helpdesk with a list of potentially infected student computers. Staff will then seek out the owners and offer to clean the device of any infections. IT staff cleaned a particularly high number of machines that were infected from the widely spread Conficker worm. The IT department typically sees the most infected computers in the fall semester when students first arrive. As the year progresses, the situation improves.
Kovacevich says the university has been able to detect more suspicious behavior with the device. He can also understand and investigate possible threats more quickly.
The system’s ability to handle and prioritize bandwidth has also been impressive, he says. The system has “really good” throughput, and the IT department has yet to receive a complaint on Internet speed.
Farther ahead. Kovacevich is in the early stages of integrating different university directories with the firewall. PA says it integrates with Active Directory and many other common identity management platforms. The goal, says Kovacevich, is to unify access to any part of the network, from e-mail to other systems, with a single user name and password. He hopes it will improve network access tracking and simplify the network access permissions process.
Though the PA device is considered a firewall, Kovacevich has yet to implement the firewall functionality. “I’m pretty used to the old one, which works pretty well,” he says, but the firewall will likely be implemented “in the near future.”
Peirce College, located in Philadelphia, is a private four-year institution whose student body is mostly adults already in the business world. It offers online classes and also has a campus with state-of-the-art computer labs. One thing that was not state-of-the-art, however, was the firewall, which had reached the end of its useful life, says Chris Duffy, CIO.
Before it was upgraded, the existing firewall, combined with a standalone intrusion protection system (IPS), could produce alerts, but they were not accompanied by useful data about the incident. That made it difficult to do further research on suspicious activity.
Even without details, however, it was clear that attacks on the network were becoming more complex and, therefore, more of a threat. Duffy wanted to upgrade to application-layer protection. He knew such protection could be a more cost-effective and responsive way to manage network activity, he says. He also wanted a system that could provide more detailed threat and activity reports, and he was looking for a device that would be easier to manage.
To help find an appropriate product, the college, in mid-2008, hired an outside consulting firm. After some research, the firm suggested three main firewall candidates. Of the three, Duffy says, PA’s interface appeared the most intuitive, and he was impressed with the device’s range of functions. The system that was ultimately selected was a PA-4000 Series firewall, which had strong Internet policy management capabilities.
Duffy and his colleagues had been spending considerable time “policing” Web usage, he says. He and other staff found themselves needing to share reports on inappropriate Web surfing with human resources and other administrators. An outside security service would block sites, but it was unable to keep pace with all the sites that the college’s administration found objectionable.
Implementation. Setting up the firewall was relatively simple, says Duffy. It mainly required transferring rules from the old device and testing new functions. He was impressed with the ease of transition, he says. “It basically involved checking boxes and hitting a radio button” in a Web-based console. Setting up the Web policy function was simple as well, he says, also involving checking boxes in order to classify certain types of Web sites.
Superior monitoring. The new Web surfing policy management is a dramatic improvement, he says.
Duffy says he knew a major change had occurred when, shortly after implementation, he and a colleague conducted a test, typing the word “porn” into Google. They could click on any result, he says, and a message would pop up warning surfers that they could be violating Internet policy. It also told them to contact the helpdesk with any questions or if they felt the site should be made accessible.
The IT department could also see such alerts and simply block sites when required. In cases where a site needs to be accessed, says Duffy, he can use the new software to open it “in a matter of minutes.” He no longer has to be the one who gives bad news about employee behavior to human resources, because the behavior is prevented.
In addition to any general policy reasons for not wanting those sites accessed via the college network and computers, keeping students away from inappropriate sites also helps computers and the network stay free of malware and other threats, Duffy says.
Data. Since installing PA’s firewall and integrated IPS, Duffy says his department has gained far greater and timelier data about threats. He can see many attacks in real-time, he says, and quickly mitigate certain risks by, for example, blocking a range of IP addresses “in seconds.”
The system’s best attribute may be its manageability, according to Duffy. “It’s intuitive and quick to ramp up,” he says.
Duffy says that his goal was to make the new firewall part of a routine. “If you have a firewall that’s difficult to use and requires a lot of care and feeding, it could take away resources that could be more valuable elsewhere,” he notes.
Duffy’s only complaint is that the system could improve the reports it provides. The vendor says it offers more than 30 pre-defined reports. But many could be more in-depth and user-friendly, he says.
“Hypothetically, Chris Duffy may be doing some Web browsing, and management might like to know what he’s doing,” he says. But the reports can make it difficult to gain such details, he says.
Instead of allowing an IT administrator to view a report and click on links to bring up a Web page, for example, the system requires that staff cut and paste individual Web addresses into a new browser.
While this product from PA is one of the newer kids on the block in terms of competing firewalls, Gartner finds that many clients have reported positive experiences, as was the case with these two institutions. Whether it’s a firewall from this provider or another, however, the clear trend is for organizations to demand more security features integrated into their perimeter defense application.
John Wagley is an associate editor at Security Management.