Compliance Unfiltered is TCT’s new podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Firewalls
Quick Take
Everyone knows the term “firewall” but not everyone understands how to set up a firewall, who in the organization needs to be responsible for firewalls, and what the hell a firewall is in the first place.
Have a small organization and think you’re too small to be found by cyberattackers? Have a large organization and think you have all your bases covered? This episode breaks down, step-by-step, how to ensure you aren’t overlooking key maintenance issues that could spell disaster for your security.
In this episode, we discuss:
- Why you should care about firewalls
- A war story of an actual attack
- What is a firewall, really?
- What you should be doing with firewalls, and where to start
- Ongoing firewall maintenance
- Common challenges to watch out for
Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd Coshow
Well, welcome in for another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one and only Adam Goslin here with all of your compliance knowledge. Adam, how the heck are you today?
Adam Goslin
I’m doing fantastic.
Todd Coshow
Good to hear, good to hear. I’m excited about this episode, actually not because this is something that I thought we were going to talk about, but just because this is kind of one of those by-popular-demand topics that we’re covering today.
Todd Coshow
And just looking at the overall kind of interest, I would say in the content that we’re putting out at TCT, we’ve noticed that there’s a substantial bit of interest in the world of firewalls. Adam, what the heck is a firewall? Why do people care?
Adam Goslin
Well, you know, I wanted to start with just kind of waving a flag: if you’re listening to this podcast and you’re more on the business side, you’re not one of the gear heads, seriously, do yourself a favor and forward this podcast over to your favorite gear head and have them listen through it, because honestly, there’s going to be a ton of valuable information in this particular episode. So that said, as I look at a firewall, effectively at a high level, it’s the traffic cop. It’s configured to make decisions about, you know, what data and what information is allowed into the environment, can leave the environment. Where can it go? From a high level perspective, that’s a good starting point.
Todd Coshow
Yeah, that’s fair enough. I mean, basically, I have to ask for as many years as you’ve been in the information security space, you have any good stories, any war stories about firewalls and you know, firewalls gone wrong and why this really matters so much.
Adam Goslin
Yeah, actually, the best the best story that I’ve got is, is that, and this actually happened before, like, right, right as I was starting to get into the security and compliance space. And I had an opportunity to, you know, one of the folks on my team said, Hey, you know, Adam, you need to come in here and take a look at this.
Adam Goslin
And so I go into the server room, and we’re literally standing there staring at a console. And it was an interface that was showing literally an attack in progress. There, we were standing at the console and watching these attackers
Todd Coshow
In progress?
Adam Goslin
Like, active, live, in progress. We were actually watching these hackers running scripts, you know, kind of against the environment. And what ended up happening was, number one, we see this, and we’re like, it’s not us, not us, not us. Okay, we ended up just pulling the plug on the machine, and started to do the digging and the analysis and things along those lines. Well, quite frankly, the only thing, like literally the only thing, that saved this particular company from just having its butt handed to them was that the attacker script blew up and failed right in the middle of a run. And that was the only thing that happened to save us from things going horrifyingly wrong. And we started to do an investigation into, okay, so what happened, you know, sorting logs and trying to piece this all together.
Adam Goslin
And as we’re staring at these logs, we kind of could start tracing it back. And it was fascinating. The, the company, you know, the first the kind of the first attacker, you know, hit the happened to hit the IP address of the of the firewall. And, and basically, it was like, are you alive test, right? And so we see the are you alive test comes in? Yes, I’m alive. And then all of a sudden, that IP would go away. Let’s say that IP came out of like, you know, whatever, Ukraine, right? So the Ukrainian IP goes away, about 30 seconds later, then then there came in four different IP addresses from all over the globe. So there was there was one in France, there was one in South America, there’s another one in Russia, you know, and another one in Africa, come in and they’re all now saying, Okay, I’ve got a live box. Now I’m going to see what type of a device this is that I found. And so they were you know, they were doing one was checking to see if it was a you know, if it was a website, or another one was seeing a file server, etc.
Adam Goslin
Those four did their initial sniff test round, they go dark, then 30 seconds later, another round of probably 12 different IPs from all over the globe come in. Now that they’ve gotten the answers or the responses from what types of type of a box or what type of accessibility they’ve got, those ones come in doing more directed tests against, you know, against that particular IP. And you could just see this stuff coming through in waves. And that was all kind of the precursor that we could see through the, you know, through the logging, you know, which led to them finding a hole in the firewall, being able to get through to a box and start actually running attacks on the device itself.
