You may be wondering why this article is titled “Death of the Layer 2 Firewall”. As we approach a new year, firewalls and other security appliances continue to evolve, and with them come new and more efficient ways to secure your perimeter and endpoints.

Firewalls that operate only at layers 2 and 3 (MAC- and IP-based filtering) are giving way to layer 4 and layer 7 devices that inspect ports, protocols and application content. Features such as content filtering, Geo-IP filtering, and malware/antivirus scanning take these appliances to an entirely new level and make a security team's job easier.

Last night I was configuring a few demo devices for my home network; needless to say, provisioning has become much easier for firewalls and access points, and so has securing your network. I blocked 15 countries and enabled antivirus scanning on my perimeter firewall in less than 15 minutes, and spent another 5 minutes blocking content on the access point's firewall; the longest task was rebooting all my devices to join the new wireless SSIDs. For my kids, I blocked all social media and all NSFW content; on our streaming SSID, I blocked everything but streaming content services; on our general SSID, I blocked everything that I configured for the kids' SSID, minus the Facebook block. All in a matter of minutes!

In the past, security teams had to create inbound/outbound deny rules in ACLs for every address block assigned to a country; now Geo-IP filtering lets you select countries and block them by ticking a check-box. Likewise, the previous best practice for blocking content was to write rules blocking the IPs and URLs of questionable content, or of content the organization deemed banned; category-based content filtering replaces those hand-maintained lists.

Tiered (layered) security is the best practice for securing your assets. Scenario: a remote user lands on a website infected with malware, or even worse, ransomware. If the user is not connected to the corporate VPN and has no endpoint security, they are toast, and chances are they will be calling you very soon to say they need a replacement laptop by tomorrow morning! This is one example of why you still need endpoint security. Anti-malware and antivirus features on a firewall only scan traffic that crosses the perimeter on its way to the endpoint requesting the data. Internal-to-internal communications commonly never touch the firewall, so a virus traversing your internal network will not be detected there. Some firewall vendors are taking endpoint security a step further and now offer a client that installs on each workstation and uses behavioral analysis to detect viruses and other malicious programs, effectively removing the need to download 300MB-500MB of signatures daily or weekly.

In 2016, a National Security Agency exploit was put up for auction online by the group that stole it and subsequently leaked; in the spring of 2017, bad actors incorporated that exploit into ransomware that spread through the SMB service. Infections started in Asia and made their way across the entire globe in less than 12 hours. Healthcare, manufacturing and education institutions were dead in the water and had to resort to paperwork. Luckily for me and the organization I worked for, I had just replaced my two firewalls with next-generation firewalls. Starting at 9 AM, I began checking the summary page and saw multiple connection attempts to Tor sites. After digging a little more, I found a handful of users who had received emails in Office 365 and executed the attached file. Once the file was opened, the application tried to negotiate a handshake with the Tor site; with content filtering and Geo-IP filtering enabled, I was able to stop the ransomware from running the payload, thus saving our network. So I can confidently say that, yes, I have been sitting behind the desk protecting networks, and not just private-sector networks but also government agencies and U.S. Military networks. War games are fun: three monitors up with Wireshark, Kiwi Syslog and another tool, and four empty cups of coffee on your desk, but I digress.
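The triage described above, spotting internal hosts that repeatedly try to reach Tor or other anonymizer destinations, is easy to script against exported firewall logs. The following is an added example and is not the author's tooling or any vendor's log format: the key=value fields, the category names and the sample log lines are all constructed for this example, and the destinations use the RFC 5737 documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in a hypothetical key=value format.
# Destinations use the RFC 5737 documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
2017-05-12T09:02:11Z src=10.20.5.41 dst=203.0.113.7 dport=9001 category=anonymizer action=block
2017-05-12T09:02:14Z src=10.20.5.41 dst=203.0.113.7 dport=9001 category=anonymizer action=block
2017-05-12T09:02:19Z src=10.20.5.41 dst=203.0.113.88 dport=443 category=anonymizer action=block
2017-05-12T09:03:02Z src=10.20.5.41 dst=203.0.113.140 dport=9001 category=anonymizer action=block
2017-05-12T09:05:40Z src=10.20.7.12 dst=203.0.113.20 dport=443 category=business action=allow
2017-05-12T09:06:01Z src=10.20.7.12 dst=203.0.113.7 dport=9001 category=anonymizer action=block
2017-05-12T09:41:00Z src=10.20.9.3 dst=203.0.113.7 dport=443 category=anonymizer action=block
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"category=(?P<category>\S+) action=(?P<action>\S+)$"
)

# Category labels assumed for this example; real products use their own names.
SUSPECT_CATEGORIES = {"anonymizer", "tor", "proxy-avoidance"}


def parse_log(text):
    """Parse key=value lines into dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_beaconing_hosts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {src: summary} for internal hosts with at least `threshold`
    hits on suspect categories inside any sliding window of length `window`.
    One stray hit is noise; a burst within a few minutes looks like malware
    trying to negotiate with its hidden service."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["category"] in SUSPECT_CATEGORIES:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits in `window`.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "hits": len(hits),
                    "first_seen": hits[0]["ts"],
                    "destinations": sorted({h["dst"] for h in hits}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_beaconing_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['hits']} anonymizer hits since {info['first_seen']}, "
              f"destinations {', '.join(info['destinations'])}")
```

With the defaults, only 10.20.5.41 is flagged: it makes four anonymizer connection attempts inside one minute, while the other two hosts each produce a single hit, which is the kind of one-off a user clicking a link generates. Lower the threshold or widen the window when you are hunting rather than alerting.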

In summary, if your organization is still using a firewall capable of only layer 2 and layer 3 protections, start looking at next-generation firewalls. If you already have one, ensure all security services are turned on and properly configured. Within content filtering, specifically block the proxy/anonymizer and Tor categories (the encrypted channel the ransomware in the incident above used to reach its command server and release the payload). If your organization does not do business with organizations outside the United States, block the other countries outright; if it does, you can still block the country, but put the foreign organization's IP addresses in the Geo-IP filtering whitelist so the allow entry takes precedence over the country block. Keep in mind that Geo-IP data is an approximation, so verify an unexpected block before assuming the lookup is right. If you run a Voice over IP system, whether on-premises or in the cloud, exclude your VoIP subnet from deep scanning, since the added latency and jitter degrade voice stream quality.
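The country-block-with-whitelist and VoIP-exemption advice above, together with the hand-written per-country ACLs described earlier that Geo-IP filtering replaces, can be expressed as a small policy evaluator. This is an added example, not any vendor's implementation: the Geo-IP table uses RFC 5737 documentation prefixes with made-up country codes XA and XB, the internal ranges, partner address and VoIP subnet are assumptions, and the generated ACL text follows a generic Cisco-style wildcard-mask syntax.

```python
import ipaddress

# Constructed Geo-IP table: RFC 5737 documentation prefixes tagged with
# made-up country codes. A real feed has thousands of prefixes per country.
GEOIP_TABLE = {
    "XA": [ipaddress.ip_network("192.0.2.0/24")],
    "XB": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("203.0.113.0/24")],
}

# Countries the organization does no business with (example values).
BLOCKED_COUNTRIES = {"XA", "XB"}

# Assumed foreign partner address that must override the country block.
GEO_ALLOWLIST = [ipaddress.ip_network("198.51.100.17/32")]

# RFC 1918 ranges treated as internal; Geo-IP applies only to the external end.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed VoIP subnet exempt from AV/IPS deep inspection, not from policy.
VOIP_SUBNET = ipaddress.ip_network("10.50.0.0/16")


def country_of(ip):
    """Look up the country for an address; None when the feed has no entry."""
    ip = ipaddress.ip_address(ip)
    for cc, prefixes in GEOIP_TABLE.items():
        if any(ip in p for p in prefixes):
            return cc
    return None


def acl_for_country(cc):
    """The old way: one explicit deny line per prefix, Cisco-style wildcard
    mask. Every feed update means regenerating and re-pushing these lines."""
    return [f"deny ip {p.network_address} {p.hostmask} any"
            for p in GEOIP_TABLE[cc]]


def evaluate(src, dst):
    """Return (action, scan, reason) for a flow. Order matters: the whitelist
    beats the country block, and the country block beats the VoIP exemption."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. Whitelist first, so a partner inside a blocked country still gets through.
    for peer in (src, dst):
        if any(peer in net for net in GEO_ALLOWLIST):
            return "allow", True, f"{peer} is on the Geo-IP whitelist"

    # 2. Geo-block on the external end(s) of the flow. An unknown country is
    #    not blocked here, but it is worth logging: Geo-IP data is never complete.
    for peer in (src, dst):
        if any(peer in net for net in INTERNAL_NETS):
            continue
        cc = country_of(peer)
        if cc in BLOCKED_COUNTRIES:
            return "block", False, f"{peer} geolocates to blocked country {cc}"

    # 3. VoIP media is allowed without deep scanning to protect call quality.
    if src in VOIP_SUBNET or dst in VOIP_SUBNET:
        return "allow", False, "VoIP subnet: bypass AV/IPS deep inspection"

    return "allow", True, "default allow with AV/IPS scanning"


if __name__ == "__main__":
    print("\n".join(acl_for_country("XA")))
    for flow in [("10.20.5.41", "192.0.2.10"), ("10.20.5.41", "198.51.100.17"),
                 ("10.50.3.9", "203.0.113.5"), ("10.50.3.9", "198.51.100.9")]:
        print(flow, evaluate(*flow))
```

The ordering is the point: the partner at 198.51.100.17 is reachable even though its country is blocked, a VoIP phone still cannot talk to a blocked country just because it is exempt from scanning, and unknown geolocation is treated as unknown rather than as safe.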

Jonathan Ingram was a Solutions Architect; he and his family now own Premier Broadband & Consulting, LLC, a managed services company specializing in servers, storage, networking, cybersecurity, and services. He has designed and deployed top vendor firewalls and security solutions, and conducted network security audits on public, private and Defense-sector networks. He is a U.S. Military veteran who spent multiple days at a time defending U.S. Military assets from bad actors, assigned at different times to the U.S. Navy's red team and blue team.
