Firewalls are often thought of as something you use to protect your network from bad people and things on the Internet. While this is technically true, we need to change the way we think about where a firewall should be deployed and how. With the proliferation and evolution of threats like malware and Advanced Persistent Threats (APT), the Internet is no longer the only source of malicious traffic. Think about this for a second - when you deploy a firewall, there are two basic security zones preconfigured on the box: an Internet or untrusted zone / interface, and an Inside / Internal or trusted zone / interface. Therein lies the fundamental issue with network security.
Just because your machine is physically connected to the network and sits behind the corporate firewall doesn’t mean it should be trusted. Attackers put malicious code on websites, distribute it via email, and find various other ways to get their application onto your machine. Corporations spend a lot of time and money making sure their Internet Edge is secure so that attackers can’t get through the corporate firewall, but they focus far less on making sure that user devices can’t reach systems that aren’t necessary to perform the user’s job function. If an attacker were able to install malware on the Financial Controller’s PC, what servers and systems does that PC have access to? On what ports? 99% of the time, those answers are very simple: that particular PC usually has access to ALL of the corporate financial systems and will usually have unfettered access to the Internet as well.
If we’re thinking about this from a logical standpoint, there is absolutely no reason to trust devices inside the firewall any more than we trust unknown machines on the Internet. After all, our corporate PCs connect to those unknown machines on the Internet every day. Sure, we use the latest anti-virus, make sure to turn on the Windows firewall when we’re on a public network, and maybe even use a host-inspecting Network Access Control (NAC) or Unified Access Control (UAC) solution in the office to run a posture assessment on mobile devices and make sure they are clean before we allow them onto the corporate network. But those systems have flaws. One of the biggest is that they are all signature-based in nature: they can only recognize what they have already been told to look for.
Securing your datacenter is as much about having the right systems in the right place as it is about visibility into the communications between those systems. Knowing what calls your web server is making to your SQL database server can help identify known and expected traffic patterns. Ideally, every device would be segmented from every other device on your network with all of that traffic running through a datacenter firewall to determine which traffic to allow or drop. End user devices, especially mobile ones, should be treated the same as Internet-based hosts. They should not be allowed to access ANYTHING on your network without sending that traffic through a datacenter firewall first.
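As an added example (not code from the original post), the following Python check encodes the “known and expected” traffic patterns described above as a flow baseline and reports every flow a datacenter firewall would drop. User devices are placed in the same untrusted zone as the Internet, as the post recommends; the zone names, subnets, ports and flow records are constructed sample data, not real addresses.

```python
# Added example: a flow-baseline audit in the spirit of "verify to trust".
# All zones, subnets and flows below are constructed sample data.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport proto")

# Assumed zone layout. End-user devices (10.10.0.0/16) deliberately share the
# "untrusted" zone with the Internet: they get no more trust than an unknown host.
ZONES = {
    "untrusted": ip_network("10.10.0.0/16"),   # user / mobile devices
    "web":       ip_network("10.20.1.0/24"),   # web front-ends
    "db":        ip_network("10.20.2.0/24"),   # SQL database servers
    "finance":   ip_network("10.20.3.0/24"),   # financial application servers
}

# Known and expected flows as (src_zone, dst_zone, dport, proto).
# Everything else is dropped at the datacenter firewall.
BASELINE = {
    ("untrusted", "web", 443, "tcp"),       # users and Internet reach the web tier over HTTPS
    ("web", "db", 1433, "tcp"),             # web tier talks to SQL on 1433 only
    ("untrusted", "finance", 443, "tcp"),   # finance app is reached through its HTTPS front-end
}

def zone_of(addr):
    """Map an address to its zone; anything not in a known zone is untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"

def evaluate(flow):
    """Return 'allow' if the flow matches the baseline, otherwise 'drop'."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.dport, flow.proto)
    return "allow" if key in BASELINE else "drop"

def audit(flows):
    """Return the flows that would be dropped: each one is either a policy
    gap to document or a host reaching somewhere it has no business being."""
    return [f for f in flows if evaluate(f) == "drop"]

# Constructed sample flows, including a user PC reaching the SQL server directly.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.1.10", 443, "tcp"),    # user -> web app: expected
    Flow("10.20.1.10", "10.20.2.5", 1433, "tcp"),    # web -> SQL: expected
    Flow("203.0.113.9", "10.20.1.10", 443, "tcp"),   # Internet -> web app: expected
    Flow("10.10.5.23", "10.20.2.5", 1433, "tcp"),    # user PC -> SQL directly: dropped
    Flow("10.10.5.23", "10.20.3.7", 445, "tcp"),     # user PC -> finance server SMB: dropped
]
```

Running `audit(SAMPLE_FLOWS)` returns only the last two flows; feeding the same check real flow logs exported from the datacenter firewall turns the baseline into a standing detection for unexpected east-west traffic.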
Ronald Reagan used the phrase “Doveryai, no proveryai” frequently during his term in office. This old Russian proverb translates into English as “Trust, but verify.” In today’s always-on, instant-access networking ecosystem, we need to adopt a different phrase:
“Proveryai to doveryai” or “Verify to trust.”