Firewall – a tool not a solution
A line of defence
When the topic of security comes up many think of the firewall as the solution. In fact the firewall is a product – security is a state of mind. Security means different things to different people and much depends upon an individual or an organisational ‘appetite for risk’. Security is as much down to the individual’s attitude towards good practice as it is to the features of a highly specified intrusion detection system (IDS). Secure systems will consider all threats and employ practices, products and monitoring systems to evidence effectivness.
Firewalls are deployed to secure the perimiter of a network or sub-network. The perimiter may be to an untrusted public network such as the Internet, an internally segmented process network that requires data from a remote system or a remote maintainer gaining access from home or a hotel.
An un-monitored and un-patched firewall may provide certain individuals with a sence of security. Much like the ‘Emporer’s Clothes’ https://www.phrases.org.uk/meanings/the-emperors-new-clothes.html this sence of security wiill not keep the crown jewels safe from prying eyes. In cyber terms a targetted attack will compromise a vulnerability and, with no monitoring in place, the breach of security will likely go un-notivced.
A correctly deployed firewall is an extremely effective and therefore important tool in a network security system. The able to look into the data transmission header information and filter out (drop) unauthorised traffic flows, then report on the drop, is the primary firewall role. Following good practice, where two independant firewalls protect a process critical network from any untrusted network, a network perimeter can be robust and the benefits of using ‘open’ transmission technologies realised.
Awareness is the key
Operational ‘OT’ Technology networks (e.g. SCADA) tend to be predictable when it comes down to the devices in the system and the communication that they need. Determining what normal conenctivity and activity looks like is relatively straightforward. Understanding what normal looks like and setting various thresholds based upon normal allows the abnormal to be detected. Detection of abnormal network activity can be an indicator of failure, degraded operation or compromise.
IT4A have developed a network security operations centre service for OT environments that uses a combination of polling and generic device log data to visualise abmormal activity for further investigation.
If you would like to talk to IT4A, discuss and potentially review your security position, please contact us here.