Understanding the network boundary

Understanding your organisation’s network boundary is essential to being vigilant and maintaining a high level of security.  Internet at home or in a single-site business can be straight forward. Still, as companies grow in size and complexity, it is easy to lose control by not understanding the boundary infrastructure, how it is maintained, and details of those responsible for its maintenance. This blog is not a comprehensive guide to boundary security but covers essential aspects that will provide an improved level of protection and reduced exposure to risk if implemented. In cases of outsourced firewall management, this also acts as a check against 3rd party suppliers.

Firewall Inventory

Maintaining an inventory of firewalls is an essential starting point for understanding the boundary and how it interacts with the outside world.

  • Do you have an inventory of all firewalls?
  • Does the inventory include the physical locations of each firewall?
  • Who are the manufacturers, and what are the models of each firewall?
  • What are the internal and external network addresses of each firewall?
  • Who is responsible for maintaining the accuracy of the inventory?

If you don’t know where all your firewalls are, then it follows that you will not be able to guarantee that strong passwords are applied, that firmware is up to date, or that firewall rules accurately reflect the requirements of the business. The inventory should also include other information covered in subsequent sections below.

Firewall Passwords

Strong passwords and secure storage of passwords are essential to controlling access to firewalls and preventing unauthorised configuration changes.

  • Have all manufacturer default passwords been replaced with strong passwords?
  • Are you able to verify that strong passwords apply to all firewalls in the inventory?
  • How frequently are firewall passwords changed?
  • What password vault do you have in place to store firewall passwords?
  • Do all persons with knowledge of firewall passwords or access to the password vault have a legitimate business requirement to do so?

Firmware

Firmware is the software installed directly in the hardware. Hardware manufacturers often release new versions of the firmware during the usable life of the equipment.

  • What is the latest version of firmware for each firewall’s make and model?
  • What is the current version of firmware for each of the firewalls in the inventory?
  • Are you able to verify that each of the firewalls in your business has the latest firmware version?
  • When was firmware last updated on each of the firewalls in the inventory?
  • Who is responsible for checking firmware releases and performing updates?

New versions of firmware are often released specifically to mitigate security risks. Not having processes to check and upgrade firmware to the latest version will allow exploitation of vulnerabilities.

Firewall Rules

Firewall rules need documentation for each of the firewalls in the inventory. Rule documentation should include:

  • What is the business purpose of the rule?
  • Does the rule control inbound or outbound traffic?
  • What IP addresses and Network Ports are ‘allowed’ or ‘denied’?
  • Who approved and who created the firewall rule?

Firewall rules change over time as business requirements change, not to mention unauthorised changes to firewall rules. Documentation and ongoing processes will ensure that the rules configured reflect business requirements.

  • When was each firewall in the inventory last checked to ensure that all firewall rules fulfil a genuine business purpose?
  • How frequently are firewall rules checked?
  • Who is responsible for checking firewall rules?
  • Are firewall rules disabled or deleted when they no longer have a legitimate business purpose?

Firewall Management

Having effective processes in place to manage firewall configuration will reduce the risk of unauthorised changes.

  • Can the firewalls in the inventory be administered from outside the network?
  • Which Network Port is used to administer the firewalls from outside the network?
  • Is this different from the manufacturer’s default Network Port?
  • Are time restrictions applied to control the administration of firewall changes from outside the network?
  • When accessing the firewall to manage the configuration, is the connection made using HTTP or HTTPS?
  • Does your business use ‘change management’ process to request, approve, and implement firewall configuration changes?
  • Who is responsible for approving firewall configuration changes?

They called you, remember!

It is a common theme that when you receive a call from your bank or utility providers, for example, telling you that for your data protection they must take you through security so they can identify you. Stop right there! They called you! It is your responsibility to identify them.

Most of these calls come from unknown or blocked numbers. Where you can identify the number, it is often from a pool of numbers which you would most likely not recognise. If they call you, how are you expected to identify them if they refuse to speak with you until you have confirmed your name and given them your date of birth, along with whatever information they require?

  • When someone calls you, you often have no way to verify their identity
  • Fraudsters can use the information provided for identity confirmation to impersonate you

Organisations are good at telling their customers they will never ask for passwords, but they are comfortable asking for all the information needed to have passwords reset. As long as organisations are calling members of the public in this way, fraudsters will be able to mimic that behaviour to steal enough information to act as if they are you.