Firewalls may be secure in themselves, but as attackers' tactics evolve, the data and applications behind them remain exposed. In 2022, the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) identified new malware, Cyclops Blink, attributed to Sandworm, an operation linked to Russia's GRU. Cyclops Blink targets firewall devices and gives its operators remote access to the network behind them, leaving the data there open to compromise. In a data-driven world, organizations need to understand how firewall security can be extended with a data-centric security model in order to protect data and applications.
Maria Teigeiro is a Solutions Architect who has over 25 years of experience in the security field. A self-described “security magician,” Maria specializes in helping organizations out of their old access-centric, black and white perimeter security days, and into a data-centric security model.
In the eighth episode of the NextLabs Cybersecurity Expert Series, we sat down with Maria to gain some insight into how the role of firewalls in data security has evolved over time. She covers the early history of firewalls, their evolution, and their role in today's rapidly changing digital landscape. Read her insights below or watch the full Q&A video on our YouTube channel.
Where do firewalls come from and how were they created?
So, firewalls came from routers. In the early days of the internet, everybody just had routers to connect servers to each other. And over time, what they realized is, some security was necessary. You know, there are some places that you didn't want everybody to get into. So, [companies] created filters on these routers to define which IP addresses they would allow to go to which other IP addresses. As things progressed and the internet grew, they got a little bit more sophisticated, and so these filters then started to be source IP address, source port number, destination IP address, destination port number, and then the action, which was either drop or allow. In the early days of the internet, every server was a different TCP or UDP port number. So, we had SNMP, which was UDP port numbers 161 and 162; mail was SNTP, which was TCP port 25. So, every server had its own port. As things progressed, we developed firewalls. And firewalls were designed with the idea of — it's okay to pause, because we are going to examine the traffic that is coming through and apply some security logic to it. So, these firewalls were cognizant of the TCP state — was this a connection that was open, or was it not one that should be open anymore? And then, they also developed some intelligence around the traffic, understanding what the valid commands are. So, firewalls were built for security and with an understanding of the different protocols that were going through the firewalls.
How have things changed since the days of early firewalls?
So, as mentioned before, these firewalls were built around the concept of source IP address, source port number, destination IP address, destination port number. Of course, as the internet grew, these lists got extremely long. There were companies that I worked with that literally had 50,000 entries in their firewall policy.
Then, we got a little bit more sophisticated, and started using this concept of zones. Zones were great, because we had the trust zone — the things that we trusted on the inside — and the untrust zone — the things on the outside that we didn't trust. There was also the demilitarized zone (DMZ), which was kind of like the grey area between those two zones. Unfortunately, as we progress in our technology, so do the bad guys. So, malware started becoming more sophisticated, things were able to move from side to side, and therefore the idea of zones wasn't very useful. Beyond that, there is the fact that these days everything is written over port 80 or 443. So, it's HTTP traffic or encrypted traffic, or TLS traffic that we don't really have very much visibility into. If you look at the policy, you would just see that everything would be the source address, destination address, and everything would be port 80 or port 443. That's not very effective anymore. What we've started doing is, we've started hanging all of these other things off of the firewall — for a secure web gateway that would use some URL filtering, we would hang a proxy to proxy the port 80 connections; we would have a secure email gateway to do some email inspection. So, firewalls really started getting a little bit less useful.
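To make the mechanism in the two answers above concrete, here is a small stateful packet filter written for this article (it is added example code, not from the interview or from NextLabs): rules are the five-tuple of source address, source port, destination address, destination port and action, evaluated first match wins with a default drop, and the filter tracks TCP connections so that reply packets are only admitted for connections it saw opened. The addresses, ports and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR, e.g. "10.0.0.0/8"
    sport: Optional[int]  # None matches any port
    dst: str
    dport: Optional[int]
    action: str           # "allow" or "drop"

class StatefulFilter:
    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(r.src), r.sport,
                       ipaddress.ip_network(r.dst), r.dport, r.action) for r in rules]
        self.conns = set()  # (src, sport, dst, dport) of connections opened by an allowed SYN

    def _match(self, src, sport, dst, dport):
        # First matching rule decides; no match means default deny.
        for s, sp, d, dp, action in self.rules:
            if (ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
                    and sp in (None, sport) and dp in (None, dport)):
                return action
        return "drop"

    def packet(self, src, sport, dst, dport, syn=False, fin=False):
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.conns or reverse in self.conns:  # part of a tracked connection
            if fin:
                self.conns.discard(key); self.conns.discard(reverse)
            return "allow"
        if not syn:          # mid-stream packet for a connection we never saw open
            return "drop"
        action = self._match(src, sport, dst, dport)
        if action == "allow":
            self.conns.add(key)
        return action

# Constructed policy: inside (10/8) may reach any HTTPS server; anyone may reach the mail host on 25.
RULES = [Rule("10.0.0.0/8", None, "0.0.0.0/0", 443, "allow"),
         Rule("0.0.0.0/0", None, "10.0.0.5/32", 25, "allow")]

def demo():
    fw = StatefulFilter(RULES)
    return [fw.packet("203.0.113.7", 40000, "10.0.0.9", 443, syn=True),  # inbound, no rule: drop
            fw.packet("10.0.0.9", 50000, "203.0.113.7", 443, syn=True),  # outbound web: allow
            fw.packet("203.0.113.7", 443, "10.0.0.9", 50000),            # reply on tracked conn: allow
            fw.packet("203.0.113.7", 443, "10.0.0.9", 50001),            # untracked, not SYN: drop
            fw.packet("198.51.100.2", 2525, "10.0.0.5", 25, syn=True),   # inbound mail: allow
            fw.packet("10.0.0.9", 50000, "203.0.113.7", 443, fin=True),  # close the web conn
            fw.packet("203.0.113.7", 443, "10.0.0.9", 50000)]            # after close: drop
```

Note that the first rule admits every outbound HTTPS destination alike; the filter cannot tell one port 443 server from another, which is the visibility gap the second answer describes.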
Where do firewalls work and fail in today’s architecture, and do we still need them?
In today's day, we have a firewall with a lot of other ancillary devices hanging off it to provide specialized services. Do I think firewalls are still useful? Absolutely. You still need to lock the front door; you still need some sense of what you're allowing in and out. However, we need to look at things through a different lens. The concept of source IP address and destination IP address does not work as much anymore. Everything is URLs. The same IP address may have dozens, or hundreds of thousands, of URLs that are hanging off of it. And that might be some of the things that we may want to restrict access to. So, from that perspective, firewalls are not as valuable. Furthermore, most of the traffic is encrypted. Encrypted traffic is very expensive computationally to inspect. So, we start wondering if it makes sense to use that kind of a model anymore. At the end of the day, if you look at things today, there are HIPAA fines and PCI fines. If we look at security through the lens of what we want to protect — we need to start with the data. So, a data-centric security model is really saying — let's start with the data that we want to secure, determine the policies that apply to it, then look at security through that lens, as opposed to what are we going to allow access to and what we're not going to allow access to.
How do you use zero-trust and data-centric security to extend firewall security?
When you start with the data, and you start securing things in that way, there is a need for a zero-trust model. A zero-trust model is saying that we're not going to implicitly allow things — going back to our earlier discussion of early firewalls where there were zones, and we just allowed everybody in one zone — we need to recognize that that's just not appropriate. This is because malware can traverse laterally and infect things in there; we also need to recognize that different data requires different levels of access. So, when companies start with a data-centric security model, combining this with the concepts of zero trust, and taking away the simplistic trust model, they really start going into a more sophisticated environment. This allows them to define policies based on which data is allowed to move, where it is allowed to move, and which users can have access to the data.
Discover more from NextLabs’ Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.