What are the benefits of using a DMZ subnet in an organization and are there any negatives to using a DMZ as well?
A DMZ contains and exposes an organization’s external-facing services to the internet. An external network node can access only what is exposed in the DMZ. External network nodes cannot access anything that is not within the DMZ. Web services or VoIP services are some of the most common services being placed in a DMZ. However, with the additional functionalities and abilities of VoIP, for example, it should be protected by a firewall as well, rather than being placed in the DMZ without any protection and monitoring.
Why do some organizations choose to log all packets, whereas others only log packets that are dropped, and would you have a preference if you were responsible for logging at your organization?
Different organizations treat security and risk differently. Some organizations only log dropped packets so they can see what traffic was violating policies and inspect further if necessary. They can save disk space this way and possibly hold logs for a longer period of time. On the other hand, logging all traffic gives much greater insight for network administrators. The dropped packets are the ones your firewall successfully blocked. But what about possible attack packets that were let through? Those are more dangerous, and it would be helpful to have a log of those to be able to inspect. Logging all traffic is likely more expensive and time consuming, though, because there are more logs to store and go through.
Ultimately, I would want to log all traffic where feasible as an added layer of protection.
Logs take up a lot of storage, and they need time and resources to process. Regulatory compliance requirements are one of the reasons for an organization to log everything. The unnecessary cost increase on additional storage, maintenance, and processing is not ideal for many organizations.
I believe the choice between logging all packets and logging only packets that are dropped has a lot to do with costs and the budget/size of the company. For example, a multinational company will have the bandwidth and storage space to log all packets and analyze the web traffic coming in, reviewing everything. However, a small start-up or company will not have the budget to have enough storage space to log all packets, or enough employees to review these packets. These companies would just review dropped packets to understand why and how to improve upon it, or be alert if it was an attack. I would prefer to log all incoming packets at my organization because you are able to gain a better understanding of your web traffic and learn to adapt and filter your firewall accordingly.
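The point made above about attack packets that were let through can be shown concretely. The following is an added example, not code from any of the posters: it parses constructed iptables-style LOG lines (the addresses, the FW-ACCEPT/FW-DROP prefixes and the line format are all made up for illustration) and looks for a source that was dropped on several ports and then had a packet accepted, i.e. a scan that found an open port. Running the same detection over a drop-only log shows what that logging policy cannot see.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of iptables LOG output. Not real captures;
# the FW-ACCEPT / FW-DROP prefixes are assumed log-prefix values.
SAMPLE_LOG = """\
kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=3389 SYN
kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=445 SYN
kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443 SYN
kernel: FW-ACCEPT IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443 SYN
kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text, actions=("ACCEPT", "DROP")):
    """Return (action, src, dport) tuples for lines whose action is in `actions`.

    Passing actions=("DROP",) models a firewall configured to log drops only.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") in actions:
            events.append((m.group("action"), m.group("src"), int(m.group("dpt"))))
    return events


def scan_then_connect(events, min_dropped_ports=3):
    """Sources that were dropped on >= min_dropped_ports distinct ports and then
    had at least one packet accepted. Returns {src: sorted accepted ports}."""
    dropped = defaultdict(set)
    accepted = defaultdict(set)
    for action, src, dpt in events:
        (dropped if action == "DROP" else accepted)[src].add(dpt)
    return {
        src: sorted(accepted[src])
        for src in dropped
        if len(dropped[src]) >= min_dropped_ports and accepted[src]
    }


if __name__ == "__main__":
    full_log = parse(SAMPLE_LOG)
    drops_only = parse(SAMPLE_LOG, actions=("DROP",))
    print("log everything :", scan_then_connect(full_log))   # finds 203.0.113.7 -> [443]
    print("drop-only log  :", scan_then_connect(drops_only))  # finds nothing
```

With the full log the scanner 203.0.113.7 is flagged together with the port it eventually reached; with a drop-only log the four probes are visible but the accepted connection is not, so the follow-up that actually matters is invisible to the analyst. Sampling or logging accepts only for new connections (rather than every packet) is the usual middle ground when storage is the constraint.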
What are the challenges associated with a firewall's ability to protect a company's network when many employees are working remotely? Does this make it harder for a firewall to detect suspicious activity?
Hi Charlie,
Several challenges arise when dealing with individuals working remotely or even considering outside parties such as vendors or consultants. One example is having to extend the perimeter and allow outside users to access through the firewall in order to complete work. Outside users can inadvertently compromise a system, server, application, etc. if their own PC is compromised, as their PC is now located within the perimeter. Border firewalls will have to be configured correctly to allow these users into the perimeter, and then internal firewalls will also have to be configured correctly to limit access to various servers, applications, etc. Firewalls cannot be used alone and should be used in conjunction with anti-malware software and multi-factor authentication. As attacks become more frequent and attackers become smarter, organizations will have to implement additional security measures other than firewalls to ensure the systems remain uncompromised.
At the beginning of this pandemic, I think it was a difficult challenge for many organizations to securely configure their networks because of how quickly they needed to transition most, if not all, employees to work remotely. Opening the network to give employees remote access could cause a lot more risk of the network being compromised. The organization does not have control of computers to make sure they are up to date on patches, using anti-virus, or not already compromised. Working remotely also allows employees to potentially remove data from the internal network with ease if firewalls and/or policies are not configured properly. Lastly, as seen during this pandemic, there has been a rise of social engineering attacks in organizations because attackers know everybody is working remotely, so they have a better chance of successfully getting into the network. Therefore, it is important to make sure access control management is implemented and employees only have access to information they absolutely need to perform their job and nothing more.
I think one of the biggest challenges is when employees are working remotely on their own network, their firewalls aren’t as protected or filtered. If their connection or computer is compromised by a virus, the hacker would have access to the work server/VPN as well. Firewalls would not be able to detect suspicious activity if the employee’s computer was compromised because the connection is still coming from the employee’s computer.
Which type of conflict (contradictory, redundant or irrelevant) presents the greatest security risk to an organization?
I guess contradictory conflict presents the greatest security risk to an organization because it not only slows down the operating process; at the same time, it might let hackers use this opportunity by camouflaging as a user who has a positive authorization. Even if the hackers have a negative authorization, it alerts the security administrator to correct this error by editing or removing the conflict, which might allow the hacker to get into the system through human error.
I would say contradictory conflicts present the greatest security risk to an organization because when they are contradicting, it means neither authorization can take effect. This may disrupt work processes, especially if there is a deadline. The admin would have to go back and figure out why the authorization did not take place. For example, if there is an authorization for Employee 1 to write file X, but there is an authorization that says Employee 1 cannot open Folder X that the file is in, when the employee tries to perform his task, he will be denied entry into the folder, which may hinder his work process; it’ll delay his work, and the system admin would have to be disrupted as well. Redundant or irrelevant conflicts may be a waste of time to create but do not disrupt the work flow.
Why should redundant and irrelevant conflicts within policies be resolved?
Hi Christa,
The best answer I can think of is to increase efficiency and, in some cases, security as well. More conflicts = more vulnerabilities and more money.
With the current security landscape and the ever more common encryption we are seeing today, should stateful firewalls and DPI become a standard implementation for all firewalls rather than a paid feature? Stateless firewalls are still the default solution as a firewall, but simply blocking a type of traffic or a port is no longer sufficient against more sophisticated attacks.
Which conflict of detection method is most important in an organization?
What type of firewall would be best for your home or a small office, considering things like the amount of protection and cost?
I would say a next-gen firewall without a subscription or a license fee will be ideal. Many enterprise firewall solutions have a subscription model, where you buy the appliance and subscription plans to keep the device up to date. This model drives up the cost considerably and unnecessarily.
For a small business with a limited budget, a basic router already provides firewall protection. It automatically blocks any external traffic that does not meet basic security parameters. It costs the business as little as ten dollars. It can protect all the devices on the business network. It also can save the time of installing, monitoring, and updating software on each employee’s computer.
I think a software-based firewall will best fit most home users. It is easier to install and manage, so users can have better control over its functionalities and protection features. It is also affordable, even if you go for the top-rated firewalls.
Out of all the different types of firewalls, which one gives the most secure protection? Also, do any of them have any limitations to their functions?
Many of the most recently released firewall products are being touted as “next-generation” architectures. Some common features of next-generation firewall architectures include deep-packet inspection, TCP handshake checks, and surface-level packet inspection. All firewalls have their limitations. To provide better protection, an organization should have multiple layers of firewalls.
What security roles do internal firewalls play as compared to host firewalls? Why are both types of firewall necessary when securing a network?
Hi Mitch,
Internal firewalls control the traffic or information that flows through the different parts of the internal network. For example, in a hospital setting, only certain people should be able to send information to a server that contains patient information. Internal firewalls are responsible for protecting a large number of client-server connections, as there is typically a heavy volume of internal traffic. These firewalls are complex, and it can be difficult to set the ACL rules up correctly. A host firewall is installed on an individual host and usually only monitors a very small number of applications. As there is less volume than on internal firewalls, setting up the ACL rules is easier. It is important to consider the defense in depth concept, as we are seeing the death of the perimeter. Security, such as firewalls, can be layered on top of one another to ensure better chances of security. I liken this to key controls vs. secondary controls: if a key control fails, you can still rely (hopefully!) on the secondary control to get the job done. In this case, by using different types of firewalls, you are better protecting the organization. Let’s say a border firewall or internal firewall has an ACL configuration error; chances are the host firewall will not have a configuration error, as they are not as complex, and it will still protect the individual host.
IDS vs. IPS: why are they critical for cybersecurity?
IDSs are critical as they are able to alert security teams of threats that a firewall might not block. IPSs are critical as they take the technology of IDSs; however, they compensate for the false positives of IDSs by blocking actual attacks.
IDSs function more as a surveillance tool to look for any suspicious traffic and are not able to drop packets based on mere suspicion, resulting in many false alarms. While the filtering rules can be tweaked to reduce the number of false alarms, chances are that IDSs will still generate false alarms. On the other hand, IPSs can actually block attacks such as DoS using a combination of ASICs and confidence spectrum tools, which is aimed at preventing the attack versus simply identifying the attack as with IDSs.
IDS and IPS both read network packets and compare the contents to a database of known cyber threats. An IDS detects and monitors the network traffic. It requires other systems to take action when it detects abnormal behaviors. It is better used as a part of the security incident investigation. An IPS is based on the packet content to accept or reject it. IPS is more passive, as it denies the dangerous packets before they reach their target.
At what point do firewalls become redundant? Is there a more efficient way to protect your network than having a bunch of firewalls on the way?
While firewalls are critical in protecting a network there are other techniques an organization can use to help secure their network. The network can be segmented into subnets which would be useful if you wanted to keep sensitive information off the main network. This would mitigate an unauthorized user from making lateral movements in the network. Another option would be to setup a DMZ to limit the exposed servers to the internet and filter traffic from reaching the internal network. This approach still uses a firewall, but it will help keep the redundancy down by limiting how external traffic can enter.
Firewalls are important tools for IT security teams to protect a network, but they are not a perfect solution and can cause other problems. For example, as mentioned in the reading, firewalls that drop too many packets due to incorrect configuration can cause inadvertent DoS attacks. Segmenting the network can be very effective to help protect data. Also, user education can be very beneficial. Obviously, not all attacks can be stopped by education, but companies should be careful to not just dump money into their security methods without also educating their users. User education can be more beneficial than just having a bunch of firewalls in the network.
What are some of the best firewalls currently available for an organization to purchase? Have there been any new technological advancements made in firewall protection?
SolarWinds, WatchGuard, and Norton are pretty strong firewalls organizations can use. There have definitely been advancements in firewall protection, especially with the development of intrusion detection and prevention systems.
What are some examples of “redundant” policy conflicts?
A redundant policy conflict is when one policy overlaps another policy. An example could be if someone had access to a specific file, but at the same time that person also had access to the root folder that the file was contained in.
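The three conflict types discussed in the contradictory-conflict answers above and in the redundant-conflict example just given can be checked mechanically on a firewall ACL. The following is an added example, not code from any of the posters. It models a first-match ACL (the first rule whose source, destination and port range match a packet decides) and classifies each rule against the rules ahead of it: fully covered by an earlier rule with the same action is "redundant" (the file-inside-root-folder case), any overlap with an earlier rule of the opposite action is "contradictory" (the write-file-but-cannot-open-folder case), and a rule whose destination is not in any network this firewall protects is "irrelevant". The addresses, rule names and the protected network are hypothetical, and the irrelevance test is one common definition (traffic the firewall never sees), chosen for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # (low, high) inclusive TCP destination port range


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def overlaps(a, b):
    """True if at least one packet matches both rules."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def classify(rules, protected_nets):
    """Return (kind, rule_name, conflicting_rule_name_or_None) under first-match
    semantics. Only the first conflict found for each rule is reported."""
    protected = [_net(n) for n in protected_nets]
    findings = []
    for i, rule in enumerate(rules):
        # Irrelevant: the destination is not behind this firewall at all.
        if not any(_net(rule.dst).overlaps(p) for p in protected):
            findings.append(("irrelevant", rule.name, None))
            continue
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # The later rule can never fire. Same action: harmless but redundant.
                # Opposite action: the policy says both allow and deny for this traffic.
                kind = "redundant" if earlier.action == rule.action else "contradictory"
                findings.append((kind, rule.name, earlier.name))
                break
            if overlaps(earlier, rule) and earlier.action != rule.action:
                # Partial overlap with a different decision: outcome depends on order.
                findings.append(("contradictory", rule.name, earlier.name))
                break
    return findings


# Hypothetical internal server network sitting behind this firewall.
PROTECTED = ["10.10.0.0/16"]

# Constructed rule set for illustration.
RULES = [
    Rule("r1", "allow", "10.20.0.0/16", "10.10.5.0/24", (443, 443)),   # staff -> web tier
    Rule("r2", "allow", "10.20.3.0/24", "10.10.5.10/32", (443, 443)),  # subset of r1, same action
    Rule("r3", "deny", "10.20.3.0/24", "10.10.5.0/24", (0, 65535)),    # tries to block what r1 already allowed
    Rule("r4", "deny", "0.0.0.0/0", "10.10.7.0/24", (445, 445)),       # block SMB to file servers
    Rule("r5", "allow", "10.20.0.0/16", "10.10.7.0/24", (445, 445)),   # fully shadowed by r4, opposite action
    Rule("r6", "allow", "10.20.0.0/16", "172.16.9.0/24", (22, 22)),    # network this firewall never sees
]

if __name__ == "__main__":
    for kind, name, other in classify(RULES, PROTECTED):
        print(f"{kind:14} {name}" + (f" (vs {other})" if other else ""))
```

Run as is, the script reports r2 as redundant with r1, r3 and r5 as contradictory with r1 and r4 respectively, and r6 as irrelevant. The contradictory findings are the ones to resolve first: r3 looks like a block but never blocks port 443, and r5 looks like an allow but never allows anything, which is exactly the silent, order-dependent behaviour the answers above warn about. Only the "earlier rule shadows a later rule" direction is checked here; a full analysis would also catch a specific rule that is made redundant by a broader rule listed after it.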
What firewall architecture do you have at your company? How many different firewalls are there in your company?
How would a security team configure the intrusion detection systems to ensure they receive the minimum amount of false positives?
Hi Ashleigh,
Tweaking filtering rules for example, eliminating inapplicable rules and reducing the number of rules allowed to generate false alarms are both reasonable approaches in an effort to reduce the number of false alarms in IDSs.
Hi Ashleigh,
Tuning can be used to reduce false positives in IDS, which is turning off rules that are not applicable, such as a rule related to a Linux operating system, but your organization uses Microsoft. Tuning can also mean to increase the criteria threshold that triggers an alarm when logging suspicious activity, i.e. not all suspicious activity needs to trigger an alarm. While this method can help security teams lessen the number of false positives, it is still probably above what could be considered a minimum amount. In addition, tuning is very labor intensive which can drain resources and is not very cost beneficial. Also, IDS does not stop an attack, it simply identifies suspicious activities. For these reasons, IDS should be used in conjunction with another security method such as firewalls.
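The two tuning techniques described in the reply above (disabling signatures that do not apply to the platforms you run, and raising the threshold before an alarm fires) are easy to show on a toy signature engine. This is an added example, not code from the poster or from any IDS product: the signatures, the platform tags, the event records and the addresses are all constructed for illustration, and the "threshold" here is simply a per-source hit count with no time window.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    sid: int
    msg: str
    platform: str       # target platform the signature is relevant to, or "any"
    pattern: str        # substring searched for in the payload
    threshold: int = 1  # alert only once this many hits come from one source


# Constructed events: (timestamp, source address, request payload). Not real traffic.
EVENTS = [
    (1, "203.0.113.9", "GET /cgi-bin/../../etc/passwd"),
    (2, "203.0.113.9", "GET /cgi-bin/../../etc/passwd"),
    (3, "198.51.100.4", "GET /login"),
    (4, "198.51.100.4", "GET /login"),
    (5, "198.51.100.4", "GET /login"),
    (6, "203.0.113.9", "GET /login"),
    (7, "192.0.2.77", "POST /admin.php?cmd=whoami"),
]

# Constructed signature set. Real rule languages (Snort/Suricata) are far richer.
SIGS = [
    Sig(1001, "unix passwd file access attempt", "linux", "/etc/passwd"),
    Sig(1002, "repeated login page requests", "any", "/login", threshold=3),
    Sig(1003, "php admin command parameter", "any", "cmd="),
]


def run_ids(events, sigs, fleet_platforms, thresholds=True):
    """Return a list of (sid, src) alerts.

    Tuning step 1: signatures for platforms absent from `fleet_platforms` are
    switched off. Tuning step 2: when `thresholds` is True a signature alerts
    once, when its per-source hit count reaches the threshold; when False it
    alerts on every hit, like an untuned deployment.
    """
    active = [s for s in sigs if s.platform == "any" or s.platform in fleet_platforms]
    hits = defaultdict(int)
    alerts = []
    for _, src, payload in events:
        for sig in active:
            if sig.pattern not in payload:
                continue
            hits[(sig.sid, src)] += 1
            if not thresholds:
                alerts.append((sig.sid, src))
            elif hits[(sig.sid, src)] == sig.threshold:
                alerts.append((sig.sid, src))
    return alerts


if __name__ == "__main__":
    untuned = run_ids(EVENTS, SIGS, {"linux", "windows"}, thresholds=False)
    tuned = run_ids(EVENTS, SIGS, {"windows"})
    print(f"untuned: {len(untuned)} alerts -> {untuned}")
    print(f"tuned  : {len(tuned)} alerts -> {tuned}")
```

Untuned, every matching event is an alert: seven in total, including three identical login alerts for one source and two passwd probes. Tuned for a Windows-only fleet with thresholds on, the same events produce two alerts: the login burst from 198.51.100.4 fires once when it reaches three hits, and the cmd= request fires immediately. The trade-off the reply mentions is visible too: the /etc/passwd probe from 203.0.113.9 is real reconnaissance, and disabling the Linux signature means nobody is told about it, so "not applicable" rules are better demoted to a low-priority log than deleted outright.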