Security Planning Prior to a TMG or ISA Firewall Replacement
As the TMG firewall fades away into the sunset, it’s important to remember that there are still many, many companies running the TMG firewall. And why not? It’s still a great firewall and it continues to work. It will be supported by Microsoft for another 6 years or so. Given that, it’s no wonder that so many of you don’t feel compelled to quickly replace our beloved firewall.
While I agree that you don’t need to “feel the burn” right now, I do think you need to be aware that the heat is slowly increasing. Six years go by far more quickly than they ought to, and the complete end of the TMG firewall will come, so the earlier you start making plans for that sad day, the better off you will be.
There are a number of good firewalls out there, and you’re going to need to think about what your requirements for those firewalls will be. How to pick your ISA/TMG replacement is something that we’ve discussed in the past, but what we didn’t delve into is the “big picture” that goes along with migrating to a new security solution. If you’ve ever bought a new piece of furniture, you know that rarely can you just bring it into a room and plop it down; inevitably you’ll find that some of the existing pieces and accessories need to be rearranged or even replaced to accommodate the new item.
That means more work than you might have anticipated, but let’s look at the bright side. As with most big changes, this one presents an opportunity. Getting a new firewall more or less forces you to review your overall network security status and policies, just as getting a new sofa makes you reevaluate the whole floor plan and decor.
During the review process, you might discover that entropy has set in and things are not exactly as you might want them to be. If your network security policy was created several years ago (or in the 1990s), you might find it to be a little out of date and in need of a good dusting off and some revisions. Now is the time to modernize your security policies and think about how your firewall integrates with them.
Pinpointing your requirements
The first thing you’ll want to do, before you even start to think about the firewall brand and model you’ll eventually get, is to identify which resources absolutely must be secure. After doing that, you can determine order of priority. As an example:
- Mission critical resources on which your company depends
- Redundant and back-up systems that are used for fault tolerance, backup, disaster recovery and business continuity
- Secondary systems that are used for uptime and performance enhancements
- Base systems that provide the core infrastructure capabilities that are required to run the applications your business needs to run and give it a competitive advantage
Now we can get into the network security piece of the equation. What you need to do here is identify minimum security requirements for all of your connections to the Internet and other off-premises locations. Some, although not all, of these locations might include:
- Employee remote access VPN connections that provide access to the corporate network from home and other off-premises locations
- Site to site VPN connections that are used to connect the main office to branch offices
- Employee and vendor broadband (DSL, cable modem, etc.). These are the network connections that your employees and the employees of your partners use to connect to your corporate resources
- Vendor access points; these might be over a VPN connection or some other transport that provides access to internal network resources
- Business-to-business access; these connections allow you to work more quickly with your key partners, often through a direct link between organizations
Assessing your network
We’d all like to think that we’re on top of everything that’s going on in our network. For some of us, that’s definitely the case. But many of us don’t have a holistic understanding of our networks and the connections between different resources on that network. This is especially likely to be true if you came onto the job after the network had already “grown that way.” In that case, it’s time to do a complete inventory and assessment of the network.
That might sound a little daunting, but this is a critical task. After all, you don’t know what you don’t know! The network security team needs access to this information so that they can come up with security requirements for the new firewall that will replace the TMG firewall. And don’t leave out the most important part of performing such an assessment: Document, document, document.
Does your security team have quick access to the following network documentation?
- Network diagrams of routers, switches, wireless access points, VPN concentrators and cable pathways
- Performance data and trends in that data that will help define the performance qualities that are required of the TMG replacement
- Protocol profiles that provide insight into which protocols are used over the network as well as which ones are used more than others, so that the TMG firewall replacement will be able to optimize those protocols
- Locations of key servers that provide data access for the organization, so that the network can be optimized to provide access to those data points
- The location of the access points to various security domains throughout your network infrastructure, the physical and logical demarcations for those access points, and whether you have choke points in addition to access points
- Your vendors’ point of contact information (ISP, telco, firewall, switch, router, etc.)
Upholding business priorities
It’s not just about the firewall and its capabilities. Remember, the firewall exists within a complex ecosystem and it’s a key player in that ecosystem. In order to understand how to deploy the new firewall, you will need to help your security group understand the order in which business functions need to be restored in the event of a widespread outage.
- The security response team must have a full understanding of which systems need to be restored to full operation and in what order. With that understanding comes an analysis of where to place the firewalls that allow access to those systems and any distributed firewall policies that can be used to ensure the correct order of operations.
- The order of operations must match your business objectives and priorities. Here is a critical rule: don’t make assumptions about this. Contact service administrators in your organization and get a well-defined set of requirements for those services. Make sure that you and the service administrators have a common understanding and be sure that common understanding is on paper. You’ll be glad you did this if and when “something bad” happens.
Incident response plan
Security incidents are going to happen; that’s just a sad fact of life. When they do happen, how do you respond to these incidents? Human nature is funny; for many of us, the natural inclination is to first put our heads in the sand and pretend it didn’t happen. It’s okay to do that for about 15 seconds, but after that, you need to snap back into reality and act.
If you’re going to respond as quickly as possible, you need to have a plan in place long before an incident occurs. That means you need to think about your information disclosure policy as it applies to communications about security related events as they occur. Here are some questions to ask:
- Which information do you need to share with others in your organization? Even before you define who those others are, think about what information needs to be shared with “somebody”
- Once you figure out what information needs to be shared, who are you going to share it with? Internal organizations? External organizations? Partners? The government? Your customers? Anybody else? Make sure you know with whom you must (by law or industry regulations), and with whom you can choose to share or not.
- What are the circumstances that will trigger an information sharing action based on a security event?
- What is the critical information that must be shared with those who consider the information mission critical to their operations?
- Who needs to share what information and with whom? There should be a number of specified officers in your company who can and will share the information based on their own points of contact. Some of these officers would commonly include the Chief Security Officer, Chief Legal Counsel and HR representative
How do you document, distribute, and follow up on reports of security events? There are a number of different events that require this. Some examples include:
- Access denied responses
- Failed login attempts
- Failed and successful attempts to access holes in the system that could represent back doors into critical and non-critical systems
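The protocol profile asked for in the network documentation list above, and the access-denied and failed-login events listed here, can both be pulled from the same firewall log export. The script below is an added example, not code from the original article, and the log lines it parses are constructed in a simplified space-separated format (timestamp, client IP, destination IP, destination port, protocol, action, rule) that is not TMG’s real log schema; the action names (Allowed, Denied, FailedAuth) and the escalation threshold are assumptions for the example. It ranks protocols by share of traffic and groups denied or failed events by source so that repeat offenders can be documented and followed up.

```python
"""Build a protocol profile and a denied/failed-event report from firewall log lines.

Added example, not from the original article. The log format is constructed and
simplified (not TMG's actual schema):
    timestamp client_ip dest_ip dest_port protocol action rule
"""
from collections import Counter

# Constructed sample export; IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2013-05-01T09:00:01 10.0.1.15 203.0.113.10 443 HTTPS Allowed WebAccess
2013-05-01T09:00:02 10.0.1.16 203.0.113.11 80 HTTP Allowed WebAccess
2013-05-01T09:00:03 10.0.1.15 203.0.113.10 443 HTTPS Allowed WebAccess
2013-05-01T09:00:04 10.0.2.7 10.0.0.5 25 SMTP Allowed MailRelay
2013-05-01T09:00:05 10.0.1.20 198.51.100.4 3389 RDP Denied DefaultDeny
2013-05-01T09:00:06 10.0.1.20 198.51.100.4 3389 RDP Denied DefaultDeny
2013-05-01T09:00:07 10.0.1.16 203.0.113.12 443 HTTPS Allowed WebAccess
2013-05-01T09:00:08 10.0.3.9 10.0.0.5 443 HTTPS FailedAuth VPNAccess
2013-05-01T09:00:09 10.0.3.9 10.0.0.5 443 HTTPS FailedAuth VPNAccess
2013-05-01T09:00:10 10.0.3.9 10.0.0.5 443 HTTPS FailedAuth VPNAccess
2013-05-01T09:00:11 10.0.1.15 203.0.113.10 443 HTTPS Allowed WebAccess
2013-05-01T09:00:12 10.0.2.7 10.0.0.5 25 SMTP Allowed MailRelay
"""

# Assumed action values that warrant documentation and follow-up.
REVIEW_ACTIONS = {"Denied", "FailedAuth"}


def parse_log(text):
    """Parse the simplified log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            # A malformed line should not abort the whole profile.
            continue
        ts, client, dest, port, proto, action, rule = parts
        try:
            port = int(port)
        except ValueError:
            continue
        records.append({
            "timestamp": ts, "client_ip": client, "dest_ip": dest,
            "dest_port": port, "protocol": proto, "action": action, "rule": rule,
        })
    return records


def protocol_profile(records):
    """Return (protocol, count, percent) tuples, busiest protocol first."""
    counts = Counter(r["protocol"] for r in records)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, c, round(100.0 * c / total, 1)) for p, c in ranked]


def events_needing_followup(records, threshold=3):
    """Group denied/failed events by (source, action, rule); flag repeats."""
    by_source = Counter(
        (r["client_ip"], r["action"], r["rule"])
        for r in records if r["action"] in REVIEW_ACTIONS
    )
    ranked = sorted(by_source.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"client_ip": k[0], "action": k[1], "rule": k[2],
         "count": n, "escalate": n >= threshold}
        for k, n in ranked
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Protocol profile:")
    for proto, count, pct in protocol_profile(recs):
        print(f"  {proto:<6} {count:>3} ({pct}%)")
    print("Events to document and follow up:")
    for ev in events_needing_followup(recs):
        flag = " ESCALATE" if ev["escalate"] else ""
        print(f"  {ev['client_ip']} {ev['action']} via {ev['rule']}: {ev['count']}{flag}")
```

The protocol ranking is the input to the “which protocols are used more than others” question for the replacement firewall; the follow-up report is the raw material for the event documentation described above, with the threshold separating a one-off denied connection from a pattern that needs a recorded response.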
Out of band modes of communication are required to support systems when the main network is under attack or has otherwise been compromised. This will allow you to communicate when service operations have been compromised to the extent that communications are impeded. Some out of band communications methods you can use include:
- Cell phone voice communications
- Cell phone TXT messaging
- FAX machines (you can’t get much more out of band than that)
The on-going process
Always remember that security is a journey, a process, and not a destination. You need to define a schedule for updating your processes and testing the efficacy of your processes. Before you do that, you’ll want to ask the following questions:
- Are your policies and procedures reviewed and updated on a regular basis (quarterly, bi-annually, annually)?
- Which departments need to be involved? Some of them might include IT, HR, legal, upper management.
- Do you run regular test scenarios to drill your systems and your procedures? This is the only way you’ll know that your policies and procedures will be effective when the time comes that you’ll need them.
Security professionals need to have a tight relationship with attorneys and human resources. What you do has major impact on what they do and vice-versa. You’ll need to review the legal aspects of your security policy and procedures and work with your HR department and legal counsel. Some things you might want to discuss with them include the following questions:
- Are your security policies enforceable?
- Do your security policies and procedures conform to local, state, and federal laws?
- Do you perform the requisite due diligence to protect confidential information (and more important, can you prove that you do)?
- Are there explicit procedures in place to enforce chain of custody for documenting an intrusion?
- Are the security team and IT, as well as the company as a whole, protected in case of a severe intrusion?
- What would be the impact from a risk perspective if an attacker were to penetrate the systems of a partner company that has access to your systems?
- What are your liabilities if confidential data (corporate, vendor, customer) is taken and used by an intruder?
While we all will rue the day when we must put the TMG firewall to bed and leave it in its final resting place, we can still take advantage of the situation by using it as a catalyst to see how a new firewall will fit into our overall security strategy and to review our current security position, policies and processes. I hope this article has provided you with some food for thought in that regard.