I Have a Next Gen Firewall – Safe Now, Right?

So you went ahead and took our advice(1, 2, 3) (and many others' advice), spent good money ($$) and got a nice NGFW (Next Generation Firewall).

How about the PA (Palo Alto)?

[image: Palo Alto next-generation firewall]

We gave the advice to get a NGFW last year and again early this year in our posts. The PA may be one of the best new devices, but it still has to be hardened. And just to prove this: a German consulting company, ERNW (ERNW.de), tested the PA appliance and presented their results at the Troopers conference(4) in a talk titled “Attacking Next Generation Firewalls”.

[image: Troopers conference logo]

The security researchers analyzed the PA-500 appliance running PAN-OS. It presents a slimmed-down command line interface (CLI), but underneath the CLI it is Linux at its core.

The researchers attacked the device using several different methods, including attacking the management network interface and the web pages it serves from three separate web server instances.

There are 3 attack surfaces:

  1. The management interface
  2. Content-ID, App-ID, and User-ID, reached from untrusted network segments
  3. GlobalProtect/VPN, reached from the Internet
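The point a practitioner takes from that list is that surface 1 must never be reachable from the segments that can reach surfaces 2 and 3. The following is an added example, not code from the original post and not from ERNW or Palo Alto: a check a SecOps team could run over its own scan results. It parses nmap greppable (-oG) output taken from two vantage points (the trusted management segment and an untrusted segment) and flags any management-plane service that answers from the untrusted side. The port-to-surface mapping (22/443 for management, 443 for the GlobalProtect portal), the addresses and the scan output are assumptions constructed for illustration; adjust them to what your appliance actually exposes.

```python
import re

# Assumption (for illustration only): which listening services belong to which
# of the three attack surfaces. On PAN-OS the management interface serves SSH
# (22) and the web UI (443); an untrust interface answering on 443 is assumed
# to be the GlobalProtect portal/gateway. Adjust to what your appliance runs.
MANAGEMENT_PORTS = {22, 443}
VPN_PORTS = {443}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_nmap_grepable(text):
    """Return {host: set(open TCP ports)} from nmap -oG (greppable) output."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        host = match.group(1)
        ports = {int(p) for p in OPEN_TCP_RE.findall(line)}
        hosts.setdefault(host, set()).update(ports)
    return hosts


def exposure_report(scan_text, vantage, management_hosts):
    """
    Classify every open port seen from `vantage` ("trusted" or "untrusted").
    Returns a list of (host, port, surface, verdict) tuples.
    """
    findings = []
    for host, ports in parse_nmap_grepable(scan_text).items():
        for port in sorted(ports):
            if host in management_hosts and port in MANAGEMENT_PORTS:
                surface = "management interface"
                verdict = "CRITICAL" if vantage == "untrusted" else "expected"
            elif port in VPN_PORTS:
                surface = "GlobalProtect/VPN"
                verdict = "expected" if vantage == "untrusted" else "review"
            else:
                surface = "other service"
                verdict = "review"
            findings.append((host, port, surface, verdict))
    return findings


def critical_findings(findings):
    """Only the items that mean the management plane is reachable from outside."""
    return [f for f in findings if f[3] == "CRITICAL"]


# Constructed sample output (not a real scan): a scan run from the untrusted
# side. 203.0.113.10 is the firewall's untrust address, 192.0.2.1 is its
# management address. That the management address answers at all from this
# vantage point is the misconfiguration the check is meant to catch.
UNTRUSTED_SCAN = """# Nmap 7.93 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# The same appliance scanned from the trusted management segment (constructed).
TRUSTED_SCAN = """Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
"""

MANAGEMENT_HOSTS = {"192.0.2.1"}

if __name__ == "__main__":
    for vantage, scan in (("untrusted", UNTRUSTED_SCAN), ("trusted", TRUSTED_SCAN)):
        print(f"--- seen from the {vantage} segment ---")
        for host, port, surface, verdict in exposure_report(scan, vantage, MANAGEMENT_HOSTS):
            print(f"{verdict:9} {host}:{port} ({surface})")
```

Run against the constructed sample, the untrusted-side scan yields two CRITICAL findings (SSH and the web UI on the management address) and one expected finding (the VPN portal on the untrust address); the trusted-side scan yields none. Feed it real `nmap -oG` output from both vantage points and any CRITICAL line is the hardening gap to close first.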


It is interesting what security researchers can do with a little ingenuity and some reverse engineering.

So I bet you are asking now: I really do not want to read a bunch of security mumbo jumbo, I just want to know if it is safe or not.

Can somebody hack my new-fangled NGFW, or not?

I do not want to get into any more of the technical aspects, and I can still answer the question: yes, somebody can hack your new-fangled device.


Because security is not a single device.


Security is a combination of things, including state-of-the-art technology, but it is not only the technology. Security is people, process and technology, and the people and the process are a big part of it.

You have to have personnel constantly keeping up with new attack methods and attacking your environment with new ideas, including attacking your NGFW, because the hackers don't know the difference: they just see the device as another IP address with services running on it.

In one of my previous posts(5) there is a list of departments at an enterprise:

Security operations, threat intel, desktop encryption, forensics, vulnerability scanning, and management.


Why do you need so many people and specialties? Because each portion is a specific specialty and requires its own expertise.

The hackers have this organization:

[image: Kaspersky Lab diagram of the cybercrime underground organization]

They have specialists working on ways to bypass your operations department, they have the specialist spammer, the mules to transfer money and goods, the distributors, and of course the malware writers.

Notice that the specialization is similar to that in security departments.

I don't have to repeat the security researchers' details to tell you to quickly fix A, B, or C. That is what your SecOps people should be doing; in fact, they should already be doing whatever is necessary.

Because the criminals are knocking at your door and checking you out. If you have a weakness, they will find it... eventually.


Contact Me to discuss this if you have not set up the proper processes yet.

  1. http://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/
  2. http://oversitesentry.com/2016-new-year-new-firewall-which-one/
  3. http://oversitesentry.com/2-steps-stops-all-cyberattacks/
  4. https://www.troopers.de/media/filer_public/a5/4d/a54da07e-3780-4f83-b4ac-8c620666a60a/paloalto_troopers.pdf
  5. http://oversitesentry.com/mentoring-future-it-cybersecurity-ethical-hackers/