Simplifying Firewall and VPN Security
Limnetic Technologies
Delivering trustworthy and resilient network communications.
The need for network connectivity has grown exponentially over the past decades. Whether at home or at work (sometimes those can be the same place), being able to access key resources has become increasingly important, if not essential.
Once upon a time, everything a worker needed to do their job could be found in the office. Then over the phone. Then by fax. Then on the local network. Then on the wide area network… and that’s where things got complicated. Because from the moment someone can legitimately access your network remotely, someone might also access it illegitimately.
And then there’s the Internet: an eclectic collection of servers and datacenters publicly accessible to each other and directly reachable by their IP addresses. The Internet was a great technological, cultural, and social achievement as it allowed people around the world to share information freely, instantly, and efficiently, at a very low price. But it also brought the entire world to the LAN’s doorsteps.
For obvious reasons (regulatory, corporate, security, monetary), companies and governments – and private individuals – can’t store their sensitive information and resources the same way. No one wants their private information to be accessible freely, instantly, and efficiently! Hence the renewed need for local network protection.
Protecting The Local Network
That’s where firewalls come in. To put it simply, a firewall is a network security device (read: a physical or virtual appliance) which monitors and/or filters incoming and outgoing network traffic based on a set of pre-established rules (whether default or user-defined). In other words, a firewall separates the local network from other networks (the Internet, in this case, is treated as just another network, albeit a very large one).
After all, it’s much easier to control what goes in and out of your network if you only have one way in or out. Think of it as if it were like going through security at the airport. Everyone needs to go through it.
In the case of larger organisations with multiple local networks combined into a wide area network (WAN), a firewall is typically deployed at each site to ensure local perimeter protection and facilitate the communication between each local network.
The following diagram presents how authorized and unauthorized traffic is treated at a very high level.
In this case (A), a user behind the firewall (within the internal network) reached out to access Salesforce. Since a request was made for that destination, the firewall authorizes data to flow back to the internal network (blue arrows). Any other unsolicited session is blocked (red arrows).
If a user is already on the network and wants to access resources also hosted on the internal network (B), the firewall will neither block it, nor even notice. That is not its purpose.
Managing exceptions?
Of course, it’s possible to set rules and exceptions to allow specific traffic inside the network. VPNs, for instance, are a good example of such an exception, and we’ll discuss them later in this publication. A firewall can also be configured to make exceptions for specific sources. However, this creates vulnerabilities: the more exceptions, the more loopholes can be exploited.
For example, if you were to allow Microsoft or Salesforce to connect to access resources on your network, be it for back-ups, synchronization, automation or what have you, you would need to sift through thousands of IP addresses, domains, and URLs. Each of these might require an exception line in the firewall’s configuration.
The more rules, the more processing power you take away from shielding your network, and the more holes you punch in your security.
Asking the firewall to deviate from its intended purpose is risky. A better alternative is to implement a secondary defensive layer to take on the management of exceptions. By centralizing URLs, IP addresses and domains in a single location, it’s possible to easily validate the legitimacy of an inbound connection AND the legitimacy of the destination only when required.
That is part of Limnetic’s value proposition: to take on the complexity of comparing inbound and outbound sessions to known and legitimate addresses – at the first packet, no less. As a result, your firewall can be allowed to focus on what it’s good at: block, block, block.
What about VPN users?
For remote workers accessing local resources on your network, the method of choice is typically a virtual private network (VPN). Typically, the user installs software on their device, which allows them to create an encrypted connection with the network. It’s the firewall’s VPN gateway that’s responsible for decrypting and authorizing the connection. Once through, the user’s device is considered as being on the network, just as though they were physically sitting at their desk.
Of course, there are other considerations. For instance, different approaches can be taken with regard to Internet browsing: either funnelling all traffic through the VPN gateway, or using split tunnelling, in which case only the corporate traffic goes through the VPN gateway and out through the office’s Internet link, while the rest goes out as usual through the home Internet. In both cases, the throughput is doubly limited, by both the remote location’s Internet link and the office’s.
While these are important considerations when designing your network at large, we will focus on locally hosted resources, which necessarily require a VPN connection.
As a reminder, the role of a firewall is to separate the network from the outer world and to control who gets in, and how traffic properly gets out.
A firewall’s job is not to police what goes on inside the network. A firewall is a bouncer; it’s the customs agent; it’s the coast guard.
In the example above, the remote user first authenticates through segment A, and can then freely access internal resources via segment B (if they were granted access to them). But what happens if the unsupervised laptop is used by someone else, or stolen while a connection is established?
Today, one must rely on the hope that users lock their screens when they step away from their computer, and that to steal a laptop, it needs to be moved, which is likely to terminate the VPN session as it disconnects from the Wi-Fi or gets unplugged. With people’s habit of storing passwords locally, however, this is of little help, as the session can be re-established quickly. Needless to say, this becomes a serious vulnerability.
To effectively act past that point, other security best practices and measures are required. In a previous post, we presented what’s often described as the “Swiss Cheese” security model. No single security solution covers 100% of threats. That’s why antivirus and antimalware software exist, for instance.
In this case, a Zero Trust Network Access (ZTNA) design is a great way to separate resources and avoid granting implicit access to anyone using a VPN. One way to implement such a design is with a network solution capable of inspecting internal traffic, reporting anomalies, and blocking suspicious activity. The diagram below shows how such a solution can be inserted seamlessly to enforce a ZTNA mentality on internal traffic, whether from devices physically on the network or remoting in.
A Limnetic Edge can be deployed to inspect incoming, outgoing, and internal sessions, and record the technical data to determine who accesses what, how, at what time, how long, and how frequently.
As with the previous diagram, the remote user is authenticated by the firewall (A). This time, Limnetic is aware of its presence on the network (B), and will also be aware of the resources accessed on the network (C). If the compromised remote endpoint behaves unusually, either by connecting from an unknown origin, or by accessing new areas of the network to retrieve resources, Limnetic can force it to re-authenticate, block access to these specific destinations, or entirely block the device from further actions on the network.
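To make the described behaviour concrete, here is an added example that is not Limnetic’s code: it builds a per-user baseline of destinations from recorded sessions and maps the two anomalies named above (unknown origin, new area of the network) to the responses the text lists. The VPN address pool 10.8.0.0/24, the user names and the session records are all constructed for the example.

```python
"""Toy ZTNA-style session triage: baseline who accessed what, then act on deviations.
Added illustration only; not Limnetic's implementation."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (user, source_ip, destination, bytes_out)
BASELINE_SESSIONS = [
    ("alice", "10.8.0.12", "fileserver", 120),
    ("alice", "10.8.0.12", "crm-db", 900),
    ("alice", "10.8.0.15", "fileserver", 300),
    ("bob",   "10.8.0.40", "wiki", 50),
]

# Assumed: the address pool the VPN gateway hands out to authenticated remote users.
KNOWN_ORIGINS = [ip_network("10.8.0.0/24")]


def build_baseline(sessions):
    """Map each user to the set of internal destinations seen in past sessions."""
    seen = defaultdict(set)
    for user, _src, dest, _n in sessions:
        seen[user].add(dest)
    return seen


def evaluate(session, baseline, known_origins=KNOWN_ORIGINS):
    """Decide one new session: 'allow', 'reauth', 'block_dest' or 'block_device'.

    unknown origin only  -> force the device to re-authenticate
    new destination only -> block access to that specific destination
    both at once         -> block the device from further actions
    """
    user, src, dest, _n = session
    unknown_origin = not any(ip_address(src) in net for net in known_origins)
    new_dest = dest not in baseline.get(user, set())   # unseen user: everything is new
    if unknown_origin and new_dest:
        return "block_device"
    if unknown_origin:
        return "reauth"
    if new_dest:
        return "block_dest"
    return "allow"


def triage(sessions, baseline):
    """Return (user, destination, action) for a batch of new sessions."""
    return [(u, d, evaluate((u, s, d, n), baseline)) for u, s, d, n in sessions]
```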
Piecing it together
Firewalls are a staple of modern cybersecurity. Their purpose is to separate the corporate network from the outer world and to control what comes in and out. However, as important as they are, firewalls are not designed to manage large numbers of exceptions, or to manage internal traffic. While both objectives can be achieved with creativity and hard work, the level of complexity is unlikely to be worth the investment.
Limnetic can be leveraged to simplify firewall configurations and strengthen your network security – both at the perimeter and from within.