I’ve seen a few posts on Reddit and Facebook lately with ‘unpopular opinions’ being shared. The usual suspects always turn up: pineapple on pizza (WRONG!) and the various things that some believe should be stored in a fridge while others say this should never happen (eggs, ketchup, chocolate, etc.). One of mine would be that it makes no difference whether milk is put in tea or coffee first or last!
But in the IT world we also tend to do things because that’s the way it’s always been done or taught. Occasionally products come to market that disrupt that thought process; historical examples are e-commerce, the Internet and remote working, and future examples are perhaps machine learning, blockchain and drones. Sometimes just a change in the landscape can mix things up. For example, there is increased awareness of and business buy-in for cyber security, and various strategies have been created to provide a robust template for IT folk to follow, with “defence in depth” being the focus of this post.
Defence in Depth
As with many IT security principles, like the ‘DMZ’ (Demilitarised Zone), the military provides a good benchmark to draw on when assessing your security posture. Defence in depth is the idea of creating several defensive lines of differing strength, designed to slow down or stop a determined attacker. It also ensures that defensive effort is not concentrated in one location which, if defeated, would let the attacker straight through the lines.
In the network security world, it’s thought by some that using two firewalls from different vendors follows defence in depth principles and mitigates the risk of a misconfiguration or unpatched vulnerability in one also being present in the other. By doubling up on firewalls, security is thought to be increased substantially. My unpopular opinion is that this is an incorrect application of defence in depth for the vast majority of cases.
In my terrible picture below, each ring represents a security concept or technology used to protect the organisation’s inner devices and data. The number of rings isn’t at all exhaustive and is just to visualise the concept. Essentially, the outer ring is your operational security: ensuring users connect to VPNs with MFA when coming into the organisation, using web application firewalls to protect published services, and so on. The next circle is the firewall performing the ‘gatekeeper’ role, allowing things in and out. If the bad guys have got this far, the additional lines of defence continue to thwart or slow their advance, very similar to the military tactic of “hedgehog defence”. This slightly cutely named tactic is designed to buy time for the defender to mount a counterattack against the rear of the attacking force, cutting off the front-most force and thwarting the attack. In the firewall sense this could mean automatic measures being taken (blacklisting IPs and blackholing traffic) or NOC / SOC operators being prompted to respond to alerts.
My belief is that having two different firewall vendors has the obvious implications of licensing and hardware refresh costs for two different systems, plus training to configure the two different platforms, as well as the time to patch both and to correctly configure mirrored rules on both the ‘front’ and ‘back’ firewall. Imagine a user has installed some application that uses a non-permitted port outbound: this needs permitting on both the inner and outer firewalls. Or say the business has scaled up its requirements and needs either larger firewalls or firewalls in high availability pairs – the cost is doubled because both the inside and outside firewalls need to be considered.
And how often are audits carried out to see if the user still requires the software, and subsequently whether the ports need to be left open? The ‘two firewalls is better than one’ strategy fails when configurations are not kept up to date or are seen as too time consuming to manage correctly. I believe the cost and administrative effort should be focused elsewhere, to ensure the full defence in depth strategy is applied everywhere, not just at the front lines.
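To make the two failure modes above concrete (mirrored rules drifting apart, and allow rules nobody has audited), here is a small added example in Python, not from the original post or any firewall vendor. The rule record format, the sample rule sets and the 90-day idle threshold are all constructed for illustration.

```python
"""Audit the 'front' and 'back' firewall rule sets for mirror drift and stale allow rules.

Constructed example: the Rule record is a simplified stand-in for a vendor rule export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp" or "udp"
    dst_port: int
    last_hit: Optional[date]  # last day the rule matched traffic; None means never


def rule_key(rule: Rule):
    """Identity of a rule for mirroring purposes: what it permits, not what it is called."""
    return (rule.action, rule.proto, rule.dst_port)


def find_mirror_drift(front: List[Rule], back: List[Rule]):
    """Return (only_on_front, only_on_back): rules that exist on one firewall but not the other."""
    front_keys = {rule_key(r) for r in front}
    back_keys = {rule_key(r) for r in back}
    return sorted(front_keys - back_keys), sorted(back_keys - front_keys)


def find_stale_rules(rules: List[Rule], today: date, max_idle_days: int = 90):
    """Allow rules that have not matched traffic within max_idle_days are audit candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(r.name for r in rules
                  if r.action == "allow" and (r.last_hit is None or r.last_hit < cutoff))


# Constructed sample data: one app port opened months ago, one rule never used,
# and one rule that was only ever added to the back firewall.
TODAY = date(2024, 6, 1)
FRONT = [
    Rule("web-out", "allow", "tcp", 443, date(2024, 5, 30)),
    Rule("app-out", "allow", "tcp", 8443, date(2024, 1, 10)),
    Rule("legacy-ftp", "allow", "tcp", 21, None),
]
BACK = [
    Rule("web-out", "allow", "tcp", 443, date(2024, 5, 30)),
    Rule("app-out", "allow", "tcp", 8443, date(2024, 1, 10)),
    Rule("dns-out", "allow", "udp", 53, date(2024, 5, 31)),
]

if __name__ == "__main__":
    print("drift (front only, back only):", find_mirror_drift(FRONT, BACK))
    print("stale on front:", find_stale_rules(FRONT, TODAY))
    print("stale on back:", find_stale_rules(BACK, TODAY))
```

Run against real exports, the drift report shows where a change was applied to one firewall and forgotten on the other, and the stale list is the starting point for the audit of whether a port still needs to be open.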
In the equally awful diagram below, the lines behind the firewall are very weak and make infiltration by the bad guys much easier.
It’s not safe to assume that multiple firewalls from multiple vendors are enough to secure a network completely. Instead of going down this path, I would consider how well the defence in depth strategy is applied beyond the firewall, once an attacker has gained entry, through other security measures such as:
- Device hardening (including removing non-required services and ports from printers / switches and other devices)
- Segregation of devices through VLANs
- Patching OS and application vulnerabilities
- Use of up-to-date anti-virus on endpoints
- Changing default credentials
- Providing user access to resources on an as-needed basis