Network Security in a World without Network Firewalls
I like firewalls. For a number of years, I made a good living specializing in edge security and writing books and articles about the Microsoft ISA firewall, together with my husband, Tom Shinder. Tom, even more than I, built his career on the back of ISA and TMG. During the past decade and a half, firewalls were all the rage - the very foundation of network security - and the number of different firewalls available was dizzying. Spirited discussions revolved around what kind of firewall was the best firewall, which type of firewall could provide the most security, which features were most important, which did the better job, packet inspection or application layer inspection, and more. The debates were hot and heavy and sometimes led to a version of digital fisticuffs.
But times have changed. While there are still many firewall options available out there, the general issue of which firewall is the best or more secure doesn't seem to be raging quite so passionately anymore. Why is that? Did the industry just get tired of talking about firewalls? Did all the firewalls become essentially the same, providing essentially the same services, so that choosing a firewall was a matter of just which vendor you liked or what was the best price?
Maybe it had to do with those things, but I think it's also due to the fact that the nature of computing is changing. When firewalls were the talk of the town, security was all about keeping people out of your trusted network. Back then, there was the perception that the internal corporate network was "secure" and anything outside of your corporate network was "unsecure". Using this simple dichotomy, you could create a barrier or multiple barriers focused on preventing people from getting into your network. Once they were through that door, they were assumed to be "good guys."
It was a workable idea back when we all went to our little cubicles at the office every day to get our work on the computer done. But that world of the 1990s doesn't exist anymore. More and more people carry their computers with them (whether in the form of laptops, tablets or their smartphones). They work from home, from a hotel room, from a conference center, or from a partner's or customer's office. The old model still keeps the internal network relatively secure, but it also can prevent your employees from getting their work done (or at least make it more difficult and time-consuming), and impairs their effectiveness when they're on the road. And it's not only employees who are affected; there are business partners, suppliers, vendors and a horde of other people who need access to your network's resources. We are much more into "sharing" these days, while at the same time we face more and more threats from hackers, attackers, virus and malware writers.
What's happened is that the once impenetrable firewall barrier has had so many holes opened in it, to accommodate all these use cases, and has developed such a complex set of firewall rules and ACLs, that there is almost no reason to even have the firewall there anymore. Edge firewalls are increasingly becoming more like routers than firewalls, because they need to let more and more traffic, coming from an increasingly diverse set of people and devices, into the corporate network for legitimate purposes. Now the talk is about the death of the DMZ, the dissolution of the edge, and the eventual fading away of the firewall as the sentinel guarding the internal network. Where does that leave us in regard to security?
Whether we like it or not, we seem to be moving toward a world without firewalls. As we do so, we need to think about how to enforce some level of network security for our precious data. Just because the "walls are tumbling down" doesn't mean that we don't need to secure and protect our critical data. In fact, that will become more crucial than ever. It does mean that we need to push security closer to the assets. The end result, and the desired result, is that everyone will be able to more easily get to the information they need, as long as they are authorized to access that information.
What are some of the things you can do now to help secure your assets in a world without firewalls? In this article, we'll take a look at my "short list" of technologies and approaches that can help you in that effort:
- Rights Management Services
- Strong Authentication and Identity Management
- Host Based Firewalls, IDS/IPS and Anti-malware
- IPsec Server and Domain Isolation
- SSL/TLS Encryption
- Service Hardening and Attack Surface Minimization
Rights Management Services
Rights Management Services (RMS) enables you to create policies to control how individual files are handled. For example, you can use RMS to control who can view a file, who can print it, who can copy it, who can email it, and how long the file survives (for example, you can tell the file to self-destruct after five days). The beauty of Rights Management Services is that even if someone is able to compromise the host server that contains the RMS-protected files, the intruder would not be able to access the file's content because the intruder isn't on the list of authorized users for that file.
At this time Microsoft has an RMS service that is somewhat limited, as you can only protect certain types of files, such as Office documents and Exchange email, using RMS. In the future, I'd like to see Microsoft or some other vendor come up with a more robust RMS system that enables you to apply RMS to all files. In addition, the current instantiation of the Microsoft RMS system leaves it up to the user to decide which RMS policy to apply to the files. This is a security no-no, because you shouldn't leave significant security decisions to end users if you can help it. It would be better to have a system that examines the content of the file, and then applies an RMS policy to the file based on the contents. End users might be able to have a say in the policy too, but there should be admin-controlled policy enforcement as well.
RMS solves a multitude of problems. If you're not using RMS now, you should investigate what RMS options are available to you and consider piloting an RMS project now. However, RMS isn't fool-proof. While rights management policies can prevent a user from printing or making a copy of a document, of course they can't prevent him from taking a photo of it on screen with his cell phone camera, or for that matter, copying it out in longhand. Once you grant someone access to information, technology can only go so far in controlling what that person does with it.
Strong Authentication and Identity Management
User names and passwords are the "old way" of authenticating identity, even though that is what most people use today. But in a world without firewalls, authentication and authorization are even more critical. We really need assurance that the person who is authenticating with our service is actually the person we think he is. User names and passwords are too easy to steal and reuse by an attacker. The current solution is two-factor authentication, where the user is in possession of some piece of hardware that only that user should have, and has knowledge of a PIN or some other piece of information that only that user should have. The combination of "what I have and what I know" is considered to be the gold standard for authentication security today. Smart cards and tokens add considerably to security. Biometrics is another, in some ways even better, option because it's harder to fake or reproduce and the user doesn't have to remember to carry something with him.
In the future, there should be more sophisticated methods that can add to the two-factor authentication mechanisms in general use today. For example, there are some systems that add to the 2FA method by presenting the user with a challenge, and (in theory) only that user knows the answer to the challenge. Of course, for such a challenge system to be effective, the answers to the challenges need to be highly secured, as the release of these challenge questions to intruders would be disastrous. One option would be to keep the answers to the challenge questions on the physical device the user uses, and encrypt the answers with DES256 encryption. There are other methods that can be used as well.
In addition to strong authentication, identity management as a whole needs to be addressed. You need to think about whether you want to be in the identity management business at all. If you use Active Directory, it's likely that you have other identity systems in house, and users have multiple identities for those multiple systems. How do you provision users for each of those systems? How do you sync your users' identities across all of those systems? How do you assess the level of trust for identity providers? Can you control access based on the level of trust for a particular identity provider?
These questions will need to be answered and addressed as you move into a world without firewalls. Authentication and authorization policies need to be rock solid because the entire Internet will potentially have network access to nodes on your intranet containing your private intellectual property.
Host Based Firewalls, IDS/IPS and Anti-malware
Just because network firewalls are expected to increasingly fade away in the future doesn't mean that the firewall concept itself is a bad one. The problem with network firewalls is that they are trying to do too much, and in the end, they aren't able to do what they were designed to do because they have to allow too much traffic from too many users to too many intranet resources.
But that doesn't mean that a firewall can't be valuable, just that it's time to move it from the network edge to the host computer. Indeed, one of the highest tenets of network security is "least privilege". A host-based firewall is the ideal way to enforce least privilege. Your host-based firewalls are configured to allow only traffic that should be going to that particular server. If the server isn't a file server, then shut down SMB if you don't need it. If it's not an SMTP server, block SMTP inbound and outbound. Anything that you can do with a network firewall, you can do with a good host-based firewall. And with a host-based firewall, you can get very granular in your policies so that the policy tightly matches the intended functionality for that server.
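As an added illustration of the role-matched, default-deny host firewall policy described above (example script written for this article, not the author's or Microsoft's own), the following PowerShell applies that idea to a server whose only job is to serve HTTPS. It assumes the NetSecurity module (Windows Server 2012 or later; on Windows Server 2008 R2 the same settings are made with netsh advfirewall), an elevated session, and placeholder names such as "WEB-Allow-HTTPS" and a management subnet of 10.0.50.0/24.

```powershell
# Added example (not from the article): a least-privilege host firewall profile
# for a server whose only role is to serve HTTPS, using the NetSecurity module
# (Windows Server 2012 or later). Run in an elevated PowerShell session.
# Rule names and the management subnet 10.0.50.0/24 are placeholders.

# 1. Default-deny inbound on every profile and log what gets dropped; outbound
#    stays allowed here and can be tightened the same way later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Turn off the built-in rule groups that open services this role does not need
#    (the article's "if it isn't a file server, shut down SMB").
'File and Printer Sharing', 'Remote Desktop' |
    ForEach-Object { Disable-NetFirewallRule -DisplayGroup $_ -ErrorAction SilentlyContinue }

# 3. Allow only what the role needs: HTTPS from anywhere...
New-NetFirewallRule -DisplayName 'WEB-Allow-HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# ...and remote management (WinRM) only from the administrative subnet.
New-NetFirewallRule -DisplayName 'WEB-Allow-WinRM-from-Mgmt' -Direction Inbound `
    -Protocol TCP -LocalPort 5985,5986 -RemoteAddress 10.0.50.0/24 -Action Allow -Profile Domain

# 4. Review: every enabled inbound allow rule should now be explainable by the server's role.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile,
        @{ n = 'Ports'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } }
```

The review step at the end is the part worth keeping in a scheduled job: on a host that is reachable from the Internet, any allow rule that nobody can tie to the server's role is the first thing to remove.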
In addition to a host-based firewall, you want to have other functions that are available on a network firewall, such as IDS/IPS. Host IDS/IPS is not uncommon, but maybe not used as much as it should be because of a focus on Network IDS. In a world without firewalls, increased attention should be paid to host IDS/IPS and dynamic reporting systems for any anomaly found on any system by the host IDS/IPS.
Also, sophisticated antimalware software needs to be placed on each system, regardless of operating system. While many consider Windows the "low hanging fruit" for malware, that doesn't mean that the focus of the intruders is only Windows, and you should anticipate an increased number of attacks on non-Windows systems in the future.
The combination of host-based firewalls and firewall policy, host IDS/IPS and sophisticated antimalware on each node goes a long way toward protecting systems in a world without firewalls.
IPsec Server and Domain Isolation
IPsec server and domain isolation is a method you can use to make sure that machines authenticate at the network level before they're allowed access to a server. This is extremely useful because in contrast to other authentication methods that allow access to the application layer before authentication can take place, IPsec server and domain isolation enables you to force authentication of the user or machine at the network level - which means if authentication and authorization fails at the network level, the application layer is never exposed.
Server and domain isolation will become even more useful in an IPv6 world, where all communications have the potential to be point to point connections between any two connected devices (which was the vision of the original creators of the Internet). IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. When combined with other methods discussed in this article, IPsec is a powerful technology that will enable a high level of security in a world without firewalls.
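To show how the network-level authentication gate described above is expressed in practice, here is an added example (written for this article, not taken from it or from Microsoft's documentation) of a domain isolation policy in PowerShell. It assumes a domain-joined Windows Server 2012 or later with the NetSecurity module and an elevated session; the rule names and the SQL Server port used for the service rule are placeholders chosen for the example.

```powershell
# Added example (not from the article): a domain-isolation policy that requires
# Kerberos computer authentication for inbound traffic and requests it outbound,
# so unauthenticated hosts never reach the application layer. Assumes a
# domain-joined Windows Server 2012 or later, the NetSecurity module and an
# elevated session; rule names and the port 1433 service are placeholders.

# Phase 1 (main mode) authentication: the computer's domain account via Kerberos.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$kerbAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Iso-Computer-Kerberos' -Proposal $kerbProposal

# Connection security rule: inbound must be authenticated; outbound asks for it but
# falls back to clear text so the server can still reach non-domain peers (DNS, updates).
New-NetIPsecRule -DisplayName 'Domain-Isolation-Require-In' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $kerbAuthSet.Name -Profile Domain

# Tie the firewall rule for the service to the IPsec policy: the port opens only to
# peers that completed authentication, which is the article's point that a failed
# network-level authentication never exposes the application layer.
New-NetFirewallRule -DisplayName 'SQL-Allow-1433-Authenticated' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -Action Allow -Authentication Required -Profile Domain

# Verify: active main mode security associations show which peers authenticated and how.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Roll the connection security rule out in request/request mode first and watch the security associations form before switching inbound to Require; a host that cannot authenticate (a workgroup appliance, a monitoring probe) is cut off at the network layer the moment Require takes effect.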
Not all traffic needs to be protected by IPsec. Web connections (HTTP) can be secured using SSL/TLS encryption. Or, you can pair SSL/TLS with IPsec to create an even more secure scenario. However, in many cases IPsec might not be the best solution because you don't have control over the identity management infrastructure of all parties that might need to use encryption to access resources on your network.
SSL/TLS Encryption
This is where SSL becomes useful. All connections to your web resources should require SSL encryption, and at the highest level that you can reasonably support. Ideally, you will be able to use Suite B algorithms to secure your connections. Keep in mind that in a world without firewalls, SSL is about encryption and data privacy; it doesn't solve the authentication and authorization issues, beyond the fact that your authentication algorithms can run inside the secure SSL tunnel.
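"The highest level that you can reasonably support" on a Windows server is controlled by the Schannel registry keys. The following added example (written for this article, not from the author or from Microsoft) disables SSL 2.0 and SSL 3.0 and enables TLS 1.2 for both the server and client sides of Schannel, which is what IIS, RDP and most other Windows services use. It assumes an elevated session and a reboot afterwards; the helper function name is this example's own.

```powershell
# Added example (not from the article): disable SSL 2.0/3.0 and make sure TLS 1.2 is
# enabled for the Schannel provider. Assumes an elevated session; the change takes
# effect after a reboot. On Windows Server 2008 R2, TLS 1.2 is shipped but off until
# it is enabled this way, while SSL 3.0 is on by default and should be turned off.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {   # helper name is this example's own
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 1/0 switches the protocol on or off; DisabledByDefault = 1 stops
        # callers that did not ask for a specific version from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Weak state: SSL 3.0 (and SSL 2.0 on older builds) negotiable. Hardened state: both
# off, TLS 1.2 on. Drop TLS 1.0/1.1 the same way once clients are confirmed to do 1.2.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Review the resulting state before rebooting.
Get-ChildItem $base -Recurse | Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault
```

Test against a copy of the real client population before removing TLS 1.0 and 1.1 as well: the protocol floor is only as high as the oldest browser, agent or partner system that still has to connect.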
Service Hardening and Attack Surface Minimization
Finally, there's the issue of the nodes being accessible over the Internet in a world without firewalls. We've secured the data with RMS, we're using host-based firewalls, host-based IDS/IPS, maybe IPsec, maybe SSL, and some sophisticated anti-malware. We can complete the security circle by making sure that the attack surface on the node is as small as possible and that all services on the node are hardened - so that only legitimate input is accepted from authenticated and authorized users. Invalid input is rejected, and any input from an unauthenticated or unauthorized user is rejected.
In a Windows world, you can do this on Windows Server 2008 R2 servers by using the Best Practices Analyzer and security configuration hardening guides. In addition, you can deploy Windows Core server, which removes even more of the potential attack surface. If you deploy the servers with only the services you want available, and harden those services, you'll go a long way toward improving your overall security in a world without firewalls.
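Before hardening guides can be applied, you need to know what a server actually exposes. The following added example (written for this article, not the author's or Microsoft's code) inventories every listening TCP port on a Windows host, maps it to the owning process and service, and flags anything outside the port list the server's role is supposed to expose. It assumes Windows Server 2012 or later for Get-NetTCPConnection; the expected-port list is a placeholder for a web server role.

```powershell
# Added example (not from the article): inventory what is actually listening on a
# server and compare it with the ports the role is supposed to expose, so every
# extra service can be disabled or removed before the host faces untrusted networks.
# Assumes Windows Server 2012 or later (Get-NetTCPConnection). The allowlist below
# is a placeholder for a web server role (HTTPS plus WinRM).

$expectedPorts = @(443, 5985)

# Service table keyed by process id, so a listener can be tied back to its service.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $conn.LocalPort
            Process  = $proc.ProcessName
            Services = ($services | Where-Object ProcessId -eq $conn.OwningProcess).Name -join ','
            Expected = $conn.LocalPort -in $expectedPorts
        }
    } | Sort-Object Port -Unique

$listeners | Format-Table -AutoSize

# Anything unexpected is a candidate for Stop-Service / Set-Service -StartupType Disabled,
# or for removing the role or feature that installed it (Uninstall-WindowsFeature).
$listeners | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Port $($_.Port) ($($_.Process); $($_.Services)) is not part of this server's role"
}
```

Run the inventory again after the host firewall policy and Server Core or feature removal have been applied: the listening-port list and the inbound allow rules should describe the same, short set of services.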
In this article, I talked about some things you can do to secure your environment in a world without firewalls. While at first blush it might appear that security will be a nightmare without a firewall, a deeper look at the situation reveals that it might not be nearly as bad as you might think - and that in the end, if you use the methods and technologies discussed in this article, your overall security posture can be better than it was when you set up a firewall at the edge of the network and called it "secure."