The Evolution of Defense-in-Depth

This post was written by Dan Cole.

As enterprises continue to shore up their defenses in anticipation of the next breach, many security professionals understand that it’s not a matter of if a breach happens, but when. And when it does, the question becomes how soon they will know, before the attack has completed its cycle.

To offset these threats, perimeter security experts have been doubling up on their defense solutions, layering security from the very edge of the perimeter (firewalls, IPS, NGFW) to the deep core and asset points (endpoint software, application firewalls, etc.) of their IT infrastructure. This is done not only to prevent a breach, but to buy time for organizations to respond to such attacks. As I described in my earlier blog, Defense-in-Depth is very much like a “Castle” approach to building your IT security infrastructure.

But much like the castle illustrated here, building such defense mechanisms inadvertently creates chasms. Translated to the cyber realm, the chasms represent the response time between and during ongoing attacks.

Now, on the flip side of the coin, cyber warfare incorporates both offense and defense strategies. The offense approach is structured and labeled by the military (as most things are) as the Kill Chain. Simply put, the Kill Chain from a military model perspective includes the following:

  • Target identification
  • Force dispatch to target
  • Decision and order to attack the target
  • Destruction of the target

By adapting this structured approach, Lockheed Martin coined the term Cyber Kill Chain: a model like Defense in Depth, but from the opposing side, whose aim is to attack an IT infrastructure. The perspective of the hacker, if you will.

These steps include but are not limited to the following:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objective

Today, attackers who have successfully penetrated classic Defense in Depth models have leveraged an adaptation of the Cyber Kill Chain. So what’s the delta? What do IT experts need to incorporate into their defense strategy to help mitigate such advanced attack approaches?

Defense in Depth with Intelligence

As discussed earlier, one of the biggest challenges with the classic defense in depth approach is the inadvertent chasms that are created. These chasms are essentially people, process, and product related.

In larger enterprises there are multiple IT departments, with various responsibilities assigned based on the assets managed. Network engineers may not necessarily know or communicate with the security engineers. Although the aspiration is to ensure that the processes followed are global and relevant to all IT infrastructure touch points, in reality they are rarely followed. Lastly, products that are purchased and then deployed into the enterprise are usually incompatible with each other, resulting in differing log languages and management structures.

Although the people and process challenges are valid problems that will need to be tackled, my responsibility as a product manager of the Network Security Products for SonicWall Security will be to ensure that the chasms of product compatibility with adjacent security technologies are closed. The initiatives launched with our Connected Security vision will help in understanding these challenges better, as we ourselves, being part of the SonicWall technology family, need to bring various disparate technologies together to build a solution that will work not only for our customers but for ourselves (at SonicWall).

One of the biggest challenges, and one approach to minimizing this divide, is building a security communication framework in which all of our products can communicate using a common language. With this ability we would be able to make our products and other devices within our customer’s security infrastructure respond and alert intelligently, minimizing the intervals between the attack cycles incorporated in the Kill Chain model.

As we and our customers continue to shore up our security infrastructure for the next generation of cyberattacks, the existing Defense in Depth model will need to be adapted and upgraded with intelligence. With intelligence we will be helping our customers in addressing the chasms within their castle.

Increase Your Network Security and Control Through Segmentation

When you think about securing a network using a next-generation firewall, in most cases the thought process immediately goes from the Internet to the local area network (LAN). This may be a good way of thinking if you only have hard-wired desktop clients. However, what if the network includes servers that need inbound access from the Internet, or a wireless network? What steps can you take to protect a network that’s a little more sophisticated?

Let’s look at an example of a small network where the user has a few desktop clients connected to the physical LAN, wireless clients and a storage server. For this specific use case the network segmentation is set up in the following way: the LAN network has all of the desktop clients, a wireless LAN (WLAN) network has the wireless clients, and a de-militarized zone (DMZ) is where the storage server is connected.

From the LAN, clients are allowed to get to the Internet, but access to the other network segments is blocked. This includes the default policy to block all incoming access from the WAN or Internet.

The wireless users can get to the Internet but are blocked from accessing any of the other network segments. In order for the wireless users to access other network segments they must authenticate to the firewall. Once authenticated, each wireless user can gain access to the other network segments as needed. This was done to increase security from the WLAN and prevent unauthorized access to the other network segments.

Finally, on the storage server segment, the default policy is to block access to all other network segments. This is done to ensure that if the storage server were compromised through a vulnerability in its software, it would not allow a hacker to gain access to, or malware to spread to, other network segments on the LAN or WLAN. For WAN access, all traffic is blocked, although a specific set of ports is allowed to provide the ability to automatically update the software on the storage server.

Now you may look at this and be thinking this is overkill for such a small network. However, being in the security industry for the past 15 years and educating partners and customers on proper network design, I figured it would only benefit my own network security to implement a security design that limits access between network segments.

While I’m not saying that all networks need to have this level of complexity, it is a good idea to think about network segmentation and not put all connected devices on a single segment just because it’s easy. Network segmentation will help to control traffic not only north and south, but also provide controls for traffic going east and west between network segments.
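As an added example, not part of the original post and not SonicWall’s software, here is the zone policy just described expressed as a small first-match rule base in Python, together with a check that flags any unauthenticated path left open between internal segments (the east-west traffic the paragraph above refers to). Zone names follow the post; the update ports allowed out of the DMZ are placeholders, since the post does not list them.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Zones from the post: LAN (wired desktops), WLAN (wireless clients),
# DMZ (storage server), WAN (the Internet). Example code, not SonicWall's.
INTERNAL_ZONES = ("LAN", "WLAN", "DMZ")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    authenticated: bool = False  # has this user authenticated to the firewall?


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                             # "allow" or "deny"
    ports: Optional[FrozenSet[int]] = None  # None means any destination port
    require_auth: bool = False              # matches only authenticated users


# Placeholder: the post says "a specific set of ports" is opened for the
# storage server's software updates but does not list them.
UPDATE_PORTS = frozenset({80, 443})

# First-match rule base. Everything the post leaves unmentioned falls through
# to the implicit deny at the end of evaluate().
RULES = [
    Rule("LAN", "WAN", "allow"),                      # desktops may reach the Internet
    Rule("WLAN", "WAN", "allow"),                     # wireless clients may reach the Internet
    Rule("WLAN", "LAN", "allow", require_auth=True),  # other segments only after firewall login
    Rule("WLAN", "DMZ", "allow", require_auth=True),
    Rule("DMZ", "WAN", "allow", ports=UPDATE_PORTS),  # storage server: update ports only
    Rule("DMZ", "LAN", "deny"),                       # explicit, so the intent is visible
    Rule("DMZ", "WLAN", "deny"),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for a flow using first-match semantics."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if rule.ports is not None and flow.dst_port not in rule.ports:
            continue
        if rule.require_auth and not flow.authenticated:
            continue
        return rule.action
    return "deny"  # default policy: anything not explicitly allowed is blocked


def open_internal_paths(rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    """East-west paths (src, dst, port) an unauthenticated host could use between
    internal zones. Found by evaluating the rule base rather than reading it, so a
    shadowed rule is judged the way the firewall would judge it."""
    probe_ports = {0}  # 0 stands in for "any port no rule names"
    for rule in rules:
        if rule.ports:
            probe_ports |= rule.ports
    found = []
    for src in INTERNAL_ZONES:
        for dst in INTERNAL_ZONES:
            if src == dst:
                continue
            for port in sorted(probe_ports):
                if evaluate(Flow(src, dst, port), rules) == "allow":
                    found.append((src, dst, port))
    return found


if __name__ == "__main__":
    print(evaluate(Flow("WLAN", "LAN", 445)))                      # deny
    print(evaluate(Flow("WLAN", "LAN", 445, authenticated=True)))  # allow
    print(open_internal_paths())                                   # [] for the post's design
```

Running the audit after every rule change is the useful habit: adding an unconditional `Rule("WLAN", "LAN", "allow")` ahead of the authenticated one makes the audit list that path on every probed port, which is exactly the lateral path the post’s design is meant to close.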

SonicWall NSA Next-Gen Firewall Series

With SonicWall firewalls it’s possible to create a wide variety of segments using either physical or logical interfaces, or the internal wireless radio if available. Once an interface is defined, you can then apply a zone classification such as LAN, DMZ, WLAN or custom, and from there apply policies to control access between the various segments and limit unauthorized access. For increased security you can also apply authentication requirements. To learn more about how SonicWall next-generation firewalls can help secure your network, read the “Achieve Deeper Network Security and Control” white paper.

Is Your Firewall Scanning SSL-Encrypted Traffic?

If your firewall isn’t scanning SSL-encrypted traffic, then your network isn’t as safe as you think.

Some reports indicate that by the end of 2016 two-thirds of all traffic on the internet will be encrypted. In fact, the 2015 SonicWall Security Annual Threat Report found a 109% increase in encrypted traffic between January 2014 and January 2015. Are you prepared? Most network administrators may not even know that a majority of the traffic moving in and out of their network is encrypted, and this traffic could be a potential source for malware to enter their network or, even worse, allow known intrusions to be exploited.

As we’ve seen this year, more sites with advertisements that are not hosted or controlled locally are being used to spread malware, which allows hackers to exploit vulnerable endpoint systems. With more websites and search engines leveraging encryption, users who are going to legitimate websites or doing legitimate searches may be more exposed to these types of attacks, because the edge security device does not have the capability to decrypt, scan and determine whether something harmful is embedded in the encrypted payload.

As the Internet landscape continues to evolve, so too do the security requirements. If you’re using an older stateful packet inspection or UTM appliance that does not have the ability to decrypt SSL-encrypted traffic, it could leave your network and users exposed.

Here are some things network administrators should consider when choosing a product that will support SSL decryption as part of their overall security feature set.

  • Does my current firewall have the ability to decrypt and scan SSL-encrypted traffic?
  • What is the performance penalty if I enable this on my current firewall solution?
  • Is the SSL decryption required for outgoing connections from endpoints only?
  • Are there requirements for server-side SSL decryption?
  • How flexible is the control over which sites (e.g. banking) are not subject to SSL decryption?
  • Do I have a way to distribute the certificates easily for all device and OS types?

If SSL decryption is not something you have included as part of your overall security strategy, it should be. With more and more encrypted data moving in and out of your network, the possibility that you will be exposed is growing. As part of the overall SonicWall security strategy, DPI-SSL is a feature available on all next-generation firewall products including the powerful and scalable SonicWall NSA Series appliances.


To learn more about the robust security offering from SonicWall, review the following eBook: Achieve deeper network security and application control.

Six CyberSecurity Tips for the Holiday Season

The holiday shopping season is also a big season for cyber-criminals to breach high-traffic retailers. Forecasting from trends I have seen over the past 18 months, here are six security tips on how to protect your retail business. These often-overlooked recommendations are not limited to the holiday season, and you can implement them at any time:

1. Know what is connected to your network. Do you allow employees to use their personal devices to connect to your network? A favored penetration path is through unprotected devices that come onto the network. First off, insist that everyone has current antivirus software loaded on their devices. Moreover, use a firewall that knows what is on your network, can enforce which applications people can access, and provides a high level of granularity to restrict access to non-productive applications (or sub-applications, such as games on Facebook).

2. Update your software. During 2015, numerous security updates were pushed to customers of browsers, operating systems, plug-ins and applications. Often overlooked during the year, missed software updates are the easiest way for cyber-criminals to compromise your network, commonly through outdated applications. This drafty window into your business can be easily shut. Before the holiday season gets under way, have your PC users spend an hour at the end of the day to update software (it often requires a reboot) and make sure your apps (especially Java) are up to date. Encourage users to do this monthly, and insist on it quarterly.

3. Change your passwords. While you may not have been enforcing a change in passwords to access your network on a regular basis, it is a fast and easy way to close the door on insider-initiated breaches. Over the past year, employees have come and gone. Changing the password provides an opportunity to start out fresh. But now the problem becomes remembering the new password. One technique is to use a personally memorable passphrase that only you would know. If you feel you must write the password down, secure it in a locked drawer with limited access. You might be surprised how many make the dangerous mistake of writing it down on a sticky note placed on a computer.

4. Prepare for ransomware. Going by recent trends, there is an increasing chance that someone will get into your system, encrypt your data and bring your business to a halt unless you pay a ransom. Be ready. Make a backup daily (start today), and test regularly to make sure that you can easily recover your data off the network. If you do get hit, you then have a baseline to go back to, so you can keep your business going.

5. Secure your WiFi. WiFi can improve shopper experience and help retain customers. But do you know if your WiFi is secure? Is your wireless circuit set up to isolate your business traffic from your guest traffic? If not, consider turning off WiFi until it is secured. It is too easy to compromise a network through an insecure WiFi connection.

6. Isolate your POS. Speaking of isolation, make sure your POS system is isolated from the rest of your network traffic. That way, you close another door on cyber-thieves.
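Tip 4 says to back up daily and to test that you can actually recover. The added Python example below (not from the post) performs that restore test on a constructed data set: it hashes every file when the backup is taken, restores the archive into a scratch directory and compares the result against those hashes, and separately lists files rewritten since the last good backup. Directory and file names are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Added example: a backup is only useful if it restores, so record what went in,
# restore to a scratch directory and re-hash. Names such as "pos-data" and
# "daily.tar.gz" are constructed for the demonstration.


def _hash_tree(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src_dir: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tarball of src_dir and return the manifest of what was backed up."""
    manifest = _hash_tree(src_dir)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Restore the archive into a scratch directory and compare it with the manifest."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                # The "data" extraction filter (Python 3.12+, backported to older
                # patch releases) refuses absolute paths and ".." members, so a
                # tampered archive cannot write outside the scratch directory.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except Exception as exc:  # truncated or corrupt archive: not restorable, whatever the cause
            return False, ["archive unreadable: " + repr(exc)]
        restored = _hash_tree(Path(scratch) / "data")
    for name, digest in manifest.items():
        if name not in restored:
            problems.append("missing after restore: " + name)
        elif restored[name] != digest:
            problems.append("content differs after restore: " + name)
    return not problems, problems


def changed_since_backup(src_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Files whose live content no longer matches the last good backup (new,
    missing or rewritten). A sudden burst of rewrites across a share is one
    signal of ransomware at work."""
    live = _hash_tree(src_dir)
    rewritten = {n for n in live if n in manifest and live[n] != manifest[n]}
    return sorted((set(live) ^ set(manifest)) | rewritten)


def demo() -> Tuple[bool, List[str], bool]:
    """Run the restore test on constructed data. Returns (good backup verified,
    files changed after a simulated encryption, truncated backup verified)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "pos-data"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2015-11.csv").write_text("id,total\n1,19.99\n2,42.00\n")
        (src / "config.ini").write_text("[pos]\nregister=3\n")
        archive = Path(work) / "daily.tar.gz"
        manifest = make_backup(src, archive)
        good, _ = verify_restore(archive, manifest)
        # Simulate ransomware rewriting a file after the backup was taken.
        (src / "config.ini").write_bytes(b"ENCRYPTED-BY-SAMPLE")
        changed = changed_since_backup(src, manifest)
        # Simulate an interrupted backup job by truncating the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad, _ = verify_restore(archive, manifest)
        return good, changed, bad


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the test meaningful: comparing a restore against the live data would report a difference for every file edited since the backup, whereas comparing against the hashes taken at backup time answers the question tip 4 actually asks, namely whether the copy you would fall back on is complete and intact.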

There is plenty more that can be done, but the holiday season may preclude additional immediate activities. My recommendation is to set a date after the holidays to review your security position and plan for improvements in 2016. Ask others who operate retail stores what they are doing. Or talk to a security specialist like those we have at SonicWall. They can help you build a roadmap to better security.

If you want to learn more about how to protect yourself from threats that have emerged as the internet grows, I encourage you to read our ebook: “How to prevent security breaches in your retail network.” It goes deeper into retail security and will help you to become savvier when you evaluate your security posture.

SonicWall Firewall As A Service Offers New GMS Infrastructure

Today, customers are looking for more security and insight into the traffic on their network, without the burden of managing it on their own. Increasingly, managed service providers (MSPs) are being asked to deliver network perimeter protection. Meeting this demand, SonicWall Firewall as a Service (FWaaS) now offers the SonicWall Global Management System (GMS) as a cloud managed service. Immediately available from SonicWall are three options for the Global Management System infrastructure solution: Monitoring; Monitoring and Reporting; and Fully Managed. The undeniable benefit of all of these choices is that each lowers upfront costs through monthly subscription pricing. Customers also gain enterprise-level network security to defend against relentless global threats and malware attacks without having to worry about maintenance or support. These solutions simplify customer management and deployment of SonicWall products. These new offerings will be provided by Solutions Granted Inc. and Western NRG, Inc., our selected infrastructure providers.

SonicWall Security’s Firewall-as-a-Service bundle includes a SonicWall next-generation firewall appliance, Total Secure/Comprehensive Gateway Security Software (CGSS) and SonicWall Global Management System (GMS). What is new is that we are giving you more options on where and how to run SonicWall GMS, allowing you to rapidly deploy and centrally manage SonicWall next-gen firewalls. This highly effective system provides real-time monitoring and alerts, along with comprehensive policy and compliance reporting, in a solution that can easily be deployed as a hosted service.

Option number one provides GMS infrastructure with monitoring. Option number two delivers more comprehensive security with both monitoring and reporting. With these two options the Managed Service Provider (MSP) runs GMS and is responsible for the workload, but uses the SonicWall GMS infrastructure. The value is eliminating the cost of the GMS infrastructure, with a monthly price instead of an upfront cost, scaling over time to accommodate growth.

The third and most comprehensive option consists of a fully managed GMS instance and execution of the managed firewall service for the VAR/MSP. The value of this service is that a VAR can now participate without being an MSP. With this option you sell the service, but the delivery of that service is handled by the new SonicWall GMS managed services offerings. This expands your business as a VAR. These options all complement and extend SonicWall security products and services for the provider, while optimizing your business security, managing growth and easing administrative burdens.

We invite you to tune in for a live webcast on how the new offerings in the FWaaS partner program will help you increase your sales, on Thursday, Nov. 5, 2015 at 11 a.m. Pacific/2 p.m. Eastern.

Meet us in person at the upcoming IT Nation 2015 conference, Nov. 11 – 13, 2015 at the Hyatt Regency in Orlando, where SonicWall Security Solutions experts will demonstrate SonicWall Firewall-as-a-Service (FWaaS) and the SonicWall Global Management System next week.

Retailers Are Jumping on the Wi-Fi Bandwagon

The other day I went clothes shopping at the mall with my 12-year-old son, an experience that’s usually painful for both of us. While he was deciding between “straight leg” and “skinny leg” pants I spent my time looking at the surrounding shops in the mall. Some were smaller, independently-owned stores while others were part of larger retail chains. They’re all selling something which means they all need to protect the data they receive from customer transactions.

While I don’t really understand the need for skinny leg pants, I do know that there are a ton of stores in the malls. The ones that are successful find ways to differentiate themselves from the competition. They also learn how to make doing business easier. The use of wireless is a good example. Free WiFi is a cool thing. I can keep up on email, surf the web and text my wife about my shopping experience right from the store without using up my valuable data plan. As a shopper, I like that.

From the store’s perspective, wireless serves multiple functions. For one, it’s a potential source of customer retention. According to an EarthLink Holdings Corp. study, 27.5 percent of retailers reported increased customer loyalty due to in-store WiFi. Having free WiFi available also makes it easier for customers to get product information and make purchases. In a press release late last year Gap, Inc. said, “Now, you can just take out your smartphone and shop straight from the fitting room, browse customer reviews or just jump online for fun. It’s now easier to access with free customer Wi-Fi.” What’s more, retail businesses that provide free WiFi also see an increase in customer foot traffic, time spent on premises and spending based on a 2014 Devicescape-commissioned survey by iGR. This is all good news for retailers who’ve jumped on the in-store WiFi bandwagon.

Providing free WiFi doesn’t come without some effort, however. Service providers are upping the bandwidth available to businesses, and WiFi speeds have increased significantly thanks to 802.11ac, both of which make for a better user experience. That’s great, and it means wireless speed is often not an issue any longer. Securing the network from threats still is, though. Retailers who don’t deploy a network security solution such as a firewall to protect their WiFi (and wired) network face a number of potential risks, including stolen customer and company data, financial loss and damaged reputation. There have been plenty of examples in the news of major retailers who have experienced each of these. Were they hacked over a WiFi network? Probably not. However, it’s a very real possibility. In addition to providing essential protection from viruses, spyware, intrusions and other threats, firewalls enable retailers to separate, or segment, customer internet access from employee network access over the wireless network. This ensures that the retailer’s internal network is safe from any threats customers may have downloaded onto their personal WiFi devices. At the same time, employees have secure access to the internal resources they need.

In the end, after much deliberation my son went with the skinny leg pants. I had a good in-store WiFi experience and the retailer made another sale knowing its network was safe from a wireless attack. The next time you’re at the shopping mall check to see if you can find the store’s wireless access point. Odds are the shop is providing free WiFi to its customers. If you’re a retailer looking for information on a wireless network security solution, see the SonicWall TZ Series and SonicPoint Series.