
Beware the Firewall, My Son!
The Jaws That Bite, The Claws That Catch!*

*With apologies to Lewis Carroll

Who Am I?
Michele Chubirka, aka Mrs. Y.
Senior security architect.
Blogs and hosts Healthy Paranoia, the information security podcast channel of Packetpushers.
Researches and pontificates on topics such as security architecture and best practices.

Discussion Points
Firewall State of the Union
Current Design Models
Challenges
Security Vs. Compliance
Recommendations

Beware the proxy server, and shun
The frumious packet filter!

Recent Findings
According to Trustwave's 2012 Global Security Report:
Customer records make up 89% of breached data investigated.
The most common password used by organizations is Password1, because it satisfies the default Microsoft Active Directory complexity setting.
Anti-virus detected less than 12% of malware samples collected during 2011 investigations.
SANS Institute declared the death of AV.

Findings Cont.
Only 16% of compromises were self-detected, and attackers had an average of 173.5 days before detection.

Verizon Data Breach Report 2013

"When you consider the methods used by attackers to gain a foothold in organizations (brute force, stolen creds, phishing, tampering), it's really not all that surprising that none receive the 'highly difficult' rating. Would you fire a guided missile at an unlocked screen door?"

"Three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category."

Verizon Data Breach Report 2013


Figure 42: Percent of breaches that remain undiscovered for months or more, by year (<2008, 2008, 2009, 2010, 2011, 2012); bars range from 41% to 67%.

Figure 43: Percent of breaches discovered external to victim, by year (<2008, 2008, 2009, 2010, 2011, 2012); bars range from 61% to 92%.

Verizon Data Breach Report 2013


Figure 41: Timespan of events. Bars for Compromise (n=180), Exfiltration (n=39), Discovery (n=221) and Containment (n=49), bucketed by Seconds, Minutes, Hours, Days, Weeks, Months and Years, shown Overall and split by Financial, Espionage and Other motives.

High Profile Attacks
Major news media organizations compromised.
DDoS attacks against financial institutions.
Breach of processor Global Payments went undetected for over a year, with 7 million accounts compromised.
Prominent defense contractors penetrated via information stolen from RSA Security.
Do you think they had firewalls?

Why Do We Use Firewalls?
Infosec design best practice.
Because compliance rules and auditors say so.
To protect applications, servers and user systems from attacks.
FUD.

Why Do We Still Use Firewalls?
According to InfoWorld's Roger Grimes, they need to go away:
Most attacks are client-side (HTTP and HTTPS) and bypass the firewall rules.
Network choke-points.
Rules are a mess, often breaking access.
Management is difficult, at best.
More of a problem than a solution.

April Fools' RFC 3514
Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.

April Fools' RFC 3093
We propose the Firewall Enhancement Protocol (FEP). Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.

She took her vorpal sword in hand:
Long time the TCP flow she sought --

Definitions
Defense-in-depth
According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as:
"IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks."

Defense-in-depth is made up of multiple types of controls, not only multiples of the same control.

Definitions Cont.
Firewall
From The Oxford American Dictionary:
"A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent."
A firewall does not prevent a fire.

So rested she by the DMZ,
And stood awhile in thought.

Current Model: The Sandwich

Typical Network Security Segmentation
INET: Public facing, the internet.
CORP: Corporate network, aka the user community.
DATA: Database segment, might be subdivided into PCI and non-PCI.
APP: Application segment, might be subdivided into PCI and non-PCI.
DMZ: Anything requiring public access; web front ends, mail, DNS. Might be subdivided into PCI and non-PCI segments.
MGMT: Management segment providing access between user/corp and production segments.
BKUP: Backup network.

Typical Data Classification
Routine: Information not presenting a risk to the business if it were compromised. Requires the lowest degree of protection.
Confidential: Information not of value to an attacker in itself, but which might provide information that could be useful in an attack.
Business-Critical: Data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised.
Private: Information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. This is the most sensitive information on the network.

What You Really End Up With

And, as in uffish thought she stood,
The firewall, with eyes of flame,

The Challenge
A Network Security team is responsible for managing the technical or logical controls for accessing data.
They are data custodians for the data owners.
The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.

Came whiffling through the Ethernet,
And burbled as it came!

Security Vs. Compliance
Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security.
Compliance is conformance to a standard dictated by a governing body.

Definitions
Compliance: the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.
Security: freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
From The American Heritage Dictionary

Compliance or Security?

Compliance != Security

Venn diagram courtesy of @grecs

One, two! One, two! And through and through
The vorpal blade went snicker-snack!

Information Classification Best Practices
Data represents the digital assets of a company.
Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability.
Data is segmented according to level, then security controls are applied.
An information classification matrix represents the foundation of a security design.
For additional information, see Understanding Data Classification Based On Business and Security Requirements by Rafael Etges and Karen McNeil.

Implementing Good Network Segmentation: Phase One
1. Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team.
2. Verify proactively that this will meet current compliance needs.
3. Document this fully and get sign-off, so that there is an agreed-upon model or standard for all divisions.
4. Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers, and when required for compliance.

Implementing Good Network Segmentation: Phase Two
1. Build a business and service technical catalog, then a full data classification matrix.
2. Develop the next generation of network segmentation based upon the data classification matrix.
3. Document this fully, so that there is an agreed-upon model or standard.
Implementation of phase one will make phase two feasible.
The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.
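What "aligning the segmentation design with the classification matrix" looks like once both exist, as an added example (not the presenter's code): the segments from the Typical Network Security Segmentation slide and the four classification levels are modelled in Python, and a candidate list of permitted flows is audited against two of the talk's rules, default deny between segments and no segment reaching data classified more than one tier above its own without going through the intermediate tier. The pairing of segments to classification levels and the allowed hop list are assumptions made for the example; a real matrix is the output of Phase Two.

```python
"""Checking a segmentation design against a classification matrix.

Added example for this deck (not the presenter's code). It models the
segments from the "Typical Network Security Segmentation" slide and the
four classification levels, then audits a candidate set of permitted
flows for default-deny violations, tier skipping and any-port rules.
"""
from dataclasses import dataclass

# Classification levels from the deck, ordered from least to most sensitive.
LEVELS = ["Routine", "Confidential", "Business-Critical", "Private"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Highest classification of data each segment holds. The deck names the
# segments and the levels separately; this pairing is an assumption made
# for the example.
SEGMENT_CLASS = {
    "INET": "Routine",
    "DMZ": "Confidential",
    "CORP": "Business-Critical",
    "MGMT": "Business-Critical",
    "APP": "Business-Critical",
    "DATA": "Private",
    "BKUP": "Private",
}

# The "sandwich": the only segment-to-segment hops the design permits.
# Anything not listed here is default-deny. Assumed for the example.
ALLOWED_HOPS = {
    ("INET", "DMZ"),
    ("DMZ", "APP"),
    ("APP", "DATA"),
    ("CORP", "DMZ"),
    ("CORP", "APP"),
    ("MGMT", "DMZ"), ("MGMT", "APP"), ("MGMT", "DATA"), ("MGMT", "BKUP"),
    ("APP", "BKUP"), ("DATA", "BKUP"),
}


@dataclass(frozen=True)
class Flow:
    """One permitted flow in a candidate policy; port is a string or 'any'."""
    src: str
    dst: str
    port: str


def audit_flow(flow):
    """Return the list of design violations for one flow (empty if clean)."""
    findings = []
    if (flow.src, flow.dst) not in ALLOWED_HOPS:
        findings.append(f"{flow.src}->{flow.dst}: hop not in the segmentation model (default deny)")
    # Tiers between source and destination that the flow jumps over.
    skipped = RANK[SEGMENT_CLASS[flow.dst]] - RANK[SEGMENT_CLASS[flow.src]] - 1
    if skipped > 0:
        findings.append(
            f"{flow.src}->{flow.dst}: {SEGMENT_CLASS[flow.src]} segment reaches "
            f"{SEGMENT_CLASS[flow.dst]} data directly, skipping {skipped} tier(s)"
        )
    if flow.port == "any":
        findings.append(f"{flow.src}->{flow.dst}: any port permitted; enable specific ports only")
    return findings


def audit_policy(flows):
    """Map each flow with at least one violation to its findings."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed candidate policy: three flows that follow the sandwich and
# two that do not.
CANDIDATE_POLICY = [
    Flow("INET", "DMZ", "443"),
    Flow("DMZ", "APP", "8443"),
    Flow("APP", "DATA", "1433"),
    Flow("CORP", "DATA", "1433"),  # user LAN straight to the database tier
    Flow("INET", "DATA", "any"),   # the "temporary" vendor rule nobody removed
]

if __name__ == "__main__":
    for flow, findings in audit_policy(CANDIDATE_POLICY).items():
        for finding in findings:
            print(finding)
```

The check is deliberately on segment pairs rather than addresses: the point of the matrix is that a rule request can be answered with "which tier holds that data?" before anyone looks at an IP.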

She left it dead, and with its NAT policy,
She went galumphing back.

Operational Security To Do List
Focus on containment.
Improve standardization and documentation.
Gather metrics.
Event monitoring (and no, that doesn't mean email alerts).
Consolidate when possible.
Consistently audit access.
Emphasize a proactive over a reactive posture.

The Goal: Enterprise Security Architecture
Integration of security into the enterprise architecture.
Design driven by business needs.
Built in, not bolted on.
Utilize frameworks or models such as:
OSA (Open Security Architecture)
SABSA (Sherwood Applied Business Security Architecture)

OSA Design Principles
"The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture."

SABSA Framework

A New and Improved DMZ Sandwich

[Diagram: the OSA "SP-016 DMZ Module" pattern, reproduced from
http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module
(image: http://www.opensecurityarchitecture.org/cms/images/OSA_ima...).
OSA is licensed according to Creative Commons Share-alike. Please see:
http://www.opensecurityarchitecture.org/cms/about/license-terms.]

Components as annotated in the pattern:
Untrusted public network, e.g. Internet.
External Firewall (SC-07 Boundary Protection): default rule DENY ALL; enable specific ports and IP addresses; stateful inspection and DoS protection; load balancing / high availability.
Proxy/Gateway/Web: minimal services; hardened configuration; management and monitoring over separate network interfaces/VLAN.
Bastion Host, IDS/IPS, DNS, External Services, Internal Services.
Internal Firewall: default rule DENY ALL; enable specific ports and IP addresses/ranges; stateful inspection.
Trusted network, e.g. CorpNet.
Actor: Security Operations; configuration of environment, monitoring and response to emerging threats.

Control identifiers overlaid on the diagram (OSA's catalog, which follows NIST SP 800-53 numbering):
AC-04 Information Flow Enforcement; AC-06 Least Privilege; AC-07 Unsuccessful Login Attempts; AC-12 Session Termination.
AU-02 Auditable Events; AU-03 Content Of Audit Records; AU-04 Audit Storage Capacity; AU-05 Response To Audit Processing Failures; AU-06 Audit Monitoring, Analysis, And Reporting; AU-07 Audit Reduction And Report Generation; AU-08 Time Stamps; AU-09 Protection Of Audit Information; AU-10 Non-Repudiation; AU-11 Audit Record Retention.
CA-03 Information System Connections; CA-04 Security Certification; CA-05 Plan Of Action And Milestones.
CM-07 Least Functionality.
RA-05 Vulnerability Scanning.
SC-05 Denial Of Service Protection; SC-07 Boundary Protection; SC-10 Network Disconnect; SC-20 and SC-21 Secure Name / Address Resolution Service; SC-22 Architecture And Provisioning For Name / Address Resolution Service; SC-23 Session Authenticity.
SI-03 Malicious Code Protection; SI-04 Information System Monitoring Tools And Techniques; SI-05 Security Alerts And Advisories; SI-06 Security Functionality Verification; SI-07 Software And Information Integrity; SI-08 Spam Protection.

Tips To Improve a Network Security Architecture, Or Mandiant Said So
Document and understand critical applications' network data flows.
Periodically validate network device rulesets.
Implement network segmentation.
Implement web application firewalls to reduce the risk of web application vulnerabilities.
Implement web proxies for all users, restricting access to uncategorized web sites.
Build restricted, high-security zones for critical data and applications.
From the Mandiant M-Trends 2012 Report
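"Periodically validate network device rulesets" is the item on that list most often skipped, so here is what a first pass at it looks like, as an added example (not the presenter's or Mandiant's code). The rule format is a constructed one ("action src dst port", one rule per line, first match wins) standing in for a real ACL export, and the sample list models the DMZ sandwich from the OSA slide: Internet to DMZ web tier, DMZ to APP, APP to DATA, with a default deny at the end. Three checks run over it: permit rules that are too broad, rules that can never match because an earlier rule already covers them, and whether the list actually ends in the "Default rule: DENY ALL" the sandwich assumes. A real device export needs a vendor-specific parser; the checks carry over unchanged.

```python
"""Ruleset validation for a first-match-wins access list.

Added example for this deck (not the presenter's or Mandiant's code). The
input format is a constructed one; the three checks are the point.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    line: int
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str                   # "443", "1433", ... or "any"


def parse_rules(text):
    """Parse the constructed export; '#' starts a comment, blank lines are skipped."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        action, src, dst, port = body.split()
        rules.append(Rule(
            line=number,
            action=action.lower(),
            src=ANY if src == "any" else ipaddress.ip_network(src),
            dst=ANY if dst == "any" else ipaddress.ip_network(dst),
            port=port.lower(),
        ))
    return rules


def covers(earlier, later):
    """True if every packet matching `later` already matched `earlier`."""
    return (later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.port == "any" or earlier.port == later.port))


def validate(text):
    """Run the three checks and return line numbers for each finding."""
    rules = parse_rules(text)
    # Permit rules with an unbounded side and no port restriction.
    permissive = [r.line for r in rules
                  if r.action == "permit" and r.port == "any"
                  and (r.src == ANY or r.dst == ANY)]
    # First-match semantics: a rule fully covered by any earlier rule is dead.
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                shadowed.append((rule.line, earlier.line))
                break
    last = rules[-1] if rules else None
    ends_in_deny_all = bool(last and last.action == "deny"
                            and last.src == ANY and last.dst == ANY and last.port == "any")
    return {"permissive": permissive, "shadowed": shadowed, "ends_in_deny_all": ends_in_deny_all}


# Constructed export modelling the DMZ sandwich plus the cruft that
# accumulates when nobody audits the list.
SAMPLE_ACL = """\
# first match wins
permit any 203.0.113.10/32 443            # Internet -> DMZ web front end
permit 203.0.113.0/24 10.10.0.0/24 8443   # DMZ -> APP
permit 10.10.0.0/24 10.20.0.5/32 1433     # APP -> DATA
permit any 10.20.0.0/24 any               # "temporary" troubleshooting rule
deny any 10.20.0.0/24 any                 # never matches: line 5 covers it
permit 10.10.0.0/24 10.20.0.5/32 1433     # duplicate of line 4, never matches
deny any any any
"""

if __name__ == "__main__":
    print(validate(SAMPLE_ACL))
```

Shadow detection only checks full coverage by a single earlier rule; a rule hidden by the union of several earlier rules is not caught, which is the usual next step once this pass is routine.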

"And hast thou slain the Firewall?
Come to my arms, my beamish girl!
O stateful day! Callooh! Callay!"
She chortled in her joy.

Where Am I?
Spending quality time in kernel mode practicing
and refining my particular form of snark.
www.healthyparanoia.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net

References
Covert, Edwin. Using Enterprise Security Architectures to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.
Lee, Rob. "Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results." SANS Computer Forensics Blog. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.
M-Trends 2012: An Evolving Threat. Rep. Alexandria: Mandiant, 2012. Print.

References Cont.
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post. The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 5 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.
