Make the best use of what you have before buying Yet Another Box
June 29, 2012 Leave a comment
Infoworld has an article basically saying that firewalls are helpless, blacklists ineffective, and you need Yet Another Box to do outbound deep packet inspection.
I don’t agree. People should make the best use of what they have already before piling more things into the mix. The approach of adding more hardware and software to “improve” security is like buying exercise equipment to get fit, when you haven’t used your running shoes in months. You have to make the best use of each tool you have, or all you’re doing is spending money to do SOMETHING, while most likely not improving your security.
Infoworld states the problem fairly accurately, but there are some serious holes in the description of what firewalls can or cannot do. They also give improper short shrift to the value of DYNAMIC blacklisting as part of the solution to the problem.
First, a firewall can filter traffic in any direction. It’s a matter of how it is configured. It is true that the overwhelming majority of firewalls only apply filters inbound, and allow (almost, many now only allow SMTP outbound from the authorized mailservers) all traffic outbound.
Second you can use blacklists to filter outbound connections. They correctly point out that maintaining one yourself is a lot of work, and often not much benefit. However, that doesn’t invalidate a blacklist as a very valid first filter inbound and last hope outbound. The trick is that that blacklist has to be based on real time intelligence. It has to include not just things like geography, but the currently active vulnerability scanners, password crackers, Command and Control hosts, Data Dropboxes, and malware droppers. Those systems tend to be highly dynamic, and so the list needs to be updated regularly.
ThreatSTOP provides such a service that runs on existing firewalls.
Deep packet inspection outbound can also be helpful, and adds security and visibility, for those able to make use of it. Its major weakness is that it can’t inspect a lot of encrypted traffic. Unsurprisingly, the latest and most virulent malware uses encryption, often with perfect forward security.
As with most solutions involving Yet Another Box, this is out of reach, due to cost and the operational complexity of installation and management, for most people.
The combination of:
- a well configured firewall with a dynamic block list and alerting and reporting on which hosts are going where they shouldn’t
- a cloud based content filter (like OpenDNS)
- a good host based security program (Kaspersky or Eset are consistently the best)
will vastly improve the security posture of the overwhelming majority, without busting the bank.