Are firewalls and patching enough?
Written by Michael Shinn
Friday, 02 March 2012 00:00
We got an interesting question from a potential customer recently that I'd like to answer here. Our customer asked:
"I recently purchased a new dedicated server. I was told the server is managed so not to worry about security, and they will patch the system and also provide a complimentary firewall. Is this enough security for my server? Thank you in advance, I just want to make sure I'm doing the right things to protect my server and data."
The short answer is no.
Based on the information you have provided, it doesn't sound like that's enough to keep your server secure. It's possible the provider is doing more to protect you, so let's go over what else you should do at a minimum to protect your server, so you can ask your provider what else they do. If all they provide is patching and firewalls, you will find that inadequate for today's threats. Read on for more about what you should ask and look for in a good server security solution.

So first, let's talk about what a system needs to be secure in this dynamic world. Any approach to securing a system these days needs to be able to accomplish these things:
1) Prevent attacks
2) Detect attacks and compromises
3) Respond to an attack or compromise
4) Recover from a successful compromise
5) Manage Risk
6) Provide defense in depth
These are the big things in cyber security. Let's start with prevention.
The best-case scenario in any attack is to prevent it from succeeding. As marvelous as firewalls are, they are only good at certain things, not all things. And patching, which is a powerful way of fixing known vulnerabilities, is also not going to protect you from every compromise (although it's a good thing to do; you should patch, and that will help keep the system from being compromised).
So let's start with firewalls. Chiefly, they are designed to prevent people from connecting to your server. This may sound like enough, but keep in mind that you want to let people connect to your server. And firewalls aren't intelligent enough to know if someone is doing something bad. They prevent connections, not attacks per se. Attacks are certainly prevented if someone cannot connect to your server, but what if they can connect? Remember, the firewall prevents connections, so once someone can connect, a traditional firewall's job is largely done.
Think of firewalls more like gates: if they are open, people can come in. A gate doesn't have any intelligence; it can't know that the person walking in is bad and then close itself to prevent that person from walking in. It's either open or closed. So a network firewall isn't going to be much help against an attack that comes through a connection it allows. With that said, some firewalls may have intelligence; more on that in a moment, because you want intelligence too.
So let's look at an example. Let's say you run a website; therefore you need to let people connect to it. So you have to configure your firewall to let people connect to the website. Again, using the gate analogy, the gate is now wide open. So an attacker can access your web server just like a non-malicious person can.
And web applications are complex things; like all software, they too have their share of security holes. To make matters worse (or better, if you are an attacker), it's pretty easy to write a web application these days. So more people are doing it, and for better or worse that means they will have less technical knowledge about writing applications and even less security knowledge (in many cases, they will have no security knowledge). And to make things really bad, web application patching is handled by a totally different system than operating system patches. So, whereas patching is good, it's not going to protect you as well as you may think.
Although your operating system and its applications may be patched and up to date, your web applications probably won't be! Web applications are not managed by the OS's package (or software) management system. So unless your provider is patching your web applications, they aren't getting patched. In some cases, you can't even easily patch your web applications the way you can your OS. To patch the web application you may have to replace files, or you may even have to edit them yourself to fix a vulnerability. And not all managed services are the same; some of them won't patch your web applications, just your operating system.
Finally, patches only resolve known problems. So if your web application has a vulnerability the web application developer doesn't know about, there won't be a patch for it and you'll still be vulnerable to attack. And the bad guys have access to the same operating systems, applications and web applications everyone else does, and they are looking for vulnerabilities. Your software vendors, regrettably, may not be as diligent at finding vulnerabilities in their software. The bad guys are very determined to find problems and exploit them.
So even with up-to-date patches for your web applications, they may still be, and very likely are still, vulnerable to compromise. And if your web applications were written by people who know very little to nothing about security, they may not even know they need to patch their application!
So given that our firewall won't save us, and that patching either may not be occurring for the web applications or is inadequate because the application is still vulnerable, you'll want something to really protect your system. So let's talk about preventative methods that can help.
a) Hardening - this is making the system less likely to be compromised. These are things like configuring applications to their most secure state, disabling things that might make the system insecure, and generally "hardening" the system to make it more resistant to compromise.
b) Immunization - this is similar to a), but here the system is modified so that even if a vulnerability exists, it can't be used to compromise the system. One example is kernel-based security, like stack hardening. These immunizations make it either impossible, or less likely, that a vulnerability can be used to compromise the system. In essence, the "method" that's used to compromise the system either doesn't exist anymore, or is so difficult to exploit that an attacker is unlikely to succeed.
c) Intelligently detect attacks or abnormal behavior, and block it automatically.
Fortunately, such solutions exist. Automated hardening tools will satisfy a), hardened kernels will satisfy b), and intrusion prevention systems will satisfy c).
For web attacks, to detect and automatically block those attacks you will want to use a Web Application Firewall, or WAF for short. And once you have a WAF, you will want to make sure it's well configured, maintained, administered and regularly updated by security experts.
Therefore, you should ask your hosting company if they provide these three things, and also whether they provide a well-managed and regularly updated WAF. If they don't, you'll need to get these capabilities, including the WAF, and plan for how you are going to maintain them, or find a product that will do this for you. You can also use the WAF to "virtually" patch your web application. You can read more about this in a previous blog post.
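To make the "virtual patch" idea concrete, here is an added example (not code from the original post or from any WAF product) of the kind of rule a WAF applies to a request after TLS has been terminated, which is exactly what a port-level network firewall cannot do. The application, its `/download.php` page, its `file` parameter and the rule id are all hypothetical, constructed only for this illustration.

```python
"""Virtual patch enforced in front of an unpatched web application (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical application: /download.php takes a 'file' parameter and, in the
# version we cannot patch yet, does not validate it. Until the real fix ships,
# the rule below only lets through values matching what the page legitimately
# expects (a positive model). That is what "virtually patching" the app means.
VIRTUAL_PATCHES = [
    {
        "id": "VP-0001",  # constructed rule id, not from any rule set
        "path": re.compile(r"^/download\.php$"),
        "param": "file",
        "allow": re.compile(r"^[A-Za-z0-9_-]+\.(pdf|txt)$"),
        "msg": "download.php 'file' must be a plain filename",
    },
]


def inspect(request_line: str):
    """Check one HTTP request line against the virtual patches.

    Returns None when the request may pass through to the application, or a
    (rule id, reason) tuple when it must be refused before reaching it.
    """
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    # parse_qs percent-decodes values, so the rule sees what the app would see.
    params = parse_qs(url.query, keep_blank_values=True)
    for rule in VIRTUAL_PATCHES:
        if not rule["path"].match(url.path):
            continue  # this rule protects a different page
        # Every supplied value is checked, so repeating the parameter does not help.
        for value in params.get(rule["param"], []):
            if not rule["allow"].fullmatch(value):
                return rule["id"], rule["msg"]
    return None


if __name__ == "__main__":
    for line in ("GET /download.php?file=report.pdf HTTP/1.1",
                 "GET /download.php?file=..%2F..%2Fother.pdf HTTP/1.1"):
        print(line, "->", inspect(line) or "pass")
```

The rule is a stopgap: it buys time until the application itself is fixed, and it must be reviewed when the application changes, which is why the post insists the WAF be actively maintained.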
Many companies say they will provide you with these features, but in reality, unless they have actual security experts on staff, it's unlikely they do it themselves and keep these up to date, so ask how they manage these security features, including any WAF they provide. If they have a product that does this, we advise you to ask more about the product, its capabilities and, most importantly, how it's configured and regularly updated to make sure it's still effective. Security products that are just half-heartedly managed aren't going to protect you.
So, you will want to have intrusion detection capabilities, both network-based (sometimes called NIDS or NIPS) and on the system itself, which is often called host-based or kernel-based intrusion detection (HIDS and KIDS respectively). And you will also want timely vulnerability assessments of the system; more on that topic in a moment.
Keep in mind that intrusion detection comes in many forms. The most popular and common is called network-based intrusion detection (NIDS). This is a technology that was invented in the 1990s and works by "sniffing" traffic on the network looking for signs of attack. And as important and powerful as NIDS is, it's largely ineffective for SSL-based web and other encrypted protocols. Don't get me wrong, it's a useful tool, but it's also a limited tool, in the same sense that a hammer is good for hitting nails but not very good at tightening a bolt. The right tool for the right job. A NIDS is also not going to be able to see what people are doing on your system, which is where most of the mischief occurs. So you will need more than just a NIDS.
The parable with detection is this: if you can't see the attack, you can't defend against it either. So if you only have a network-based intrusion detection service, that's the least desirable solution. Also, keep in mind that some vendors and providers advertise "firewalls with IDS". These are usually just network-based firewalls with a network-based IDS; in short, a firewall and a NIDS. A good IDS should be able to view the traffic after it's been decrypted, which is difficult if not impossible for a NIDS and/or firewall to do.
A good detection solution should also be able to stop the attack in real time and then alert you about it. A solution that tells you that you have been hacked and does nothing about it isn't much of a solution. So any IDS should also be able to prevent the attack before it succeeds.
The next element you should have is regular vulnerability scans, combined with event correlation of vulnerabilities. This will help you to know if an attack can succeed given your current security controls, and whether a vulnerability really exposes you and is worth mitigating. Event correlation with vulnerability data will tell you two things:
1) That an event, such as an attack, occurred
2) Whether it succeeded, did not succeed, or could not have succeeded
This will help you to know if you have had a compromise, which is crucial. Modern attack tools can do a great job of covering up a compromise, so that you won't otherwise be able to know if your system was compromised. So having good attack detection tools that correlate event information and vulnerability information will help you to prioritize which attacks are really worrisome.
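The correlation described above, written out as an added example (this is not code from the original post or from any product). The hosts, ports, alerts and the `EXAMPLE-VULN-*` identifiers are all constructed placeholders, not real scan output or CVE numbers; the `blocked` flag stands in for whatever a WAF or IPS reports about whether it stopped the request.

```python
"""Correlate IDS alerts with vulnerability-scan results (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    host: str
    port: int
    vuln_id: str  # constructed placeholder ids, not real CVE numbers


@dataclass(frozen=True)
class Alert:
    host: str      # server the attack was aimed at
    port: int
    vuln_id: str   # vulnerability the detected exploit attempt targets
    blocked: bool  # True if a preventive control (WAF/IPS) stopped it


# Constructed scan results: the holes that are actually exposed on each server.
SCAN_RESULTS = {
    Vulnerability("web1", 443, "EXAMPLE-VULN-0001"),
    Vulnerability("web1", 443, "EXAMPLE-VULN-0007"),
}

# Constructed IDS alerts for one day.
ALERTS = [
    Alert("web1", 443, "EXAMPLE-VULN-0001", blocked=False),  # exposed, not stopped
    Alert("web1", 443, "EXAMPLE-VULN-0001", blocked=True),   # exposed, but stopped
    Alert("web1", 443, "EXAMPLE-VULN-0042", blocked=False),  # server not vulnerable
    Alert("web1", 22, "EXAMPLE-VULN-0007", blocked=False),   # hole is on 443, not 22
]


def classify(alert: Alert, scan: set) -> str:
    """Return what correlating one alert with the scan data tells us."""
    exposed = Vulnerability(alert.host, alert.port, alert.vuln_id) in scan
    if not exposed:
        return "could-not-succeed"  # the event occurred, but the target lacks the hole
    if alert.blocked:
        return "prevented"          # the hole exists, but a control stopped the attempt
    return "likely-compromise"      # the hole exists and nothing stopped it: investigate


def triage(alerts, scan):
    """Group alerts by outcome so likely compromises are handled first."""
    report = {"likely-compromise": [], "prevented": [], "could-not-succeed": []}
    for alert in alerts:
        report[classify(alert, scan)].append(alert)
    return report
```

A "likely-compromise" result is the case the post warns about: the attack tool may have hidden its tracks on the server, and only the correlation of the alert with the scan tells you to go and look.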
Which brings me to the discussion of how a security provider will respond to attacks. Patching and firewalls will definitely not help you here. You should ask your provider if they provide 24/7 coverage, and whether they have adequately qualified and trained security staff to not only detect but also respond to security incidents. A very important question to ask is what they do if they detect an attack: will they block those attacks? And if so, how quickly?
For example, some companies will provide an IDS, but consider it your responsibility to monitor reports and tell the company what actions, if any, they should take after an intrusion has been detected. This means that nothing will be done about an attack until you look into it, and at that point it's already too late. You don't want a service that requires you to do all the work and will leave you open to attacks for hours or even days.
A service provider may also alert you to attacks in real time, but not block them, and will wait for you to tell them what to do. This "reactionary" approach to security is fairly common. It's also understandable why some companies do this: it may be cheaper, but it's really about the path of least resistance. You do not want them to block something they shouldn't, so the scorched-earth method is to not block anything at all and to just alert you. It's certainly less error-prone, but it's also nothing more than detection of a crime after it's occurred. If they lack the expertise to confidently block real attacks, then the service they are providing isn't worth your money. So know what you are getting and not getting.
One last thought on detection-only approaches to security, as opposed to prevention. Detection only can be a huge disappointment when a crime occurs. For starters, detection only means what it says: no prevention. So, by definition, the crime will likely succeed. If your IDS just detects an attack and won't prevent it, walk away. That's not much of a service.
Second, if you can't prevent an attack, whatever you wanted to protect will be stolen, modified, destroyed, etc. You may be able to recover from that, but you also may not. For example, if an attacker steals your customers' data, that may spell financial ruin for your business in the form of lawsuits or, if you are in a jurisdiction with data protection laws, possible criminal prosecution. At the very least it's going to hurt your business with your existing customers, and possibly with future customers who may be wary of doing business with you.
And in all cases, it's unlikely that you will catch the attacker. So don't rely on promises that a provider will help you track down the bad guys, or that law enforcement will help deter criminals from breaking into your system. It's simply too easy to route an attack through someone else's compromised system, which makes it next to impossible to find the real source. And when you add in all the ways people can get on the Internet without using a connection that's traceable to them (wireless, cafes, etc.), it becomes very hard to imagine you would find your attacker. Add in the international nature of the Internet, and that cyber criminals may be in other countries, and you may never be able to get the bad guys. So be realistic about what you get from detection only.

Recovery
And last, but not least, you want to make sure a managed service includes regular, reliable and easily restorable backups. Much like responding to attacks, patching and firewalls aren't going to help you with this either.
Keep in mind that some intrusions may succeed. So you need a plan to respond to the worst case. A successful attack may require you to restore files or the system to a trusted, or undamaged/unvandalized, state. In security, an often overlooked element is "recovery". If your service provider doesn't provide backups, or doesn't have some easy method for you to restore your backups and let you know that they will be reliable when you need them, find a provider or solution that will do this for you.
If a managed provider is just patching the server and providing firewalls, then you would be missing much of the vital capability to prevent, detect and recover from attacks explained above.
Managing risk is possibly the most important thing. You will want to carefully evaluate what you plan to do with the system, what information the system processes and stores, what access the server provides and what the consequences of a compromise may be. You will also want to honestly ask who might want to compromise the system, and what the system is worth to them. These things will help to inform the actions you take to protect the system, and will help you to decide if you need to do more to protect it. Security is not a set of products, or a state; it's a process. A constant, ongoing, continuous process of evaluating and managing risk. You need to be aware of what the attackers are capable of doing, and what you are capable of protecting against. If you can't do this yourself, and your provider cannot do this, then you will want to find experts to do this for you.
Defense in Depth
And finally, security must be based on the concept of defense in depth. No one thing is going to be perfect or effective alone, so you shouldn't rely on one thing. Firewalls and patching are important; you should do these things. You shouldn't think they are not worth your time because they don't exclusively solve the problem. As I said before, security is a process, not a product. It takes all of the things in this document at a minimum, but you may need more than just this.