Posts Tagged ‘firewalls’

Editor’s Note: This is part three in a three-part series on remote access in harsh environments. Part one of the series details the emergence of harsh environment threats, while part two covers the risks of outdoor access points.

By Patrick Oliver Graf, General Manager NCP engineering

VPN: The Indispensable Barrier

So then, how do you secure SCADA systems against such attacks? The answer is simple: with the same measures as a regular corporate network. This means providing a protective mechanism, such as a firewall, between regulation and control units and external Internet traffic. Firewalls analyze each access to the system and block suspicious traffic or access to certain ports.

Furthermore, IPsec VPNs, with DES or AES encryption, are essential. When protected tunnels are used to carry data traffic, it is impossible for hackers to listen in on the data packets of PLCs, Local Control Units or RTUs, analyze them and draw conclusions about the technologies and systems employed in the SCADA network at hand. If the SCADA infrastructure is decentralized and has endpoints in various locations, it is sensible to implement an additional VPN server and a gateway. Here the gateway acts as a firewall and guardian, deciding which data from which systems receives network access.

Today, controls, data capturing systems and automation systems are as prone to hacker attacks as PCs, servers and notebooks in a LAN. Therefore, those systems need the same amount of protection. This is especially true for systems with remote access connections, and remote access requires the use of VPNs and the corresponding servers, clients and gateways. With that, a VPN is indispensable – even in harsh environments.

By Dr. Avishai Wool

Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said that the single most important factor of your firewall’s security is how you configure it, yet according to feedback provided by payment card brands and PCI auditing firms, 80 percent of firewalls examined in a breach investigation are misconfigured.

Curious about this phenomenon, I obtained rule-sets from a variety of corporations that use the AlgoSec Firewall Analyzer [ed. note: Wool is CTO of AlgoSec]. Considering 36 vendor-neutral configuration errors that create risk behind the firewall, I evaluated more than 80 Check Point and Cisco firewall rule sets. After determining a measure of firewall complexity for each vendor, I discovered that indeed firewalls are poorly configured – and that there is a strong correlation between a rule-set’s complexity and the number of detected configuration errors.

Serious errors are alarmingly frequent. For instance, Microsoft services, which are a vector for numerous Internet worms, are allowed to enter networks from the outside in 42 percent of the surveyed firewalls. Furthermore, among the most complex firewalls, I detected at least 20 errors in 75 percent of the configurations.

Complex firewall rule-sets are too difficult for their administrators to manage effectively. It is safer to limit the complexity of a firewall rule-set. For example, instead of connecting an additional subnet to the primary firewall, which in turn generates more rules and objects, a company can reduce its risk by installing a dedicated firewall to protect the new subnet.

As my research indicates, there are very few high-complexity rule sets that are well-configured. Furthermore, there is a clear correlation between rule set complexity and the number of detected errors. Thus, we can say that for well-configured firewalls, good things come in small packages.
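As an added illustration of the kind of audit described above (example code, not AlgoSec's product or Wool's actual checks), the script below scores a small constructed rule-set for complexity and flags two of the classic error classes: rules shadowed by an earlier rule, and Microsoft services reachable inbound from the outside. The complexity formula, the port set and the rule-set are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed set of Microsoft networking ports (RPC, NetBIOS, SMB); the
# article does not name specific ports.
MS_PORTS = {135, 137, 138, 139, 445}
ANY = "any"

@dataclass
class Rule:
    src: str              # source object name, or "any"
    dst: str              # destination object name, or "any"
    port: Optional[int]   # TCP port; None means any service
    action: str           # "allow" or "deny"

def complexity(rules, objects, interfaces):
    """Assumed complexity measure: rules + objects + interface pairs."""
    return len(rules) + len(objects) + interfaces * (interfaces - 1) // 2

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.src in (ANY, b.src) and a.dst in (ANY, b.dst)
            and a.port in (None, b.port))

def find_errors(rules, external_src=ANY):
    """Return (rule index, message) pairs for two error classes:
    rules shadowed by an earlier rule (first-match semantics assumed),
    and Microsoft services allowed inbound from the external side."""
    errors = []
    for i, r in enumerate(rules):
        if any(covers(p, r) for p in rules[:i]):
            errors.append((i, "shadowed by an earlier rule"))
            continue
        if (r.action == "allow" and r.src == external_src
                and (r.port is None or r.port in MS_PORTS)):
            svc = r.port if r.port is not None else "any service"
            errors.append((i, f"Microsoft service reachable from outside: {svc}"))
    return errors

# Constructed sample rule-set (first match wins, last rule cleans up).
SAMPLE_RULES = [
    Rule("any", "dmz_web", 443, "allow"),
    Rule("branch_net", "file_srv", 445, "allow"),     # internal SMB, fine
    Rule("any", "file_srv", 445, "allow"),            # SMB open to the world
    Rule("any", "legacy_host", None, "allow"),        # every service, incl. MS
    Rule("branch_net", "legacy_host", 3389, "allow"), # shadowed by the rule above
    Rule("any", "any", None, "deny"),
]
SAMPLE_OBJECTS = {"dmz_web", "file_srv", "branch_net", "legacy_host"}
```

Running `find_errors(SAMPLE_RULES)` reports rules 2, 3 and 4, and `complexity(SAMPLE_RULES, SAMPLE_OBJECTS, 3)` gives 13 for a three-interface firewall.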

Dr. Avishai Wool is CTO of AlgoSec, a network security policy management company.
