Tag Archives: Firewall

The most important questions to ask in a firewall rule assessment

25 June 2020

Regular firewall rule assessments are basic IT/OT security housekeeping. Security staff challenge every rule against well-known industry best practice: ANY-computer or ANY-port rules, bi-directional rules, use of insecure protocols such as FTP, Telnet or SMB, unused rules, etc.


Picture 1: Nervennahrung for firewall rule assessments

Compliance with industry best practice can be checked with a plain checklist, so this part of the review can be automated to a large extent. The nerve-racking work starts afterwards, when each finding is discussed with the users.
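As an added illustration of the automatable part of the checklist (not code from the original post), the following script runs the best-practice checks named above over a constructed rule base. The rule fields, the hit counter and the rule export format are assumptions; real firewalls expose them differently.

```python
# Added example: automated best-practice checks over a firewall rule base.
# Rule layout and hit counter are assumptions about the firewall export.
from dataclasses import dataclass

# Ports of the insecure protocols the checklist names (assumed defaults).
INSECURE_PORTS = {21: "ftp", 23: "telnet", 139: "smb", 445: "smb"}


@dataclass
class Rule:
    name: str
    src: str              # host/subnet or "ANY"
    dst: str              # host/subnet or "ANY"
    ports: list           # TCP ports; an empty list means "ANY port"
    bidirectional: bool = False
    hits: int = 0         # hit counter from the firewall; 0 = never matched


def check_rule(rule):
    """Return the list of best-practice findings for one rule."""
    findings = []
    if rule.src == "ANY" or rule.dst == "ANY":
        findings.append("ANY computer")
    if not rule.ports:
        findings.append("ANY port")
    if rule.bidirectional:
        findings.append("bi-directional")
    for port in rule.ports:
        if port in INSECURE_PORTS:
            findings.append(f"insecure protocol {INSECURE_PORTS[port]}/{port}")
    if rule.hits == 0:
        findings.append("not used")
    return findings


def assess(rules):
    """Map rule name -> findings, keeping only rules with at least one finding."""
    return {r.name: f for r in rules if (f := check_rule(r))}


# Constructed sample rule base (not from any real firewall).
RULES = [
    Rule("orders-smb", "10.1.0.0/16", "10.2.0.5", [445], hits=1200),
    Rule("mes-web", "10.1.5.10", "10.2.0.20", [443], hits=50),
    Rule("vendor-any", "ANY", "10.2.0.30", [], bidirectional=True, hits=0),
    Rule("legacy-ftp", "10.1.5.11", "10.2.0.40", [21, 23], hits=0),
]

if __name__ == "__main__":
    for name, findings in assess(RULES).items():
        print(f"{name}: {', '.join(findings)}")
```

Rules that pass every check (here `mes-web`) are omitted from the report; each remaining finding is a discussion item for the rule owner.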

But, in general, the security staff does not challenge the rule itself. Or its direction. Or the ports used.

These questions are asked after the rule has passed the best practice checks. No automation is possible here. They require in-depth knowledge of the services accessed through the firewall, and they belong to the nerve-racking category. But it is worth asking these questions because

The best firewall rule is the one that does not exist.

You need not worry about such rules in the case of a security incident, no regular review is required, and there is no discussion with users. Entrepreneurs should be interested in cleaning up the rule base because it saves costs and increases security.

More about this in the next post.


Picture credits

Picture 1: Vienna 2020. Own work

Windows malware Sarwent got an upgrade. Thou shalt not work with permanent administrative privileges!

23 May 2020

Catalin Cimpanu (1) reports in his post „Windows malware opens RDP ports on PCs for future remote access“, published on ZDNet, that the Windows malware Sarwent got an upgrade: it is now capable of using the Windows command line and PowerShell, adding users, and opening ports in the Windows firewall for RDP access from remote. Since the latter features require administrative privileges on the victim's machine, it is very likely that the victims worked with permanent administrative privileges.

To mitigate the risk, the best approach is to revoke any administrative privileges from standard users. This will not reduce the likelihood of occurrence, but it will reduce the severity of impact of an infection with Sarwent. Furthermore, since the attacker is forced to download tools to fully compromise the victim's computer, the likelihood of detection is increased.

Revoking administrative privileges from standard users is a low-cost, high-impact means to enhance resiliency against cyber-attacks, and should therefore be part of every security strategy.

But it is hard to implement. Managers will face lots of discussions if users must give up beloved habits. It is very important to keep the number of exceptions as small as possible because every exception lowers the overall security level of the company.

Have a great weekend.


  1. Cimpanu C. Windows malware opens RDP ports on PCs for future remote access [Internet]. ZDNet. 2020 [cited 22 May 2020]. Available from: https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

WannaCry, Rumsfeld and Production Firewalls

21 May 2017

Today, firewalls are the preferred means to separate a production network from a company's intranet. Firewall configuration follows the Rumsfeld Conundrum: block everything you don't know!

Rumsfeld Conundrum for firewall configuration

For production management and IT and OT operations, we need some communication between systems in the company intranet and the production network. These required (known) connections are defined in the firewall rule base. The firewall allows communication between these known systems, and blocks any other connection attempts.

As long as the SMB V1.0 protocol is not used for communication across the firewall, the Rumsfeld Conundrum works pretty well.

Unfortunately, the SMB protocol is frequently used to implement required connections between Windows-based computers in the company intranet and the production network, e.g. for the exchange of manufacturing orders. With this, production systems become vulnerable to WannaCry although a firewall is in place because the firewall does not block communication across required connections. In the worst case, if WannaCry spreads across required connections to systems in the production network, this may result in loss of production.

Immediate action is required. The firewall rule base is a good starting point to determine how big the problem is, and to identify the systems that must be immediately patched or otherwise secured, if patching is not possible due to technical or regulatory restrictions.

Firewalls are an indispensable part of a defense in depth concept, but plain packet filtering is no effective means against attacks like WannaCry.

Have a good week, and take care of your production networks.