Firewalls can either be software or hardware, though it’s best to have both. A software firewall is a program installed on each computer and regulates traffic through port numbers and applications, while a physical firewall is a piece of equipment installed between your network and gateway.
Packet-filtering firewalls, the most common type of firewall, examine packets and prohibit them from passing through if they don’t match an established security rule set. This type of firewall checks the packet’s source and destination IP addresses. If packets match those of an “allowed” rule on the firewall, then it is trusted to enter the network.
Packet-filtering firewalls are divided into two categories: stateful and stateless. Stateless firewalls examine packets independently of one another and lack context, making them easy targets for hackers. In contrast, stateful firewalls remember information about previously passed packets and are considered much more secure.
While packet-filtering firewalls can be effective, they ultimately provide very basic protection and can be very limited—for example, they can't determine if the contents of the request that's being sent will adversely affect the application it's reaching. If a malicious request that was allowed from a trusted source address would result in, say, the deletion of a database, the firewall would have no way of knowing that. Next-generation firewalls and proxy firewalls are more equipped to detect such threats.
Next-generation firewalls [NGFW] combine traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, it includes deep packet inspection [DPI]. While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data. Learn about Forcepoint NGFW here.
Proxy firewalls filter network traffic at the application level. Unlike basic firewalls, the proxy acts an intermediary between two end systems. The client must send a request to the firewall, where it is then evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful and deep packet inspection to detect malicious traffic.
Network address translation [NAT] firewalls allow multiple devices with independent network addresses to connect to the internet using a single IP address, keeping individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can't capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.
Stateful multilayer inspection [SMLI] firewalls filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFW firewalls, SMLI also examine the entire packet and only allow them to pass if they pass each layer individually. These firewalls examine packets to determine the state of the communication [thus the name] to ensure all initiated communication is only taking place with trusted sources.
What is Systems Hardening?
Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vector s and condensing the system’s attack surface. By removing superfluous programs, accounts functions, applications, ports, permissions, access, etc. attackers and malware have fewer opportunities to gain a foothold within your IT ecosystem.
Systems hardening demands a methodical approach to audit, identify, close, and control potential security vulnerabilities throughout your organization. There are several types of system hardening activities, including:
Application hardening
Operating system hardening
Server hardening
Endpoint hardening
Database hardening
Network hardening
Although the principles of system hardening are universal, specific tools and techniques do vary depending on the type of hardening you are carrying out. System hardening is needed throughout the lifecycle of technology, from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning. Systems hardening is also a requirement of mandates such as PCI DSS and HIPAA, and is increasingly demanded by cyber insurers.
Default and hardcoded passwords
Passwords and other credentials stored in plain text files
Unpatched software and firmware vulnerabilities
Poorly configured BIOS, firewalls, ports, servers, switches, routers, or other parts of the infrastructure
Unencrypted network traffic or data at rest
Lack, or deficiency, of privileged access controls
How do you Harden a System?
You harden a system by reducing the “attack surface,” the combination of all the potential flaws and backdoors in technology can be exploited by threat actors. These vulnerabilities can occur in many ways. Common attack surface vulnerabilities include:
- Default passwords – Attackers can leverage automated password crackers to guess the defaults. The attack surface this presents could be large if the same defaults are used across many different endpoints--from desktops to IoT--or accounts.
- Hardcoded passwords and other credentials stored in plain text files can increase the attack surface in a couple important ways. If they are forgotten in deployed code or otherwise publicly exposed, the hardcoded credentials can provide a backdoor into the organization.
- Unpatched software and firmware vulnerabilities are historically one of the biggest contributors to attack surfaces. While patching will mitigate a vulnerability, patches are not always available as in the case of zero day threats. Moreover, some patches may be too disruptive to implement or not economically feasible.
- Lack, or deficiency, of privileged access controls. With the expansion of the cloud and all things digital transformation privileged accounts and access has exploded. The privileged account attack surface is not just humans and employees, but also increasingly involves machines and vendors. In cloud environments, privileged access and accounts may be dynamic and ephemeral, further complicating efforts to gain visibility and control over this massive risk.
