Question

Understanding the Evolution of Network Security

1. What is the difference between a port‐based firewall and a stateful inspection firewall?

2. To effectively address data leakage with a firewall solution, organizations should:

3. For PCI DSS version 1.2 compliance, what are the requirements that address firewalls?

4. Why are traditional port‐based firewalls largely ineffective with today’s applications?

5. Name some obstacles organizations must overcome to effectively implement DLP technologies.

Answer #1

1. Port-based firewalls - Port-based firewalls are relatively inexpensive, simple to operate and maintain, have decent throughput, and have been the old standard for nearly 20 years.

However, the reality is that these types of firewalls and their variations are simply not positioned to handle the current and emerging challenges of today effectively. Some might even consider this type of technology from the dark-ages.

Port-based firewalls are ancient in many ways and in most cases are simplistic in their approach, usually all or nothing, or in this case allow or block.

Legacy (port-based) firewalls of this type use both source and destination IP addresses and TCP/UDP port data to figure out if a packet should be allowed to pass between networks or different parts of your network. They quickly scan the first few bytes of the TCP or UDP header to establish the appropriate application protocol, i.e. SMTP port 25 and HTTP port 80.

Stateful Inspection Firewalls - On the other hand, stateful inspection (SI) is a technology that controls the flow of traffic between two or more networks. SI firewalls track the state of sessions and drop packets that are not part of a session allowed by a pre-defined security policy. This is sometimes called session-level protection because they keep state information for each network session and make allowed/denied decisions based on a session state table.

These firewalls combine both packet inspection technology and TCP handshake verification to create a level of protection greater than either of the previous two architectures could provide alone.

However, these firewalls do put more of a strain on computing resources as well. This may slow down the transfer of legitimate packets compared to the other solutions.

2. Some best practices that the organization can use to minimize the risk of accidental data leakage include:

  • Applying a Policy of Least Privilege (POLP) to Data Access. It’s hard for someone to accidentally leak data they don’t have access to. A policy of least privilege restricts each user’s data access to the absolute minimum they need to perform their job function. Using such a policy also helps to minimize the risk of intentional data leaks, too.
  • Place Restrictions on What Email Domains Employees Can Send Attachments to on Company Systems. Some email clients and applications allow you to organize people into groups or organizations and manage out-of-group communications to some extent. For example, Google Drive can be set to generate a confirmation screen/warning when sharing access to a file with someone outside the employee’s organization/group. Using these kinds of alerts can make it much less likely that data will be accidentally shared.
  • Establish a BYOD Policy and Enforce It! A bring your own device (BYOD) policy can help your organization define the rules for if and how employees may use personal devices, such as smartphones, laptops, USB drives, and other devices that can be used to copy, store, and transmit data in the workplace. If such devices are not allowed (or have their use restricted) in the workplace, it can reduce the risk of accidental data leakage.
  • Provide Cybersecurity Awareness Training. Employees need to know not only what the biggest data leak risks are, but what the potential impacts of such leaks can be for the organization. Providing such awareness training helps employees avoid making basic mistakes that lead to data leaks. Additionally, it can help employees identify phishing attempts and other strategies that malicious actors may try to use to steal data.

3. The PCI DSS version 1.2 is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. The requirements that address firewalls are:

a. Install and maintain a firewall configuration to protect cardholder data

b. Do not use vendor-supplied defaults for system passwords and other security parameters

c. Protect stored cardholder data

d. Encrypt transmission of cardholder data across open, public networks

e. Use and regularly update anti-virus software or programs

f. Develop and maintain secure systems and applications

g. Restrict access to cardholder data by business need-to-know

h. Assign a unique ID to each person with computer access

i. Restrict physical access to cardholder data

j. Track and monitor all access to network resources and cardholder data

k. Regularly test security systems and processes

l. Maintain a policy that addresses information security for employees and contractors

4. Reasons why traditional port‐based firewalls are largely ineffective with today’s applications are as follows:

1 Limited Control

Port-based firewalls are ancient in many ways and in most cases are simplistic in their approach, usually all or nothing, or in this case allow or block.

Legacy firewalls of this type use both source and destination IP addresses and TCP/UDP port data to figure out if a packet should be allowed to pass between networks or different parts of your network. They quickly scan the first few bytes of the TCP or UDP header to establish the appropriate application protocol, i.e. SMTP port 25 and HTTP port 80.

2 Not Everyone Plays by the Rules on the Internet

The majority of traffic taking place on our networks today comes from the internet; however, this doesn’t only come in the way of web traffic.

Organizations are dealing with newer, more sophisticated applications both for our daily lives and for business operations. While many of these applications do make us more productive and increase our efficiency, they also consume a lot of bandwidth and in many cases can increase your risk of a data leak or compliance issue.

One of the biggest problems with newer applications today is that they incorporate a lot of new methods to avoid traditional port-based firewalls such as port hopping and tunneling.

The Band-Aid to this flaw when using port-based firewalls has been to incorporate other systems to help compensate.

Oftentimes this means using things like intrusion prevention systems, URL filtering, proxies and other expensive and complex systems. Unfortunately, today’s application and threat landscape has made this approach not only costly but mostly ineffective as well.

3 Data Compromise

Data loss prevention is sometimes considered a viable solution; however, because of the size and usually distributed make-up of many businesses’ data, it’s almost impossible to figure out where your sensitive data is located and who owns it.

Whether between the inside and outside, or between internal users and internal resources in the data center, the firewall is the perfect solution to support this task.

Here’s the deal, though: port- and protocol-based firewalls are blind to your applications, users, and content. This makes controlling any and all applications that are used to compromise data, whether that’s directly or as part of a larger system, impossible to do.

It’s critical that you can control all of your applications and the movement of your sensitive or private data across your network; doing so could prevent your business from ending up in the news for another catastrophic data breach. Just remember, port-based firewalls can’t provide you with this type of functionality, only a next-generation firewall can.

4 Compliance

Compliance and security regulations such as HIPAA, FISMA, or FINRA are adding constant pressure on IT teams to make sure their data protection and network security strategies are up to date and successful.

The cost of a data breach is incredibly expensive, and even more so when you consider the damage that can be done to your business’s reputation and what it might cost the individual victims.

It’s important to always remember that security and compliance, while definitely related, are not the same thing.

The challenges posed by today’s cyber threats and mobile/application-based environments require that your firewall has the ability to track and precisely control all of your applications, while at the same time having complete visibility and control over all of the traffic flowing in and out of your network.

Again, the problem is that port-based firewalls simply don’t have the proper capabilities to meet these requirements today.

5. In protecting sensitive data from loss, DLP systems face many challenges, and like other security mechanisms, these challenges can render the system ineffective. Some obstacles organizations must overcome to effectively implement DLP technologies are:

A. Leaking Channels - Every day there is a need to share and access data between different media and users, and this is done with the assistance of intermediate channels. In an ideal scenario these channels are used to legitimately exchange data from one end to another; however, these channels can also create a major threat in the leakage of sensitive data.

B. The Human Factor - Humans are generally complex beings, as their behaviors and motives are usually hard to predict or to determine, as they are influenced by many factors, which could be psychological or sociological.

C. Access Rights - Access rights have always been a key feature in the deployment of any security mechanism, including DLP systems. Therefore it is of great importance to be able to categorize these access rights properly and to be able to separate each category of users from each other based on their level of permission. DLP systems won’t be able to prevent illegitimate users from accessing confidential information if there is not a proper categorization of access rights in place.

D. Encryption and Steganography - Encryption is another major challenge faced by network-based DLP systems, as these systems use different forms of analytical techniques in identifying copies of the sensitive data and comparing it with the original data that have been classified as confidential. But with complex encryption of the confidential data by the user, it makes it hard for the DLP system to be able to analyze such data content, thereby creating a major vulnerability in the system.

E. Data Modification - Some DLP systems are designed to compare the original sensitive data with inspected traffic flowing through the system by using data signatures and patterns to achieve prevention of data leakages. In this system, detection occurs whenever there is a signature and pattern match to that of the confidential data or when there is a high percentage of similarity to the confidential data.

F. Scalability and Integration - The volume of data processed can affect the performance of any security mechanism deployed in securing an organization’s assets. DLP systems can also be a victim of such challenges, which means when deploying them either in a host, network or storage section, it should be effective in performing its function and smoothly incorporated into the system without affecting or causing delay in the entire work flow of the organization’s system.

G. Data Classification - Data classification is the process of organizing data into categories or levels for effective and efficient use. This definition implies that DLP systems rely entirely on well-defined data classification to enable the system to differentiate confidential data from normal data. The main purpose of classification of data is in determining the baseline of security controls to be used in safeguarding data.
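A small simulation of the two decision models contrasted in answer 1 (port-based versus stateful inspection), written here as an added example that is not part of the original answer: a constructed four-packet trace is run through a per-packet address/port/flag filter and a session-table tracker, to show where the per-packet model accepts an inbound packet that belongs to no session opened from inside. The Packet class, the example addresses and the simplified "allow inbound source port 80 with ACK" approximation of return traffic are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    inbound: bool   # True if the packet arrives from the outside network

def port_based_allow(p: Packet) -> bool:
    """Legacy model: one decision per packet from headers alone.
    Policy: inside hosts may browse the web. With no session memory,
    'return traffic' can only be approximated as inbound packets from
    source port 80 carrying ACK (assumed rule for this example)."""
    if not p.inbound:
        return p.dport == 80                 # outbound HTTP requests
    return p.sport == 80 and "A" in p.flags  # anything that looks like a reply

class StatefulFirewall:
    """Session model: a table of connections opened from inside; an inbound
    packet is allowed only if it matches an entry in that table."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()
    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if not p.inbound:
            if p.dport != 80:                  # same port policy as above
                return False
            if "S" in p.flags and "A" not in p.flags:
                self.sessions.add(key)         # SYN from inside opens a session
                return True
            return key in self.sessions        # later outbound packets of a session
        reverse = (p.dst, p.dport, p.src, p.sport)
        return reverse in self.sessions        # inbound must answer a known session

# Constructed trace (addresses are documentation/example ranges, not real hosts)
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", False),   # inside opens HTTP
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", True),   # genuine reply
    Packet("203.0.113.10", 80, "10.0.0.7", 40001, "A", True),    # unsolicited, reply-shaped
    Packet("10.0.0.5", 40002, "203.0.113.10", 25, "S", False),   # outbound SMTP, not in policy
]

def evaluate(trace: list) -> list:
    """Return (port_based_decision, stateful_decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(port_based_allow(p), fw.allow(p)) for p in trace]
```

The third packet is the point of the comparison: the per-packet filter passes it because source port and flags match its reply rule, while the session table rejects it because no inside host opened that connection.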
