Whalebone blog

Why Just Having a Firewall Is Not Enough | Whalebone

Written by Whalebone | 22.6.2022 7:39:00

Everyone has heard about firewalls, and most organizations have them. Funnily enough, some do even while not knowing they have one (since some basic firewall functionality can be a part of the switch they use). They are used to block undesired and potentially malicious network communication. When it comes to network-borne threats, firewalls are the first line of defense. They are efficient, and are a must for any company with a network infrastructure, if they want it to remain in their control.

 

A question offers itself – if everyone has a firewall, how come the networks are still getting compromised? To answer this question, we need to have at least some high-level understanding of how firewalls work. Picture, if you will, a cinema. In order to get to see a movie, you need to have a ticket. You come to the ticket agent – if you have the ticket, great, you can go and watch the movie. No ticket? Tough luck, especially if all are sold out already. Back to the technical description, firewalls are based on rules describing the network communication. Firewall administrators define which communication is allowed, and which will be denied, based on checks of IP addresses, ports, and the direction of the traffic (in or out).

The above description is true for stateful packet inspection, but that is not all there is to firewalls (not these days at least). There are two kinds of firewalls, generally speaking – network firewalls, now known as Next Generation Firewalls (where some vendors now use the term Cloud Generation Firewalls), and Web Application Firewalls. NextGen Firewalls are like empowered ticket agents – not only that they will not let you in without a ticket, but they can even kick you out if you misbehave. Think of a night club bouncer – he will let you in with the ticket, but once you start being past the “just in the mood” level of alcohol with your fellow party-goers, he kicks all of you out. Additionally, NextGen Firewalls allow application control (modifying rules based on which application is used) and Intrusion Prevention Systems (IPS) used to block malicious communication.

Let’s look at a few scenarios to see how firewalls generally behave in them.

 

Penetrating the Network’s Premises from Afar

New critical vulnerabilities are disclosed quite regularly. Luckily for us, it does not happen on a daily, not even a monthly basis. When the attacker abuses some critical vulnerability, they can for example, execute console commands on the firewall without having the permission to do so. Once this happens, the attacker owns that network, not the victim, and they can do anything. Of course, not every vulnerability is publicly described. Many hacking groups keep a database of vulnerabilities they discovered, so they can use them when the need arises, knowing that there is nothing that can stop them. Alternatively, they can try to get internal access by tricking the users into visiting an infected website, opening a malicious PDF, or installing malware on their computers. It bypasses the firewall, because the request originates from the internal network and for the firewall everything seems in order. This is generally considered to be the easier way to gain access, and when you read about recent hacks, usually you can see the phrase “Social Engineering” being used in the report.

 

Bypassing the Security by Gaining the Physical Access

In nearly all cases, network security solutions are less restrictive for internal communication. Hackers know this, too, and sometimes the victim is way too attractive of a target to risk paying them an in-person visit. Generally speaking, all firewalls block all communication originating outside of the protected network, so in order to perform a successful network attack (we are not considering any other attacks now for the purpose of simplicity), they somehow have to bypass the firewall. It might be the case that it would be easier to gain physical access to an area from where the attacker can connect to the protected network rather than trying to penetrate its premises. The attacker then turns towards Social Engineering techniques to find more information which they can use and then tries to enter the building hiding the protected network infrastructure. In most cases it is more than enough to get into a conference room, ideally alone, or sometimes even the cafeteria’s Wi-Fi is all it takes (if the network is in a really poor shape). Once the attacker connects to the network, they can establish a remote connection from within (with the help of the DNS tunneling for example) and leave it there and open, allowing undisturbed access inside the network without the risk of being revealed while inside, therefore lowering the risk they undertake by going there personally.

 

A Threat Disguised as a Help

These days many companies support the so-called BYOD policy (bring your own device) where the employees can bring their devices, be it a computer/ laptop or a phone, and connect it to the internal network. These devices often have lower security levels than the rest of the internal infrastructure, and while outside of the protected premises, can access pretty much anything the user wants, increasing the risk of infecting the device. It happens that users bring their already compromised device to work, unknowingly allowing it to spread. The malware is in while all the firewall noticed was that a new device is in the protected network and that it is quite “chatty” and tries to communicate with pretty much all of the other available devices.

Having a firewall which works as a gatekeeper is necessary, but as demonstrated in the above-mentioned scenarios, it is not enough to rely just on the firewall. It does not provide 100 % protection; it has gaps which need to be filled.

How To Fill the Gaps?

With enough time and effort, any network can fall victim to a successful hacking attack. Blocking everything will not cut it, since no one will be able to do anything requiring a network connection effectively. You need to know what happens in your network – visualizing the whole network communication is the key. Nearly all of the network communication is accompanied by DNS protocol which translates domains to IP addresses that are required for computers to know who to contact (think of a phonebook, where you know the name and the phone gives you the number – it is the same with DNS – you know the domain and the DNS resolver knows the IP address). With this approach, you effectively take care of all devices connected to the protected network, even BYOD devices, and block all the malicious communication, making your network secure and filling some of the gaps left by firewalls. With the full visibility down to a single IP address, you know about everything in your network the moment it happens. This allows you to detect and block attacks before they manage to cause any serious damage, saving your organization money, reputation, and your IT team’s sanity.

Firewalls lay the foundation of cybersecurity. Without them, nothing else is relevant, because anyone can just connect to your network and take what they want, but relying purely on them is irresponsible. To make sure that you are protecting all of your devices, even those that you do not have full control over (like BYOD, IoT, IIoT, etc.), you have to include a protective DNS resolver such as Whalebone Peacemaker in your network’s infrastructure.

 

Do you want to complete your security posture and fill the gaps left by traditional security tools?

 

Would you like to learn more about Peacemaker and firewall?