For Security to Succeed We Need More Silo-busting




In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all of the various constituents of IT to work more closely together. As such, I’m always happy to hear about a company’s efforts at silo-busting. So when I saw Javvid Malik’s report on FireMon’s new Policy Optimizer and its ability to bust down silos, I’ll admit it brought a smile to my face.

Malik’s report talks about Policy Optimizer breaking down existing silos across different sectors of IT in determining which firewall rules are out of date, no longer necessary or even security risks. Much of this silo-busting is accomplished via automation. Again, this is music to a DevOps advocate’s ears.

Why is all of this silo-busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less. A more detailed answer is that in a world:

  • where changes – including changes to code – happen multiple times a day,
  • where “web-scale IT” measures servers and instances in the tens of thousands,
  • where security must keep up or be left behind,
  • where automation and working closely with developers, operations and QA is no longer an option but a necessity,

Breaking down silos is a key ingredient in success.

I’ve been hearing that we need security to be “built in, not bolted on” almost since I first became involved in the security industry over 15 years ago; that security needs a seat at the IT table. Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows the business to move forward with the velocity it needs.

Now, before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the silos involved. We need developers to have a greater sense of ownership when developing secure applications. Just thinking about firewalls for a second, it would be great if developers gave some thought, when building an application, to who will require access, when, and what types of access they will need. Giving developers a say in setting firewall rules, for instance, makes sense.

Beyond the development team, how about working more closely with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo from the security team, and the two thereby seem to work at loggerheads.

Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer. They give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made and giving Ops input into the process is how you get buy-in, and how you really break down silos. Most importantly, it is how we can tangibly change our security posture for the better.

For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working. We need new, more effective solutions. These solutions have to take into account the new way of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.

For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when, instead of having a standalone security team, everyone in the IT department is part of the security team. I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.

As editor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.

Gartner Guidance: No Farewell to Firewalls




Every so often someone in our fair industry suggests that the long-tenured presence of the firewall is no longer a necessity – typically based on the emergence of some new solution, or the notion that this most mature of network defenses is no longer sufficiently capable.

However, if you listen to the experts – in this case leading industry analysts Gartner – such observations are clearly misguided, at best. At the firm’s recent industry convocation in Washington – the annual Gartner Security & Risk Management Summit – nearly every session clearly reinforced that firewalls, and more effective management thereof, are just as critical, if not more so, than ever.

From the summit’s opening keynote – which stressed the need for CSOs and other security officials to tie their efforts directly to overriding business initiatives (a core benefit of FireMon’s recently launched Policy Optimizer module) – to breakouts dedicated specifically to network security, the importance of retaining and improving stout firewall defenses was driven home quite emphatically.

Sure, there was the annual “Farewell to Firewalls” presentation in which Gartner’s forward-looking thought leader Dr. Joseph Feiman espoused the need for new applications-centric mechanisms (specifically embedded runtime application self-protection [RASP] capabilities).

But, as artfully advanced by Gartner network security guru Greg Young during the session and ultimately conceded by Feiman himself, even the continued development and adoption of such emerging technologies will require a continued and significant reliance on firewalls.

In other thought leadership-type presentations, in particular longtime Gartner risk expert Neil MacDonald’s session on “Continuous Advanced Threat Protection”, the pressing need for more proactive and context-aware management of network security infrastructure was further hammered home.

MacDonald’s call for “Adaptive Security Architecture” emphasized the need for strategy to shift away from traditional “detection” and “response” methodologies to focus on more “predictive” and “preventative” tactics. These observations absolutely validate FireMon’s own adherence to network security management grounded squarely in real-time, proactive intelligence.

And if all those points weren’t enough to cement the tremendous need for continued maturation of firewalls and other security device infrastructure, one needed to look no further than network security analyst Adam Hils’ overview of inquiries filed by Gartner’s own clients over the first half of 2014.

The hard numbers bear out the reality that firewalls remain of huge import and concern to organizations of all sizes and industries in today’s environment – with a whopping 51 percent of all network security inquiries, over 1500 interactions in total, relating directly to questions regarding firewalls (and less than 10 percent of those focused on so-called next generation firewalls, at that!). The closest contender in terms of volume was calls related to IPS technologies, at only 22 percent.

So, there’s a good deal of evidence that any predictions that firewall solutions are either yesterday’s news or increasingly less strategic are… highly overstated; the Gartner numbers simply don’t lie.

We speak to all these Gartner analysts frequently and they understand precisely how valuable FireMon solutions can be in advancing your organization’s own network security interests. So why take our word for it – give them a call and find out for yourself.

Building The Fire 2014




FireMon celebrated an amazing 2013, as noted in our recent press release. The company also held its Global Sales Kickoff in mid-January, the theme of which was Building the Fire 2014. I thought I would share a couple of observations from the event with our blog readers.

First, the growth of FireMon was phenomenal to see! When I joined the company in August of 2011, I was the 21st employee at FireMon. Having the honor and privilege of being the emcee for the kickoff, I found myself looking out at 103 other FireMon employees on the first morning of kickoff. There was a palpable sense that the company was truly about to explode as our President & CTO Jody Brazil shared the explosive growth numbers that we experienced in 2013. This was reinforced throughout the kickoff as all divisions discussed the growth experienced both in sales, technology enhancements and in employees within each division.

Secondly, the future direction of FireMon was exciting to see. The product roadmap and vision for 2014 was laid out for the company, and the continued focus on real-time, proactive Security Intelligence reinforced FireMon’s market-leading focus on security management and risk analysis. A number of new and exciting technologies and enhancements will be rolling out throughout 2014 within the FireMon Security Platform, and we are excited to share these with you as they come out.

Finally, the amazing culture of fun and teamwork that FireMon has built over the years was on display throughout the event. The FireMon Band, G Fish & Special Sauce, made their debut performance on the first night of the kickoff. The diverse talents of employees from Sales, Development and Executive Management were on display, accompanied by sing-alongs and dancing from the entire company. A small sampling of the band is below:

The second night featured phenomenal food and fellowship while enjoying two Kansas City landmarks as the team dined on the world famous Fiorella’s Jack Stack BBQ at Boulevard Brewing Company.

FireMon is on a phenomenal growth curve. We entered 2014 with 56 open positions around the world. While we have filled a number of them, there are still openings available. If you would like to be a part of a fun, dynamic, winning culture on the cutting edge of Security Intelligence, we invite you to join us as we Build The Fire in 2014.


Prevent IP Address Spoofing





“Things are not always what they seem; the first appearance deceives many”. Phaedrus.

IP Address Spoofing is sometimes referred to as IP Address Forgery, and as the name suggests it is a technique commonly used by attackers to perform malicious activities such as Man in the Middle (MiTM), Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It is generally used to maintain anonymity and cause havoc on the Internet.

To understand what IP Address Spoofing is and how it is used, we first need an appreciation of the underlying protocols that open the door to manipulation: essentially IP, TCP and UDP, and the ability to manipulate the packet header information (the source address field).

Current State and Attacks

In an age of botnets, where an attacker has a layer of abstraction behind a command and control server, some people think that IP Address Spoofing is no longer an issue. In fact the reality is the opposite: IP Address Spoofing remains a real problem to defend against. In some cases IP Address Spoofing is necessary for an attack’s success, where it provides an additional layer of anonymity and protection for a botnet (see DNS DDoS Amplification Attack).

It is this inherent ability to manipulate a packet’s header in the protocol stack that makes malicious attacks such as the following possible:

MiTM – Where a malicious user intercepts a legitimate communication between two parties. The injected, malicious host then controls the transmission flow and can eliminate or alter the information within the data stream without the knowledge of the original sender or recipient. In this scenario, the attacker fools the victim into disclosing confidential information by “spoofing” the original sender’s address / identity.

DoS / DDoS – Since some malicious users are only concerned with consuming resources and bandwidth, they attempt to “flood” the victim network with large volumes of traffic to consume system resources. In order to maintain the effectiveness of the attack, the attacker will “spoof” the source IP addresses to make stopping and tracing of the attack as difficult as possible. This is amplified when multiple compromised hosts all have “spoofed” addresses and are participating in the attack.

Defence Mechanisms

What can you do to defend against IP Address Spoofing attacks?

Firstly, ensure that your firewall and routers are configured correctly and restrict the advance of forged traffic from the Internet. For many years now firewall vendors have included a configurable anti-spoofing defence mechanism to block the use of private (RFC 1918) addresses on the external interface. In addition, the external (Internet-facing) interface should not accept any packet whose source address lies in your internal network range. You should also block outbound packets whose source addresses fall outside your valid public network range, which will prevent any of your neighbours from sending spoofed traffic to the Internet.

As an example, suppose the attacker sits within the 203.42.5.0/24 network range, which is provided Internet connectivity by ISP D. An input traffic filter on the ingress link of router 2 (which provides Internet connectivity to the attacker’s network) allows only traffic that originates from source addresses within the 203.42.5.0/24 network prefix, and so prohibits the attacker from using any “invalid” source addresses that lie outside that prefix.

A second preventative mechanism is to implement authentication and encryption to reduce the likelihood of threat. IPv6 implements both of these features.
[Figure: ISP router example]
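The two controls described above (the ISP-side ingress filter on router 2 and the perimeter firewall’s anti-spoofing checks) as an added Python example; this is not code from the original post or from FireMon’s products. The 203.42.5.0/24 prefix is the article’s; the sample packets are constructed, and the firewall’s outbound check is assumed to run on the packet as it leaves the external interface (after any NAT).

```python
import ipaddress
from dataclasses import dataclass

# Topology from the article's example: the customer prefix 203.42.5.0/24 reaches
# the Internet through "router 2" at ISP D. The RFC 1918 ranges are the real ones;
# the sample packets further down are constructed for this demo.
CUSTOMER_PREFIX = ipaddress.ip_network("203.42.5.0/24")
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "inbound": arriving from the Internet; "outbound": leaving (post-NAT)


def router2_ingress_filter(pkt):
    """ISP-side input filter on the link facing the customer (BCP 38 style):
    admit a packet only if its source lies within the customer's own prefix."""
    return ipaddress.ip_address(pkt.src) in CUSTOMER_PREFIX


def firewall_antispoof(pkt, public_prefix=CUSTOMER_PREFIX):
    """Perimeter-firewall anti-spoofing checks from the article. Returns (verdict,
    reason); 'accept' means only that the packet passed the spoofing checks and
    continues on to the normal rule base."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "inbound":
        # 1) RFC 1918 sources never arrive legitimately on the external interface.
        if any(src in net for net in RFC1918):
            return ("drop", "private source on external interface")
        # 2) Our own public range cannot legitimately be the source of Internet traffic.
        if src in public_prefix:
            return ("drop", "own public range as source on external interface")
        return ("accept", "")
    # Outbound (egress filtering): hosts inside must not emit packets whose source
    # is outside our valid public range, so nobody here can spoof toward the Internet.
    if src not in public_prefix:
        return ("drop", "egress source outside valid public range")
    return ("accept", "")


def summarize(packets):
    """Count firewall verdicts by reason ('accept' for packets that passed)."""
    counts = {}
    for p in packets:
        verdict, reason = firewall_antispoof(p)
        key = reason if verdict == "drop" else "accept"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic; 198.51.100.0/24 is a documentation range standing in
# for "the rest of the Internet".
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "203.42.5.20", "inbound"),          # private source from outside
    Packet("203.42.5.4", "203.42.5.20", "inbound"),        # our own range as source
    Packet("198.51.100.7", "203.42.5.20", "inbound"),      # legitimate inbound
    Packet("203.42.5.9", "198.51.100.7", "outbound"),      # legitimate outbound
    Packet("198.51.100.200", "198.51.100.7", "outbound"),  # spoofed egress source
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.direction, p.src, "->", firewall_antispoof(p))
    print(summarize(SAMPLE_PACKETS))
```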
How can FireMon Help?

IP Address Spoofing is a difficult problem, since the inherent weakness lies in the design of the protocol suite. However, understanding how and why one would use a spoofing attack can greatly increase your chances of successfully defending against one. Using Security Manager, FireMon provides the ability to perform a regular assessment of your firewall and its configuration against best-of-breed configuration practices. Security Manager includes a number of pre-built compliance reports that will save your security administrators valuable time and effort and help your organisation quickly find misconfigurations, the implementation of risky services and unused rules that could expose your network to attack.

A quick glance at the Firewall Configuration Best Practices report can provide your security managers with the detailed information needed to appropriately manage your organisation’s security on a regular basis.

Dashboard Review

Each configuration check that Security Manager is able to perform can be drilled into by clicking the item to show more detail.

Configuration Checks

Don’t be fooled by a masquerading IP; contact a FireMon representative today for a demonstration of Security Manager and how we can help your organisation prevent your systems from being spoofed.

For Seahawks, Super Bowl Hinges on Predictive Defense




For Seattle Seahawks Cornerback Richard Sherman and his defensive teammates, stopping Quarterback Peyton Manning and the vaunted Denver Broncos offense will clearly be the deciding factor if they are to win Super Bowl XLVIII on Sunday.


Not to discredit Seattle Quarterback Russell Wilson and the Seahawks’ offense, or to dismiss Denver Cornerback Champ Bailey and the Broncos’ defense, but even the casual observer has to assume that the game will likely come down to the matchup between Manning, Sherman et al.

After all, Manning, a first ballot Hall of Fame quarterback in his own right, has led an offensive assault that achieved nothing less than breaking the NFL single season scoring record. Across the field, it has been the Seattle defense, led by shutdown corner Sherman, which has carried Seattle into the NFL season finale.

How can Seattle hope to achieve such a task? One can easily compare the challenge facing the Seahawks’ defenders to the grueling task tackled each day by enterprise IT practitioners in attempting to stop today’s avalanche of malware threats.

To break it down, Seattle’s coaching staff and players can enlist a few basic tactics in trying to stave off the Broncos’ offensive onslaught including:

• Reviewing game tape to isolate and prepare for Denver’s tendencies.
• Creating an innovative game plan to deter the Broncos’ offense.
• Reading and reacting during the game as effectively as they can.

The same can be said of enterprise security and IT risk management experts in attempting to stave off attacks via methods including:

• Reviewing network security controls to isolate potential weaknesses.
• Creating an innovative security/risk management strategy to deter attacks.
• Monitoring and best responding to current conditions and threats.

To create the strongest likelihood of success, NFL teams invest massive resources in the best available players, coaches and multimedia equipment – even computer modelling applications that model all possible conditions (think “Moneyball”).

Enterprise organizations similarly recruit leading IT security management and operational pros, and certainly invest as much if not more than their NFL counterparts on solutions aimed at best preparing against any potential attacks.

Yet, much as even the most efficient NFL defenses can be vanquished, today’s headlines still carry news of massive security failures such as the recent Target breach.

So what cutting-edge cyber-security Moneyball sabermetrics can today’s enterprises employ to try to outwit and outlast the league of threats they face?

As our President and Founder Jody Brazil highlighted in his blog reviewing the Target breach and attack escalation, the FireMon Security Manager platform represents a totally unique and unparalleled capability to maintain visibility into the current state of network defenses to stop today’s real-world malware campaigns.

In addition to providing critical, real-time game film to understand and improve potential gaps in defense, Security Manager also identifies all the possible “attack paths” available across the network and surfaces the real-world exposure of any underlying vulnerabilities, as well as automating security policy management.

Consider that no NFL defense will always make the first tackle or defend every pass before it’s caught; plays must be stopped downfield more often than not.

Likewise, coaches must drill players on how to react once a play has breached the defensive line; small gains must be prevented from becoming big plays.

And, before the ball is ever snapped, coaches must align players in the most strategic formations possible, constantly adjusting alignment to address offensive maneuvers.

At the end of the day, whether you’re Seahawks’ Head Coach Pete Carroll or one of today’s enterprise IT security practitioners you have to prepare as relentlessly as possible and best configure your defense to make the big plays on game day.

Much like Peyton and his orange-clad teammates, today’s attackers are hungry for their next big score.

Play to win; take a closer look at FireMon Security Manager platform today, and upgrade network security and IT risk management to Super Bowl level.

Identify and Remove Redundant and Hidden Rules




Firewall policies are complex. The networks they are implemented to protect are complex. The last thing you need to deal with is extra, unnecessary complexity. Redundant rules are exactly that. They obscure the rules that are actually needed to control traffic through the firewall. Redundant rules represent a tremendous opportunity to clean up a firewall policy, because removing them is guaranteed to have no impact on the behavior of the firewall policy, while improving both the performance of the firewall and the productivity of the administrators responsible for managing the firewall policy.

What is a Redundant Rule?

Firewall policies are comprised of a list of rules that are processed in order. When a data packet arrives at the firewall, the firewall attempts to match it to a rule in the policy. Once a rule is matched, the packet is processed according to the defined action, such as dropping or passing the data. Since the packet will never be evaluated by any rule lower than the matched rule, any rule defined lower in the policy that would match this same packet is redundant.

However, since many rules define access for more than a single source IP, single destination IP and single service, there are varying degrees of redundancy. Portions of one rule may be redundant to portions of another rule. While these present an opportunity for refinement as well, we will focus on the rules that are completely redundant. A completely redundant rule can be removed outright. A partially redundant rule may require modification, or may even require the creation of additional rules, to properly remove the redundancy without affecting behavior. These additional intricacies will be addressed in another post.

Let’s take a look at some example redundant rules that can be easily remedied:

  • Identically Redundant: This first example is an identical rule that is clearly redundant. All matching columns are identical. While the comments are different, the rule number and comments do not affect the behavior of the firewall’s matching. In this case, the second rule, rule 18, can be removed without affecting the firewall’s behavior.
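The complete-redundancy check described above, as an added Python example that is not part of the original post or of FireMon’s products: it scans an ordered, first-match-wins policy (a constructed sample whose rule 18 mirrors the post’s identical-rule case) and reports every rule fully matched by an earlier one, separating same-action redundancy from action-conflict hiding.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    sources: frozenset       # ipaddress networks matched as source
    destinations: frozenset  # ipaddress networks matched as destination
    services: frozenset      # e.g. "tcp/443"; the literal "any" matches every service
    action: str              # "accept" or "drop"
    comment: str = ""


def nets(*cidrs):
    return frozenset(ipaddress.ip_network(c) for c in cidrs)


def covered(later_nets, earlier_nets):
    """Every network in later_nets lies inside some single network of earlier_nets."""
    return all(any(a.version == b.version and a.subnet_of(b) for b in earlier_nets)
               for a in later_nets)


def fully_matched_by(later, earlier):
    """True when every packet that would hit `later` is already matched by `earlier`."""
    services_ok = "any" in earlier.services or later.services <= earlier.services
    return (covered(later.sources, earlier.sources)
            and covered(later.destinations, earlier.destinations)
            and services_ok)


def find_redundant(policy):
    """For each rule, find the first earlier rule that fully matches it.
    Same action -> "redundant": safe to delete, behaviour cannot change.
    Different action -> "hidden": the rule never fires either, but its intent
    conflicts with the earlier rule, so it deserves review rather than blind removal.
    Partial overlaps, and coverage spread across several earlier rules, are not
    reported; those need rule modification, as the post notes, not plain removal."""
    findings = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if fully_matched_by(later, earlier):
                kind = "redundant" if later.action == earlier.action else "hidden"
                findings.append((later.number, earlier.number, kind))
                break
    return findings


# Constructed sample policy (not from the article), in processing order. Rule 18
# is identical to rule 17 apart from its comment, the post's first example.
SAMPLE_POLICY = [
    Rule(10, nets("10.1.0.0/16"), nets("192.0.2.0/24"), frozenset({"tcp/80"}), "accept"),
    Rule(17, nets("10.1.0.0/16", "10.2.0.0/16"), nets("192.0.2.10/32"),
         frozenset({"tcp/443"}), "accept", "Web access for office subnets"),
    Rule(18, nets("10.1.0.0/16", "10.2.0.0/16"), nets("192.0.2.10/32"),
         frozenset({"tcp/443"}), "accept", "Added during migration"),
    Rule(19, nets("10.2.5.0/24"), nets("192.0.2.10/32"),
         frozenset({"tcp/443"}), "drop", "Block the lab subnet"),
    Rule(20, nets("10.1.0.0/16"), nets("192.0.2.0/24"),
         frozenset({"tcp/80", "tcp/443"}), "accept"),
]

if __name__ == "__main__":
    for later, earlier, kind in find_redundant(SAMPLE_POLICY):
        print(f"rule {later} is {kind}: fully matched by earlier rule {earlier}")
```

Rule 20 is deliberately left in the sample: rule 10 covers its web traffic only for port 80 and rule 17 only for one host, so neither alone makes it redundant.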