Adam Goslin
It was it was it was absolutely eye opening, you know, going in and seeing what all had gone on with this, how automated it was how, how advanced they were. And keep in mind, Todd, this wasn’t this wasn’t like last year right. This was this is like 15 years ago. So, you know, I mean, how much better are they now? Right? I mean, it’s, it’s absolutely nuts.
Todd Coshow
Exponentially, I would imagine it’s that is crazy stuff. Let me ask you what’s wrong with companies thinking that they’re like too small? I mean, I know that that we have a lot of folks that listen to the show that are, you know, kind of that small to mid market business. And they’re not necessarily concerned about like, why would anybody want to hack me? What do you hear those folks?
Adam Goslin
Well, and the way that I relate it to people is this, is that you remember a long, long, long time ago in a land far, far away when you’d have your unlisted number, right? You’ve got to pay to get your number unlisted. And then of course, when the phone rings and it’s some sales guy or sales girl, you know, they, that is basically just randomly dialing numbers. So, you know, they dial the area code one, one, one, one, one, one, and then they try one, one, one, one, one, two, three, four. And, and so they find the number that’s unlisted and everybody’s like, oh my God, this is horrifying. We pay for our number to be unlisted. How did they ever find us? You know, and, and it’s just the, you know, the, the robocall, you know, random dialers just trying number after number after number.
Adam Goslin
Well, in the technology world, every machine that sits out on the internet has effectively a phone number. It’s four different digits separated by three dots. There’s, you know, kind of three in each section. So what they’ll do is they’ll go to one dot one dot one dot one and run their test, and one dot one dot one dot two. So it doesn’t matter. If you are the big multinational corporation or you’re the small, the mid-market player, it doesn’t have anything to do with how large or how small you are when it comes to these folks, basically, rando dialing servers. Yeah. I mean, they’re just looking for an open machine, and then we’re going to see what all we can go do with it. So it does not matter if you’re large or small, you are getting found.
Adam Goslin
And the interesting part is that if, if somebody goes in and they, you know, they want to validate this, right, just go in and look at your firewall, go look at the traffic that’s hitting it, and you’re going to see, I’d say on, on average, anywhere between at least five to 10 different sniff test random attacks daily, you know, against your, against your firewall.
Adam Goslin
So this notion that, well, I’m too small and they won’t care about me, it’s got nothing to do with it, you know, and it’s really one of the big, one of the misnomers, you know, in the, you know, in the space, especially for the, for the smaller organizations.
Todd Coshow
No, and that’s great information to have, and now this really comes on to the question. If you made it this far into the podcast, I’m really appreciative of the fact that you still have this question, but I think we should come on to it now, Adam, because it makes a ton of sense. All this talk about firewalls: what the hell is a firewall?
Adam Goslin
All right, well, fair warning, we’re gonna need to get into a little bit of technical depth here. So we’re about to dial up the technology ratchet. You know, the bottom line is that the firewall is controlling all the flow that comes into and out of that environment. It allows the ability to lock down the traffic, so I can lock it down to say there’s only specific sources that can come in and hit this particular machine within my environment.
Adam Goslin
So as an example, you know, like a web server, you’re probably gonna leave that either open to the internet, you know, anybody can come in and hit it, or, if you want, because of your business, you can seclude that traffic to North America, or do it geographically; then you’ve got that ability to go lock that down. The other part is that you’ve got the ability to lock down the destinations for traffic. And that’s really an important element when it comes to firewalls, is that, you know,
Adam Goslin
a lot of folks will sit and spend a whole ton of time, you know, worrying about, well, who can get in and where can they come from and blah, blah, blah, but then they miss the, you know, hey, I need to control that outbound flow.
Adam Goslin
Why? Well, if you’re one of these poor companies, like my first war story, if you will, if somebody breaches the outer defenses and happens to get onto the internal network, well, now we want to be able to limit where all they can expunge data to. It’s an important aspect of that as well. And then keeping in mind, from a firewall perspective, any particular IP address or machine that you’ve got, there’s really two main kind of channels of communication for each individual machine. One’s called TCP and one’s called UDP, and on these two channels you’ve got over 65,000 different ports across each of those, so I’ve got over a hundred and thirty thousand potential ports that I can configure inbound or outbound for each individual machine that sits on the network. So,
Adam Goslin
you know, at the end of the day, there’s a lot of ways to be able to lock these devices down to what’s needed. But there’s also a ton of ways that people can, you know, leave things more open than they should, and so the risk goes up, if you will.
Todd Coshow
That makes sense, but what should clients, you know, what should people be doing about it?
