In Part 1 of this series, we began talking about best practices for firewall policy rules that are applied to outbound access to the Internet. In Part 2, we’ll briefly discuss the human element and then circle back to actual policy prescriptions.
Effort vs Risk – The Human Element
The firewall administrator is the person (or team) responsible for maintaining a secure firewall policy, including the “outbound to Internet” rules. Sometimes the firewall admin role falls to a less experienced staff member who may not know the risks or may not be aware of the best way to secure a wide open outbound firewall policy. A similar situation is the general IT support person who happens to also maintain firewalls. These firewall admins could be pardoned for not understanding the importance of a tight outbound policy; nevertheless, their lack of experience is a security liability. Alternatively, we also encounter firewall administrators who do not think that a wide open Internet policy is a problem. They don’t apply a strict policy because they don’t believe in it. Lastly, and probably most problematic, some firewall admins believe that it takes too much time and effort to maintain a restrictive outbound Internet policy, even though they readily admit that a loose outbound policy is risky and should be improved. Whatever the shortcoming of the admin, a loose outbound Internet policy may only become visible after a firm is affected by a ransomware event. Until then, it is too easy for firewall administrators to overlook the weakness of the loose outbound Internet policy.
Reviewing all of the above, it can be seen that every one of these causes of a loose outbound policy minimizes the serious risks attached to loose outbound Internet access. A sturdy security defense uses all available security controls, enabled and tuned to maximize their ability to stop harm from occurring to the protected assets. Command and control techniques are specifically called out in the MITRE ATT&CK framework. A wide open outbound firewall policy is a weak link in the security chain.
So how best to go about remediating the loose outbound firewall policy? As with many other technology security controls, planning is needed; but then the challenge is to keep momentum going and to constantly improve the firewall policy over time. Firewall policy improvements in general do not have a distinct start and end (yet often it is possible to fast-track dramatic policy improvements). Either way, the workflow for improving your outbound firewall policy requires continuous improvement cycles. The cycles never completely end, but they do tend to diminish over time as the outbound policy is refined and becomes more restrictive. To quickly summarize, the rule we need to fix is shown below.
Implementing a Restricted Outbound Internet policy
Here is a summary of policy rules to be deployed onto all firewalls to control outbound access to the Internet.
- The first rule to add to your firewall policy will block your internal hosts from reaching known C&C (command and control) hosts. Creating this rule requires obtaining a list of C&C hosts (and subnets), which is available from various online sources. Those lists need to be imported into your firewall policies. Importing can be a real challenge but is well worth the effort. Some firewalls have features that allow importing of lists, while others make it more of a challenge. Place the rule above almost all other rules in the firewall policy. When the rule is created and applied to the policy, make sure that logging is turned on for that rule so that the firewall records internal hosts trying to reach C&C hosts. Any log message that matches on that rule probably shows an internal host attempting to reach a C&C host. That is a strong indicator of a compromised host that is potentially infected with malware or, worse, ransomware.
- Reconfigure your DNS so that internal hosts use either internal DNS servers or your ISP’s DNS servers. This usually means changing DHCP scopes to point to the internal or ISP DNS servers and statically reconfiguring servers and other devices to point to the internal or ISP DNS servers as well. Do not allow hosts to reach any DNS server on the Internet. Instead, restrict access to a narrow list of known and trusted DNS servers. Using the ISP DNS servers is a good place to start. To further tighten things up, set up two or more internal DNS servers and point all internal hosts at them. Then allow only those DNS servers to reach Internet DNS servers. We won’t stop at allowing certain DNS traffic and silently blocking the rest. Instead, we will deploy rules that explicitly allow permitted DNS traffic and explicitly block unauthorized DNS traffic. Monitoring the DNS traffic using specific allow and deny rules allows for fast identification of normal and abnormal DNS traffic. Fast identification is often critical in helping to identify and halt malicious network behaviors. The diagram below shows the two rules as deployed onto a single firewall.
- Reconfigure your NTP so that two or more internal NTP servers are used as the clock source that all internal hosts sync to. Then allow those NTP servers to use a known list of Internet NTP servers. Those external NTP servers could be ISP provided, pool.ntp.org, or Google Public NTP. Each of the internal NTP servers should have access to those external NTP servers, but all other NTP access to the Internet should be blocked. Essentially, internal hosts should have no access to Internet NTP servers, and the internal NTP servers should only have access to a short list of designated Internet NTP servers.
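The three rules above, modelled as an ordered first-match policy so their precedence and logging can be checked before they are pushed to a real firewall. This is an added example, not code from the original post or from Gotham Technology Group; every address (RFC 1918 and RFC 5737 ranges), the C&C feed and the names of the rules are constructed assumptions, and the final “outbound-any” rule stands in for the loose rule that the series is working to tighten.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample addresses (RFC 1918 / RFC 5737 ranges); none come from the post.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
CNC_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]  # stand-in for an imported C&C feed
INTERNAL_DNS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
TRUSTED_DNS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}      # e.g. the ISP's resolvers
INTERNAL_NTP = {ipaddress.ip_address(a) for a in ("10.0.0.123", "10.0.1.123")}
TRUSTED_NTP = {ipaddress.ip_address(a) for a in ("192.0.2.123",)}                   # designated Internet NTP servers

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    log: bool                      # whether a hit on this rule produces a log line
    match: Callable[[Flow], bool]

# Ordered first-match policy as the post prescribes: C&C block at the very top, then explicit
# DNS allow/deny, then explicit NTP allow/deny, and finally the loose catch-all still to be tightened.
POLICY = [
    Rule("block-cnc", "deny", True, lambda f: f.src in INTERNAL_NET and any(f.dst in n for n in CNC_LIST)),
    Rule("allow-dns-resolvers", "allow", True, lambda f: f.dport == 53 and f.src in INTERNAL_DNS and f.dst in TRUSTED_DNS),
    Rule("deny-dns-other", "deny", True, lambda f: f.dport == 53),
    Rule("allow-ntp-servers", "allow", True, lambda f: f.dport == 123 and f.src in INTERNAL_NTP and f.dst in TRUSTED_NTP),
    Rule("deny-ntp-other", "deny", True, lambda f: f.dport == 123),
    Rule("outbound-any", "allow", False, lambda f: True),
]

def evaluate(src: str, dst: str, dport: int):
    """Return (action, rule_name, logged) for the first rule that matches an outbound flow."""
    flow = Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    for rule in POLICY:
        if rule.match(flow):
            return rule.action, rule.name, rule.log
    raise RuntimeError("policy must end with an explicit catch-all rule")

def suspected_compromises(flows: Iterable[tuple]) -> set:
    """Source addresses that hit the C&C block rule: the post's strong indicator of an infected host."""
    return {src for src, dst, dport in flows if evaluate(src, dst, dport)[1] == "block-cnc"}
```

Running a day of flow records through suspected_compromises gives the same short list an analyst would get by filtering the firewall log on the block-cnc rule, and evaluating a flow by hand shows whether a proposed rule is shadowed by one placed above it.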
Remediating DNS and NTP is just the tip of the iceberg. Many additional rules are needed to restrict access to the Internet to a safe level. In part 3, we will cover more techniques to restrict access.
Gotham Technology Group has skilled firewall architects, administrators and security analysts that can assist any client with improving outbound Internet access policy and all firewall policies in general. Gotham Technology Group also has extensive experience in designing network security segmentation and isolation solutions. Contact your Gotham Account Executive for assistance.