As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.
The Target breach, in which attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network, stands as perhaps the best example, and the problem has been reinforced in a number of high-profile incidents.
This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.
The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights the fact that it is the challenge practitioners face in properly configuring such defenses – not vulnerabilities in those products – that remains so pervasive and troublesome.
As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.
With VPN and webmail services among those affected, the issue revolves around possible credential exposure when Palo Alto Networks customers have improperly configured User-ID to enable WMI probing on external/untrusted zones, resulting in the User-ID agent sending these probes to external/untrusted hosts.
To its credit, Palo Alto quickly posted an advisory and associated best practices guidelines to help organizations address the issue. Vulnerability management specialists Rapid7, which purchased Metasploit five years ago and remains Moore’s employer, also posted an advisory.
By no coincidence, Palo Alto and Rapid7 are among FireMon’s closest technology and business partners. This is because we work with these companies every day to help customers identify and remediate precisely the type of issues highlighted by Moore’s ingenious research.
Network and application vulnerabilities remain a huge problem, as do cutting-edge attacks. However, as illustrated by the Target breach, countless other incidents and the details of Moore’s latest work, erroneous and unseen configuration issues within network security infrastructure remain just as significant a problem and, even better, one that can be rapidly addressed once identified.
The revealed Palo Alto firewall “vulnerability” isn’t a flaw at all but rather an opportunity for risk created by the complexity of firewall configuration and the limited visibility that many practitioners have into how their devices are currently configured, an issue intensified within large enterprises.
These are the very network security management challenges that led to the initial invention and continued advancement of FireMon Security Manager. Working alongside partners including Palo Alto and Rapid7, among many others, we help our customers identify and mitigate such issues.
In response to Moore’s research, FireMon immediately created a new custom audit check within Security Manager that lets organizations analyze their Palo Alto firewalls and verify that user identification lookups are not allowed on public-facing zones.
To be honest, doing so was almost painfully simple, because this is exactly what FireMon was designed to do!
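The kind of check described above can be sketched as follows. This is an added example, not FireMon's audit check or Palo Alto's tooling: it reads a firewall configuration export and reports zones the operator designates as external where User-ID is enabled. The XML layout, the zone names and the `audit_user_id_zones` helper are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS XML configuration export.
# Assumed layout: vsys/entry/zone/entry, with User-ID controlled by
# <enable-user-identification> and scoped by <user-acl><include-list>.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
    <entry name="trust">
      <network><layer3><member>ethernet1/2</member></layer3></network>
      <enable-user-identification>yes</enable-user-identification>
      <user-acl><include-list><member>10.0.0.0/8</member></include-list></user-acl>
    </entry>
    <entry name="untrust">
      <network><layer3><member>ethernet1/1</member></layer3></network>
      <enable-user-identification>yes</enable-user-identification>
    </entry>
    <entry name="dmz">
      <network><layer3><member>ethernet1/3</member></layer3></network>
    </entry>
  </zone>
</entry></vsys></entry></devices></config>
"""

def audit_user_id_zones(config_xml, external_zones):
    """Report external zones with User-ID enabled, plus any named zone not found."""
    root = ET.fromstring(config_xml.strip())
    wanted, seen, findings = set(external_zones), set(), []
    for vsys in root.findall(".//vsys/entry"):
        for zone in vsys.findall("zone/entry"):
            name = zone.get("name")
            if name not in wanted:
                continue
            seen.add(name)
            flag = (zone.findtext("enable-user-identification") or "no").strip()
            if flag != "yes":
                continue
            # An empty include list means User-ID is not limited to known subnets.
            acl = [m.text.strip() for m in
                   zone.findall("user-acl/include-list/member") if m.text]
            findings.append({"vsys": vsys.get("name"), "zone": name,
                             "issue": "user-id-enabled-on-external-zone",
                             "include_list": acl})
    # A zone name that matches nothing must not read as a clean result.
    for name in sorted(wanted - seen):
        findings.append({"vsys": None, "zone": name,
                         "issue": "zone-not-found", "include_list": []})
    return findings

if __name__ == "__main__":
    for finding in audit_user_id_zones(SAMPLE_CONFIG, ["untrust", "dmz", "internet"]):
        print(finding)
```

The list of external zone names is supplied by the operator because zone names are local convention; a name that does not appear in the export is reported rather than silently passing.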
As FireMon has been publicizing for many years, the level of complexity and change affecting configuration of network firewalls remains perhaps the greatest challenge facing network security practitioners.
If you’re concerned that the newly reported Palo Alto issue, or any of the countless configuration challenges affecting every manner of network firewall, may affect your organization, take a closer look at FireMon.
We help customers gain visibility into and control over this very type of problem. It’s what we do. It’s why we’re here. Learn more about our solutions today.