Adam Goslin
Well, you know, at the root of it, there’s a there’s a premise in the security and compliance space of locking things down to only that which is needed and that’ll really be, you know, really be the objective here is to is to accomplish that goal.
Todd Coshow
And I mean, where should you really get started on this as you’re looking to get it to undertake it?
Adam Goslin
Yeah well, it depends on the maturity of the organization. I’m gonna go under a guiding assumption that the organization we’re talking about either has never done this before, or is wanting to just reassess kind of what they do. So what I’d recommend to folks is the very first thing is, you need to document all of your existing firewall rules. So what I typically recommend is go put those down into, it’s great that they sit on the firewall, but you really wanna go ahead and extract them out of the firewall and put them into some consumable format. For a lot of organizations is that, that’s maybe Excel or maybe they’ve got a tool for, a secondary tool for managing their firewall rules and whatnot, but go ahead and get all of the firewall rules.
Adam Goslin
When I say all the firewall rules, you wanna make sure you’re hitting all your firewalls when you’re going through this process. So in today’s day and age, you’ve got a corporate environment, I’ve got n number of sales offices, or maybe a development location, a location where my developers work out of and whatnot. So make sure that you’re going in looking at each of those. Also, if you’ve got third-party hosting, maybe you’ve got a colo facility or whatnot that you operate out of, include that as well.
Adam Goslin
And then also look to any of the cloud services that you’ve got for any of your virtual environments, then go ahead and look at those as well. But you wanna make sure you at least have gathered up all of the individual rules across, all of the firewalls that you’ve got.
So you really have this full picture of, of what all exists out there. The next step that you wanna do with each of those rules is go ahead and add a new column or have the ability to take notes or whatever, and write up business justifications for each rule.
Adam Goslin
Now that sounds dumb, but the reality is, is that as you go through this process, it’s actually gonna be very enlightening for the company that hasn’t done this before because I can’t tell you how many times, I’ll be going out, we’re working with a client and we’ll pull all the firewall rules and we’re kind of going through them and whatnot. We’re sitting in a group and I’ll say, okay, so why do we have this rule? What’s it doing? And everybody kind of looks right. Nobody knows what it’s being used for and whatnot. It happens more times than you can imagine.
Adam Goslin
So go through each individual rule, and this is kind of with a purpose, right? Write a comment beside each one, and here’s the important element. Why does the rule exist? I don’t wanna know what it does. I wanna know why is it there? And what I mean by that is in form of an example is, I’ll see a firewall rule which will have, be basically allowing web traffic into the web server. And so the gut response from the folks in IT is, well, this allows web traffic in.
Adam Goslin
Oh, all right, that’s great. But why? Why are we allowing the web traffic? For what site or sites are we committing the traffic to come through there? What’s the reason why we have to have it open to the outside world?
Adam Goslin
And some of this may seem apparent, but going through that exercise and breaking it down to the notion of the why of the rule, not what it does, forces thought into is this a real justifiable rule that we really need to have it, et cetera. Evaluate each of those rules based on your justification. So now that I know why this rule should be there, now I can go in and look, is this rule really as limited as it needs to be? So as an example, if we’re allowing web traffic in for a particular vendor to be able to push data over the common web ports and over port 443, should that be open to the entire universe or do I know the IP address of the vendor that I’m trying to facilitate? Well, great. Then let’s go lock down that particular rule, since we don’t need anything else, to only allowing that traffic from that particular IP address, because now I’m not opening that rule up to the entire world, I’m just opening up to what I need.
Adam Goslin
And then finally, updating the documentation. I mean, as you start iterating through these various firewall rules, you’re gonna go in, you’re gonna be making updates and changes to the firewalls themselves. You’re gonna be updating your documentation of those firewall rules, rinsing, repeating, until you’ve gotten through all the way down through those rules, making sure that you’re keeping everything aligned.
Adam Goslin
And the other caveat I’ll throw in here is, and this is an area where folks get a little nervous, right? Oh my God, we’re changing the firewall rules. We gotta be really super careful, we’re gonna break stuff, et cetera. Yep, you are absolutely spot on that going in and tweaking your firewall rules will have a potential for blocking necessary traffic and whatnot. So it’s important to kind of do this on a sanity check kind of combined basis where I go in, I evaluate the rules, I kind of stage up all of my tweaks and whatnot, make my tweaks and adjustments and then go back and do some type of kind of functional testing to make sure I didn’t break anything as I kind of went through that.
Todd Coshow
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow
Adam Goslin
And I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks