Research carried out by my company in both public and private sectors has revealed that nearly a third of companies leave their networks open to attack by installing firewall VPNs in their default configuration, or by failing to follow best practice security principles, thus allowing the VPN to be located and profiled.
It is important to keep firewalls and remote connections hidden to prevent access by unauthorized users. Enterprises should also prevent access to sequential IP address ranges that could be predicted.
The following nine rules should help tighten the security of your firewall:
1. Test the firewall, then review and remove any unnecessary services
Turn off functions that are not being used. For example, offering remote client connections when the organization had no remote users.
2. Restrict your firewall services to authorized IP addresses
Restricting services offered to authorized address ranges only effectively hides their presence to the internet, while enabling the service to be used by intended users. For example, restrict visibility of site-to-site VPN services purely to IP addresses of firewalls within the VPN group.
3. Apply the latest relevant patches and workarounds
Attackers will be able to profile the firewall, VPN location and type (and occasionally version) based on the default ports in use. It is therefore a priority to maintain the latest stable patches for the specific version of firewall software in use, be aware of any threats affecting that version, and use countermeasures against any newly discovered attacks.
4. Enforce logging and alerting to detect attacks
Log and alert on failed port scans or attempted connections to VPN and management ports. This will help detect potential attacks and enable preventative action. Such log information can also provide input to a risk assessment.
5. Organize a spring clean of your firewall policy
If default ports are detected, organize a spring clean of the firewall policy configuration to ensure there are no hidden errors resulting from a default install, that could be used to escalate an attack if one of the perimeter systems is compromised, or if a lower level risk in the firewall itself is exploited. Tight restrictions can limit the extent of an attack, in the event that one of the remote accounts is compromised.
6. Set a limit on the number of failed authentication attempts
Lock out an account and raise an alert after an administrator-defined number of failed authentication attempts. Some firewall password databases do not have brute-force password cracking prevention functions included, however. In such cases, consider handing off authentication to a system capable of doing it.
7. Restrict access to what is needed – server, services, time of day
It's essential that both remote sites and workers should be correctly assigned to user groups. Access should only be enabled per user group based upon the servers they need to access, the services required, and the time and days that work is expected to occur.
8. Enforce appropriate and strong authentication
Apply the most appropriate form of strong authentication based upon the volume of remote users and value of data and systems being accessed.
Two-factor authentication schemes requiring a physical token and user PIN are recommended.
If using username and password authentication, enforce a strong password scheme, requiring a minimum of eight characters, using a combination of digits, and upper and lower case letters.
9. Use account management for remote VPN workers
For remote VPN workers, apply standard account management practices. Monitor use and abuse, and remove the accounts of employees who have left the company. Finally, employ password ageing and log-on ageing.
Roy Hills is technical director of NTA Monitor