- Poorly configured BIOS, firewalls, ports, servers, switches, routers, or other parts of the infrastructure. With the strong growth in cloud and hybrid infrastructure, IT environments are becoming increasingly complex. This complexity is fertile ground for misconfigurations not only can cause systems to crash or misfire, but also can create dangerous security holes. Misconfigurations like open ports have resulted in some of the worst cloud breaches in recent years, such as by inadvertently exposing data buckets or providing publicly accessible backdoors to critical infrastructure
- Unencrypted, or inadequately encrypted, network traffic or data at rest can make it easy for attackers to access data or eavesdrop on conversations and access and potentially gain important information [such as passwords] needed to advance an attack.
Additionally, the Center for Internet Security [CIS] maintains updated guidelines on their site around best practice system configurations for specific use cases. The CIS Benchmarks include over 100 guidelines across 25 vendor product families [Amazon Linux, Amazon AWS, Apple iOS, Apple macOS, Checkpoint Firewall, Cisco, Docker, Google Cloud, Microsoft Azure, etc.].
10 Best Practices for Systems Hardening
The type of hardening you carry out depends on the risks in your existing technology, the resources you have available, and the priority for making fixes.
Audit your existing systems: Carry out a comprehensive audit of your existing technology[you can use]. Use penetration testing, vulnerability scanning, configuration management, and other security auditing tools to find flaws in the system and prioritize fixes. Conduct system hardening assessments against resources using industry standards from NIST, Microsoft, CIS, DISA, etc.
Create a strategy for systems hardening: You do not need to harden all of your systems at once. Instead, create a strategy and plan based on risks identified within your technology ecosystem, and use a phased approach to remediate the biggest flaws.
Patch vulnerabilities immediately: Ensure you have an automated and comprehensive vulnerability identification and patching system in place. Systematically identify vulnerabilities and prioritize remediation. In some instances, vulnerabilities cannot be patched. In these instances, ensure there are other mitigations in place, such as removing admin rights—which many exploits need in order to exploit a vulnerability, and/or have cyber insurance in place.
Network hardening: Ensure your firewall is properly configured and all rules are regularly audited; secure remote access points and users; block any unused or unneeded open network ports; disable and remove unnecessary protocols and services; implement access lists; encrypt network traffic.
Server hardening: Put all company hosted servers in a secure datacenter; never test hardening on production servers; always harden servers before connecting them to the internet or external networks; avoid installing unnecessary software on a server; segregate servers appropriately; ensure superuser and administrative shares are properly set up, and rights and access are limited in line with the principle of least privilege. With cloud environments, it is also particularly important to reduce port exposure so data is not inadvertently leaked, or backdoor access provided to infrastructure.
Endpoint hardening: Remove local admin rights on all Windows and macOS endpoints. Ensure no workstations, laptops, or IoT have default passwords. Remove any unneeded software and block any unnecessary communications.
Application hardening: Remove any components or functions you do not need; restrict access to applications based on user roles and context [such as with application control]; remove all sample files and default passwords. Application passwords should then be managed via an application password management/privileged password management solution, that enforces password best practices [password rotation, length, etc.]. Hardening of applications should also entail inspecting integrations with other applications and systems, and removing, or reducing, unnecessary integration components and privileges.
Database hardening: Create admin restrictions, such as by controlling privileged access, on what users can do in a database; turn on node checking to verify applications and users; encrypt database information—both in transit and at rest; enforce secure passwords; introduce role-based access control [RBAC] privileges; remove unused accounts;
Operating system hardening: Apply OS updates, service packs, and patches automatically; remove unnecessary drivers, file sharing, libraries, software, services, and functionality; encrypt local storage; tighten registry and other systems permissions; log all activity, errors, and warnings; implement privileged user controls.
Eliminate unnecessary accounts and privileges: Enforce least privilege by removing unnecessary accounts [such as orphaned accounts and unused accounts] and privileges throughout your IT infrastructure. This is one of the most powerful security practices for reducing the attack surface.
Benefits of Systems Hardening
Systems hardening requires continuous effort, but the diligence will pay off in substantive ways across your organization via:
Enhanced system functionality: Since fewer programs and less functionality means there is less risk of operational issues, misconfigurations, incompatibilities, and compromise.
Significantly improved security: A reduced attack surface translates into a lower risk of data breaches, unauthorized access, systems hacking, or malware.
Simplified compliance and auditability: Fewer programs and accounts coupled with a less complex environment means auditing the environment will usually be more transparent and straightforward.