There’s no denying that IT managers have had to work quickly in recent weeks to get teams set up for remote working. The current coronavirus crisis, which has forced the country into unprecedented lockdown conditions, has meant IT managers have had to get all but essential workers set up for working from home, with sometimes hundreds of employees now working off-site. This has posed something of a security nightmare for IT managers.
It hasn’t just been a case of distributing a large number of company laptops. In most cases, the hardware simply hasn’t been available anyway, and companies now find themselves with tens or hundreds of personal devices accessing sensitive information from disparate locations. The integrity of company firewalls and security processes has rarely been so important.
So what should you be paying particular attention to?
Your firewall under pressure
No matter how set up for large-scale remote working your company was pre-coronavirus, the chances are you’ll be relying on at least some of your workforce being able to use their own devices during the lockdown. But all these additional internal remote users present an increased threat for your firewall.
All those new devices, which, as an IT manager, you have likely never laid eyes (let alone hands) on, are now accessing your network from behind the firewall, each with its own applications, storage devices and security measures. It probably makes you shudder just to think about it. But as long as your firewall is configured properly, your network should remain secure.
Deny everything
The best way of protecting your network is to ensure there is no direct routing between external networks (especially the internet) and your internal one. Make sure you have a system in place for monitoring all inbound and outbound network connection attempts, and have a process in place for reporting and blocking network intrusion.
Best practice when it comes to setting up access is to start from a position of ‘deny everything’. That’s a tricky position to take when you’ve had to rush to get entire teams working from home without an interruption to business, and some managers may have opted to ‘allow all’ access with the intention of locking it down at a later date, when they know exactly what needs to be allowed through. This is folly. For starters, this later lock down invariably lingers on the to-do list, often never being implemented. And secondly, it only takes one nefarious user to cause untold havoc. Slowing down and doing things properly in the first instance will pay dividends.
Server security
Your users are going to be accessing your servers while they are isolating at home, but that doesn’t mean they need unfettered access to every corner of them. Set some rules around which ports allow what sort of access to your servers. If you know inbound traffic is only required on two TCP (Transmission Control Protocol) ports, don’t create a rule that permits all inbound TCP to that server – create one that allows only the necessary ports.
To make things easier, you could create an object group in your firewall containing the IP addresses of all the devices your end users connect to your network through. Perhaps you’ll have a group for the accounts department, another for marketing, and another for the managers or team leaders. You can then pair each user group with the servers it needs (for example, all your web or email servers) and write a single rule permitting only the specific ports and protocols from that group to the entire group of servers at once.
Email servers
Your users are going to be relying on their email applications more than ever – on top of all the client communications they would generally make, they are going to be pinging emails back and forth to keep in touch with their colleagues, teammates and managers. It’s vital, therefore, to ensure your email servers are set up to work well within your firewall.
If your company uses Exchange, it may be that you have your RPC (Remote Procedure Call) proxy server sitting in your perimeter network, with the Exchange and other Active Directory servers in the internal part of your network. This has the potential to cause you some issues, as it means more ports are unnecessarily opened on your internal firewall. Rethinking your set-up and implementing RPC over HTTP through a forward proxy (such as an ISA server) means there is a narrower range within which these dynamically assigned ports need to be defined, giving you a more secure configuration.
Segregation of duties
One of the most effective controls against internal threats to the firewall is segregation of duties. This essentially means no one person within an organisation is responsible for the completion of critical work functions. Having a buddy system for getting these functions completed and signed off will minimise the chances of one person (or their device) being targeted in a way that can bring critical functions to a halt. This segregation of duties can be supported by the use of architectural security controls, most notably your internal firewall.
It’s important to note that segregation of duties can be infuriating for the end user. If you do it right, there is little chance of a dissatisfied user being able to circumvent these protocols, but you should nevertheless try to make these processes as painless as possible.
Shut down unused services
There are many ways to configure a good network these days, and your company will have its own way of doing things. But there are a few good habits you can get into that will provide the best protection for your internal firewall.
Your remote workers will undoubtedly now be connecting to your corporate network through a secure VPN. But in order to additionally reduce the risk in your environment, you should consider application and service hardening. Get familiar with the ports that are required for various services, and then uninstall or disable those that are unused. This is going to reduce unnecessary exposure.
Check your outbound traffic
In many firewalls, the default policy for outbound traffic is to allow any source address that is syntactically correct. This is overly permissive for any network, whatever its size, and can cause all manner of security headaches for IT managers.
As a bare minimum, you should be configuring policies that do the following:
- Block spoofed IP addresses
- Only allow traffic from address space you actually use
- Block outbound traffic from VLAN network segments that have no business establishing client connections to internet servers
- Understand the implications of using layer-2 firewalls in internet firewall deployments
- Block outbound traffic with DROP-listed destinations (see Spamhaus, for example)
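The ‘deny everything’ starting point, the object-group rules from the server security section, and the outbound checklist above, modelled as a small policy evaluator. This is an added example, not M247’s code or any particular firewall’s syntax; every address, group and the DROP-list entry are constructed placeholders, so swap in your own address space and a real DROP feed before drawing conclusions from it.

```python
import ipaddress
from dataclasses import dataclass

# Object groups: named sets of servers, as a firewall would define them.
# All addresses in this file are constructed placeholders, not a real network.
OBJECT_GROUPS = {
    "web_servers": {"10.0.10.5", "10.0.10.6"},
    "mail_servers": {"10.0.20.5"},
}
# Inbound allow rules (group, protocol, ports): only the ports a group needs.
INBOUND_ALLOW = [
    ("web_servers", "tcp", {443}),
    ("mail_servers", "tcp", {25, 587}),
]
# Our address space: spoofed if seen as an inbound source or missing as an outbound one.
OUR_SPACE = [ipaddress.ip_network("10.0.0.0/8")]
# VLAN segments (printers, building control, ...) that never need the internet.
NO_INTERNET_SEGMENTS = [ipaddress.ip_network("10.0.99.0/24")]
# Constructed stand-in for a DROP list such as Spamhaus's; not a real listing.
DROP_LIST = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def _in_any(addr: str, nets) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in nets)

def inbound_decision(flow: Flow) -> str:
    """Inbound: drop spoofed sources, match the allow list, otherwise deny."""
    if _in_any(flow.src, OUR_SPACE):
        return "deny:spoofed-source"
    for group, proto, ports in INBOUND_ALLOW:
        if flow.dst in OBJECT_GROUPS[group] and flow.proto == proto and flow.dport in ports:
            return "allow"
    return "deny:default"  # the 'deny everything' starting position

def outbound_decision(flow: Flow) -> str:
    """Outbound: only our own space may originate traffic, listed segments
    may not reach the internet, and DROP-listed destinations are blocked."""
    if not _in_any(flow.src, OUR_SPACE):
        return "deny:spoofed-source"
    if _in_any(flow.src, NO_INTERNET_SEGMENTS) and not _in_any(flow.dst, OUR_SPACE):
        return "deny:segment-no-internet"
    if _in_any(flow.dst, DROP_LIST):
        return "deny:drop-listed-destination"
    return "allow"
```

Note that the mail group is reachable only on its two listed TCP ports: a request to the same host on a different port or protocol falls through to the default deny rather than needing its own block rule.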
Communicate the risks
One of the easiest, most important things you can do to ensure the security of your network is to educate all workers about the various risks associated with remote access. Keep them informed about the latest phishing and malware scams that are doing the rounds. Make sure they know they should only be logging on to trusted sites, especially if they are going to be using the family laptop to access your company network. And if you don’t already have one, you will need to draw up a remote working policy and share this with your teams (along with any necessary training) so that they understand what you are asking of them, and can see the importance of complying.
We’ll protect you
M247 offers a range of managed firewall solutions for businesses of all sizes. All our firewalls, whether hosted, virtual, dedicated or on-site, are based on tried-and-tested hardware and come preconfigured and fully managed. Each of our firewalls offers you the security of complete Unified Threat Management, and includes virus scanning, anti-spam, web filtering and intrusion prevention as standard. We can also support you with further security measures such as Disaster Recovery (DRaaS) to provide a full circle of protective solutions. Get in touch today to discuss your needs, and we’ll tailor a solution to keep you safe and secure.