Definition

Network security is the process of preventing unauthorized activity across a given networking infrastructure. An attacker only has to be right one time to compromise a network. However, the team responsible for securing an organization’s network has no room for error. For this reason, it is critical to take a holistic approach, rather than simply configuring a firewall. One key element of this process is threat modeling. Conducting a threat model identifies potential weaknesses which can be evaluated prior to conducting a network penetration test.

What is a firewall?

A firewall is a device or service that acts as a gatekeeper, deciding what enters and exits the network. It analyzes the traffic passing through it by inspecting packet headers and, where configured, packet data. Based on its configuration, the firewall then decides whether to allow or deny that traffic.

Implementing a firewall can take place almost anywhere on the network (or on the critical systems themselves). In addition to Web application firewalls (WAFs), there are both software and hardware-based firewalls. It’s important to note that there is a time and place for each of these. For instance, a WAF isn’t designed for network-based attacks against the Web server itself. As such, it should be accompanied by a software or hardware firewall.


How secure is a firewall?

A firewall isn’t airtight. It’s only as reliable as the configuration running on it and its own security posture. The best way to ensure that a firewall is reliable is to close off all communication and allow only the necessary traffic and services through. It should log all traffic and decisions to an external logging service, such as an intrusion detection system (IDS), which monitors for suspicious activity. It’s important to keep firewalls up-to-date with vendor updates and patches. This ensures that it doesn’t become the reason for an intrusion to the network.

It takes time and effort to fully understand the device and the services it provides. To give you an example, let’s say that a security team is executing an external penetration test in which a firewall protects critical system assets. The security team discovers that the firewall’s Web interface isn’t disabled on the WAN (Internet-facing) interface. It is password protected, and there doesn’t appear to be any way in.

Further testing reveals that the firewall is running a vulnerable OpenSSL version affected by the Heartbleed vulnerability. This allows an attacker to extract memory dumps from the service. In the memory dumps, a recent login request containing the username and password is discovered. Using this login information, the team is able to open the firewall and gain access to the internal network, turning an external penetration test into an internal one.

In this example, the security team gains enough access to the critical systems to successfully extract sensitive data that the firewall was implemented to protect. Consequently, it became the mechanism for the breach.
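To make the "close off everything, allow only what is necessary" advice above concrete, and to show how a rule like "the management interface is not reachable from the WAN" prevents the exposure described in the example, here is a small default-deny packet filter model. This is an added illustration, not code from the original article or from any firewall vendor; the rule format, the interface names "wan" and "lan", the addresses (drawn from the RFC 5737 documentation ranges) and the port numbers are all assumptions.

```python
"""Default-deny packet filter with decision logging (illustrative model).

Added example, not from the original article or any product. Interface names,
addresses and ports are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan" (assumed names)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None means "match any"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # A rule matches when every field it specifies equals the packet's field.
        return all(
            want is None or want == have
            for want, have in (
                (self.iface, p.iface),
                (self.proto, p.proto),
                (self.dst, p.dst),
                (self.dport, p.dport),
            )
        )


class Firewall:
    """First matching rule wins; no match falls through to the default action."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.log: List[str] = []   # stands in for the external log / IDS feed

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                verdict, why = r.action, (r.comment or "explicit rule")
                break
        else:
            verdict, why = self.default, "default policy"
        # Log every decision, not just denials, so the IDS sees the whole picture.
        self.log.append(
            f"{verdict.upper()} {p.iface} {p.proto} {p.src}->{p.dst}:{p.dport} ({why})"
        )
        return verdict


FIREWALL_WAN_ADDR = "203.0.113.1"   # constructed: the firewall's own WAN address
WEB_SERVER = "10.0.0.10"            # constructed: the one service that must be public

RULES = [
    # Management plane is never reachable from the Internet-facing interface.
    Rule("deny", iface="wan", dst=FIREWALL_WAN_ADDR, dport=443, comment="admin UI not on WAN"),
    Rule("deny", iface="wan", dst=FIREWALL_WAN_ADDR, dport=22, comment="ssh not on WAN"),
    # Only the service that has to be public is opened, and only on its port.
    Rule("allow", iface="wan", proto="tcp", dst=WEB_SERVER, dport=443, comment="public https"),
    # Administration is allowed from the internal side only.
    Rule("allow", iface="lan", proto="tcp", dst=FIREWALL_WAN_ADDR, dport=443, comment="admin UI from LAN"),
]


def build_firewall() -> Firewall:
    return Firewall(RULES, default="deny")


def run_sample() -> Tuple[List[str], List[str]]:
    """Evaluate a few constructed packets; returns (verdicts, log lines)."""
    fw = build_firewall()
    samples = [
        Packet("wan", "198.51.100.7", WEB_SERVER, "tcp", 443),        # public web: allow
        Packet("wan", "198.51.100.7", FIREWALL_WAN_ADDR, "tcp", 443), # admin UI from WAN: deny
        Packet("wan", "198.51.100.7", WEB_SERVER, "tcp", 3389),       # unlisted port: default deny
        Packet("lan", "10.0.0.25", FIREWALL_WAN_ADDR, "tcp", 443),    # admin UI from LAN: allow
    ]
    verdicts = [fw.decide(p) for p in samples]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The point of the structure is that nothing reaches the internal network unless a rule says so, and the management interface is denied on the WAN before any allow rule can match. In the case above, the Web interface was reachable from the Internet and the breach followed; with this ordering, the same request is dropped and logged, which is what the IDS needs to see.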


What’s the next generation of network security?

The current approach to network security is compliance—what the auditor tells you that you need. The focus isn’t necessarily on making the network more secure; rather, it is on making the network compliant with newer standards such as the Payment Card Industry Data Security Standard (PCI-DSS). While this is the current landscape, it isn’t ideal for catching new and emerging network and application security threats.

There’s a new generation on the horizon and it is approaching fast. Emerging technologies in network security involve artificial intelligence (AI) running and integrating with the security space both physically and virtually. Properly tuning AI allows it to identify patterns much quicker than humans. For example, imagine a user who leaves for an afternoon coffee break. This user accidentally leaves their computer unlocked. Now imagine an AI solution that is able to tap into the organization’s Active Directory and the user’s local system. It then assesses that the user’s system is idle and that the same user has badged out of their office building. The AI system automatically locks the user’s desktop and notifies them that it has taken this action.

It identifies when the user’s account is accessed remotely (presumably for malicious purposes) and taps into the firewall to block access from that IP address. It also disables the user’s account until they have badged back into the office, or until another condition is met to re-enable the account. AI can also use facial recognition from security cameras to recognize when users are in the building.
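The scenario in the two paragraphs above is, underneath the AI label, a set of correlation rules over events from several sources (endpoint idle state, the badge system, the directory). The following is an added example, not from the article or any product, that encodes those rules as a small response engine and runs them over a constructed event sequence; the event names, fields and action strings are assumptions, and the automation is kept as plain rules so the decision logic can be inspected.

```python
"""Event-correlation engine for the idle-workstation scenario (illustrative).

Added example, not from the original article or any vendor. Event kinds,
field names and the action vocabulary are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: str        # timestamp, kept as text for the log
    kind: str      # "host_idle", "host_active", "badge_out", "badge_in", "remote_logon"
    user: str
    host: str = ""
    src_ip: str = ""


@dataclass
class UserState:
    in_building: bool = True   # assume on-site until the badge system says otherwise
    idle: bool = False         # endpoint reports the workstation has gone idle
    locked: bool = False
    disabled: bool = False


class ResponseEngine:
    """Applies the article's rules: idle + badged out -> lock; remote use while
    away -> block the source at the firewall and disable the account until badge-in."""

    def __init__(self) -> None:
        self.users: Dict[str, UserState] = {}
        self.blocked_ips: Set[str] = set()
        self.actions: List[str] = []   # what would be sent to the desktop, firewall, directory

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def handle(self, e: Event) -> None:
        s = self._state(e.user)
        if e.kind == "host_idle":
            s.idle = True
        elif e.kind == "host_active":
            s.idle, s.locked = False, False
        elif e.kind == "badge_out":
            s.in_building = False
        elif e.kind == "badge_in":
            s.in_building = True
            if s.disabled:                      # the re-enable condition from the text
                s.disabled = False
                self.actions.append(f"{e.ts} enable_account {e.user}")
        elif e.kind == "remote_logon" and not s.in_building:
            # Account used from outside while its owner is not on-site.
            self.blocked_ips.add(e.src_ip)
            self.actions.append(f"{e.ts} firewall_block {e.src_ip}")
            if not s.disabled:
                s.disabled = True
                self.actions.append(f"{e.ts} disable_account {e.user}")
        self._evaluate(e.ts, e.user, s)

    def _evaluate(self, ts: str, user: str, s: UserState) -> None:
        # Lock the desktop once the machine is idle AND its owner has left the building.
        if s.idle and not s.in_building and not s.locked:
            s.locked = True
            self.actions.append(f"{ts} lock_desktop {user}")
            self.actions.append(f"{ts} notify {user} desktop locked")


# Constructed event sequence following the article's coffee-break story.
SCENARIO = [
    Event("09:00", "host_idle", "alice", host="ws-alice"),
    Event("09:02", "badge_out", "alice"),
    Event("09:10", "remote_logon", "alice", host="ws-alice", src_ip="198.51.100.23"),
    Event("09:40", "badge_in", "alice"),
]


def run_scenario(events: List[Event] = SCENARIO) -> ResponseEngine:
    engine = ResponseEngine()
    for e in events:
        engine.handle(e)
    return engine


if __name__ == "__main__":
    for a in run_scenario().actions:
        print(a)
```

Two design points matter for any real deployment of this logic: the lock fires on the conjunction of two independent signals (idle endpoint and badge-out), so a single noisy sensor cannot lock workstations by itself, and every action is appended to an audit trail so that the automated response can be reviewed and reversed.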

This technology is now possible and could very well be where the network and software security industries are leading.

