Firewalls
Choose your firewall
There are mainly three kinds of firewalls: stateless, stateful, and next-generation.
Stateless and stateful firewalls both inspect the packet headers before taking a decision, so they only look at source and destination IP addresses and ports. In addition, a stateful firewall stores information about active connections: when a connection is opened, the firewall tracks and updates its internal state record as new packets are inspected. That gives it the possibility to detect anomalies, for example a DNS response with no corresponding request.
So, we always recommend a stateful firewall instead of a stateless one.
A Next-Generation Firewall (NGFW), however, can inspect the payload of most packets. Its processing capacity, and therefore its price, are of course higher, but it is currently the best firewall technology on the market.
System
As a rule of thumb, we want to reduce the attack surface of our systems as much as possible, and everything that remains accessible should be controlled tightly.
Our first focus will be the configuration and maintenance of the firewall itself. As such, we should insist on using nominative accounts, ideally authenticated against a directory service via the LDAP protocol, with Multi-Factor Authentication and a valid certificate for proper security.
Read our paper about Multi-Factor Authentication: https://www.cert.be/en/paper/better-protect-accounts-multi-factor-authentication.
The service account used for querying Active Directory should have the least privileges possible.
All nominative accounts should respect the principle of least privilege. For example, an analyst would only have read access, whereas an administrator could have read and write access. Ideally, this would be set up with role groups in the directory service to avoid disparate rights configurations. The local administrator credentials should be secured in a vault and never used unless there is no other choice.
The list of accounts that have access to the firewall must be updated on hiring and departures, as well as when employees' functions change. This list must be reviewed at least yearly.
In terms of network configuration, we should absolutely dedicate a physical interface of the firewall to administration access, in the administration VLAN. We should take care to deactivate network interfaces that are not used, always in the spirit of reducing the attack surface.
It is also important that the firewall has static routes for every internal network not directly connected to it, to avoid the use of DNS and possible spoofing attacks.
Filtering policy
When configuring your filtering policy, we recommend using explicit rules. This means writing down everything you want to do, in a logical order, without relying on implicit rules that may be built into the firewall. This also makes the policy easier to understand and maintain for you and future administrators, and makes it easier to refine specific parameters of a rule, for example choosing not to log well-known noisy traffic.
Also apply the principle of least privilege: open only the ports necessary for the smooth running of the business and its workers, and no more. Do not refuse to open every port either, but rather follow the principle of the "good father of the family".
Everything that is not explicitly authorized by the filtering policy should also be explicitly blocked. That's why your configuration should absolutely end with a final blocking and logging rule.
To take a closer look at the logical order of the rules, which makes them more efficient and easier to read and maintain, we'll divide them into the following groups:
- The firewall protection:
  - Allow and log flows towards the firewall (typically for administration) and flows emitted by the firewall (typically for updates).
  - Block every network flow with the firewall as a destination. This rule should obviously log, and we should make sure that every interface of the firewall is covered by it.
- The business rules:
  - Allow all business network flows as specifically as possible, and log them.
- The noise rules:
  - If needed, disable logging of well-known noise.
- The final block:
  - Block and log everything that has not been permitted before. In some configurations, this block could also be placed at the beginning: it then blocks everything except what is accepted after it, but in that case it will log all traffic. The idea is the same.
For example, here is a succinct view of what it would look like:

| Source | Destination | Destination service | Action |
|---|---|---|---|
| Allowed flows to the firewall | | | |
| [ADMIN_NET] | admin_interface | HTTPS | Allow + log |
| [DISTANT_OFFICE] | external_interface | IPSEC | Allow + log |
| Allowed flows from the firewall | | | |
| internal_interface | [UPDATE_SERVERS] | HTTPS | Allow + log |
| external_interface | [DISTANT_OFFICE] | IPSEC | Allow + log |
| Firewall protection | | | |
| any | [ALL_INTERFACES] | any | Block + log |
| Allowed business traffic | | | |
| proxy | internet | HTTPS | Allow + log |
| [USERS_NET] | [ADDS_SERVERS] | AD | Allow + log |
| [MAIL_SERVERS] | internet | SMTP | Allow + log |
| Noise rules | | | |
| [USERS_NET] | users_net_broadcast | SMB_BROADCASTS | Block |
| Final block | | | |
| any | any | any | Block + log |
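As an added example (not from the original paper), here is a first-match evaluator over a cut-down version of the ordered policy above. The network objects, interface addresses and service port lists are assumed, constructed values; the point it shows is that the firewall-protection block must come before the business rules, that the noise rule changes logging but not the verdict, and that anything not explicitly allowed ends in the final block.

```javascript
// Added example, not from the original paper: a first-match evaluator for a
// cut-down version of the ordered policy above. Network objects, interface
// addresses and the service port lists below are assumed/constructed values.
const ip2int = (s) => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;

function inCidr(ip, cidr) {              // "10.20.0.0/16", "10.10.0.1" (= /32) or "any"
  if (cidr === "any") return true;
  const [net, bits = "32"] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ip2int(ip) & mask) >>> 0) === ((ip2int(net) & mask) >>> 0);
}

// Named objects of the policy (constructed addresses). ALL_INTERFACES lists the
// firewall's own addresses so the protection rule covers every interface.
const OBJ = {
  ADMIN_NET: ["10.10.0.0/24"], USERS_NET: ["10.20.0.0/16"],
  ADDS_SERVERS: ["10.30.0.10", "10.30.0.11"], proxy: ["10.50.0.5"],
  admin_interface: ["10.10.0.1"], ALL_INTERFACES: ["10.10.0.1", "10.20.0.1", "192.0.2.10"],
  users_net_broadcast: ["10.20.255.255"], internet: ["any"], any: ["any"],
};
const SVC = {
  HTTPS: ["tcp/443"], AD: ["tcp/88", "tcp/389", "tcp/445"],
  SMB_BROADCASTS: ["udp/137", "udp/138"], any: ["any"],
};

// [source, destination, service, action, log] in the order they are evaluated.
const RULES = [
  ["ADMIN_NET", "admin_interface", "HTTPS", "allow", true],              // flows to the firewall
  ["any", "ALL_INTERFACES", "any", "block", true],                       // firewall protection
  ["proxy", "internet", "HTTPS", "allow", true],                         // business rules
  ["USERS_NET", "ADDS_SERVERS", "AD", "allow", true],
  ["USERS_NET", "users_net_broadcast", "SMB_BROADCASTS", "block", false], // noise: not logged
  ["any", "any", "any", "block", true],                                  // final block
];

// flow = { src, dst, svc } with svc as "proto/port"; the first matching rule wins.
function evaluate(flow) {
  const hit = (name, ip) => OBJ[name].some((c) => inCidr(ip, c));
  for (const [src, dst, svc, action, log] of RULES) {
    const svcOk = SVC[svc].includes("any") || SVC[svc].includes(flow.svc);
    if (hit(src, flow.src) && hit(dst, flow.dst) && svcOk) {
      return { action, log, rule: `${src} -> ${dst} ${svc}` };
    }
  }
  throw new Error("policy must end with an explicit final block");
}

// A user host reaching the firewall's internal interface over HTTPS is blocked and
// logged by the protection rule before any business rule is considered.
console.log(evaluate({ src: "10.20.5.5", dst: "10.20.0.1", svc: "tcp/443" }));
```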
Forward Proxies
We want to keep control of outgoing internet connections to detect Command & Control (C2) traffic or covert channels and block access to malware or malicious websites. A proxy serves this purpose.
Position and encryption
The proxy should have enough capabilities to decrypt and analyse traffic. For this purpose, the proxy server acts as a gateway between the user and the destination server, handling all requests and responses on behalf of the user. This position gives the proxy the capability to read the content of every connection and apply the desired filtering.
It must also ensure a secure connection between itself and the other actors involved, ideally using TLS 1.3 while never allowing a downgrade of the encryption methods. That means we want to use explicit proxies instead of "bump-in-the-wire" (or transparent) proxies, which no longer work effectively with encrypted traffic.
Moreover, the proxy should have all modern protocol analysis capabilities: HTTP/3, QUIC, DoT, DoH, DoQ, media streaming, etc.
We want to be able to capture network telemetry to identify anomalies (very valuable for exfiltration detection) as well as network captures (PCAP) for future threat hunting. The logging of HTTP headers is also useful to identify data leakage. This is outside the scope of this paper, but if you want more information or implementation methods, you can refer to the following article: https://cqr.company/web-vulnerabilities/information-leakage-via-http-headers/.
User authentication
This determines how user devices are validated when accessing the Internet. Proxy Authentication must be enabled to be able to create new policies for users or groups.
Two methods can be used to authenticate a user: via their device's IP address, or via username and password. The second option is obviously the best, but it will not be possible for every component of your network, for example servers. For those, we will create a list of authorized source hosts and destinations based on technical needs (for example update servers). Indeed, server access to the internet is the easiest for attackers to abuse for data exfiltration. Any access that is not authenticated or allow-listed should be blocked.
Thanks to user authentication, the proxy should be able to detect local or domain administrators, any privileged accounts, or service accounts and block their access to the internet.
Hosts configuration
With an explicit proxy, we will typically use a Proxy Auto-Configuration (PAC) file, or Web Proxy Auto-Discovery (WPAD), that describes to the client host how it should access resources depending on their URL, hostname, or IP. That file should be stored in a manner that is easily and quickly accessible to the users but not from the outside, and only the appropriate privileged users should be able to modify it.
Thanks to that file, it is possible to configure certain connections to bypass the proxy (DIRECT), but the risks this entails need to be carefully considered.
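As an added example (not from the original paper), a minimal PAC file for an explicit proxy that keeps the DIRECT exceptions as narrow as possible. The proxy name proxy.corp.example:3128, the internal domain corp.example and the 10.0.0.0/8 range are assumptions; the three helper functions are shims for what a browser normally provides to PAC scripts so the file can be run and tested outside a browser.

```javascript
// Added example, not from the original paper: a minimal PAC file for an explicit
// proxy. proxy.corp.example:3128, the corp.example domain and 10.0.0.0/8 are
// assumptions. The three helpers below are shims for the functions a browser
// provides to PAC scripts, so the file can be run and tested outside a browser.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ipStr, net, mask) {
  const toInt = (s) => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return ((toInt(ipStr) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

function FindProxyForURL(url, host) {
  // Internal resources are the only DIRECT (proxy bypass) exceptions, matched as
  // narrowly as possible: the leading dot in ".corp.example" stops a host such as
  // "evilcorp.example" from matching.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Only literal IPv4 hosts are compared against the internal range; resolving
  // names here would trigger a DNS lookup for every external site visited.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the explicit proxy, with no "; DIRECT" fallback:
  // a fallback would silently bypass the proxy and its policy whenever it is down.
  return "PROXY proxy.corp.example:3128";
}
```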
Proxy configuration
In terms of policy, the proxy should be configured to:
- Restrict executables, libraries, scripts, installers, or other applications to a pre-approved list only.
- Restrict download capabilities of non-approved file types.
- Block active or un-scannable content like macro-enabled or encrypted files.
- Take advantage of website categorization, usually provided by the vendor, to allow only access to websites depending on the needs of the user’s role. Considering malware sites have a high turnover, it would be wise to block new websites or uncategorized websites.
- Detect and block malware via heuristics, reputation, and signature.
Network Access Control (NAC)
If we want to reduce the risk of a rogue device being physically connected to the network, a Network Access Control (NAC) solution is a good mitigation. The NAC solution verifies the authorization and access level of every device or user before connecting it to the network. The connecting device or user is first put in a separate VLAN and, if authentication and authorization are validated, is then connected to the network.
The implementation of such solutions is outside of the scope of this paper, but here are some basic recommendations:
- Since MAC authentication can easily be bypassed with MAC spoofing, we would want to use 802.1x authentication as a priority.
- Certain devices like printers don't usually support the 802.1x protocol; they must be placed in a different network.
- As an attacker could place a hub and use the authentication of a legitimate device to intrude into the network, it is preferable to reduce the time before devices must re-authenticate.
- All unused network ports should be disabled.
- Exposing information like IP addresses or MAC addresses can ease the actions of an attacker and therefore should be tightly controlled.
- Employees should be taught to ask questions and inform the appropriate people if they see new or suspect devices plugged in somewhere.
- There are a few things that can be monitored on the NAC solution that can be indicative of an attack:
  - Uncommon link ups and downs
  - Network speed and duplex changes
  - Changes in frame size
  - Changes in TTLs
A NAC can not only authenticate the user but also validate the security configuration of the client host to check that it satisfies the security policies, for example that it has an up-to-date antivirus.
Virtual Private Networks (VPN)
VPNs are used to interconnect separated hosts or networks over the internet in a secure and confidential way.
There are multiple types of VPN; we will focus here on the two most important, which are IPsec and SSL VPN solutions. The main difference is the protocol level: IPsec is embedded in TCP/IP while SSL/TLS is a layer on top of TCP/IP.
Whatever VPN technology is chosen, it is important to follow the usual security considerations depending on what is available: proper authentication, proper access control, and proper logging. These considerations are out of the scope of this paper and will be covered in other publications.
IPsec
IPsec VPNs are composed of three main protocols: Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP).
- IKE is used first for the authentication of both parties with a key exchange, and thus creates what is called a 'security association' between two devices. IKE supports both Pre-Shared Keys (PSK) and certificate authentication. For better security, we should use certificates signed by a trusted Certificate Authority.
- AH allows the two ends of the communication to ensure that packets haven't been tampered with in transit. At the source, the result of an integrity computation, called the Integrity Check Value (ICV), is put into a special header. The destination does the same computation and compares its result with the ICV value to authenticate the integrity of the packet. AH does not provide encryption.
- ESP is responsible for the encryption. Thanks to the previously exchanged symmetric keys, it encrypts the content of the message.
If you are using a VPN concentrator, we recommend enabling Dead Peer Detection (DPD). That is a mechanism that allows the two peers of an IPsec tunnel to detect that the other peer is no longer reachable and delete the IKE security association.
To go further, NIST Special Publication 800-77 is an up-to-date, state-of-the-art reference for everything related to the encryption mechanisms.
SSL VPN
SSL VPNs work very much in the same way as other SSL/TLS technologies, such as HTTPS. Concretely, that means the tunnel is established through four steps (the famous four-way handshake): the initial handshake, the server authentication, the encryption negotiation, then the key exchange. Data is then forwarded in the tunnel created for the endpoints or networks for which it has been configured, with the negotiated encryption mechanisms and keys.
Since this is very standard, implementing and maintaining such tunnels is quite easy.
However, don't forget to choose a reasonably sized certificate (2048-bit RSA for a Let's Encrypt certificate is more than sufficient). This wonderful tool from the Mozilla Foundation should help you a lot: https://ssl-config.mozilla.org/
It avoids mistakes when you need an SSL configuration for a service you don't know much about.
Here is the usual minimal recommendation for the usage of encryption algorithms in SSL VPN as of the time of publication:
| Setting | Recommendation |
|---|---|
| Cipher | AES-GCM, AES-CTR, AES-CBC, AES-CCM (128, 192, 256-bit keys) |
| Handshake | RSA, DSA, ECDSA with 128-bit security strength: minimum RSA or DSA with 3072-bit key, or ECDSA with 256-bit key |
| Hash authentication | HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 |
| Perfect Forward Secrecy (PFS) | DH14 to DH21 |
Source: ANSSI - Agence Nationale de la Sécurité des Systèmes d’Information. (2020, January 1). Guide des mécanismes cryptographiques. ANSSI. https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf
Traffic monitoring
IDS/IPS
IDS (Intrusion Detection Solution) and IPS (Intrusion Protection Solution) are solutions that can detect and possibly block threats in the network. You will find more detail in one of our future papers.
WAF
A WAF (Web Application Firewall) is a device placed in front of a web server that protects the web services against attacks at the application level. This technology will be discussed in another paper.