With greater visibility comes increased response

As our manager tests an advanced firewall, several events that would have gone undetected come to light.

I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.

Not wanting to disrupt business operations, I tested the device on a SPAN port that monitors traffic in and out of our network and in between. When I say "in between" I'm referring to a SPAN port that monitors traffic between the corporate network and our data center. That placement gave us visibility into attacks originating internally against our internal data center resources. (If we decide to purchase the PAN firewall or something similar, we'll move it in-line and replace our current firewall.)

Lacking a 24/7 security operations center (someday maybe?), I set up the firewall to forward email alerts for events that I think are indicative of compromise. One thing I was very interested in was detecting threats against our source code repository, which I consider one of the five most critical assets in our organization. Sure enough, earlier this week I received an alert that an SSH brute-force attack against the server containing our source code had been detected. This alert triggers when more than 20 login attempts are made within 60 seconds.

We tracked down the source of this attack and learned that it wasn't really an attack at all. Rather, one of our software engineers had recently changed his Windows domain password, which is used to log into our source code repository, but never changed some scripts he had in PhpStorm, a utility to edit PHP code. One script kept trying to log into the repository with his previous credentials, which of course didn't work, and the multiple attempts appeared to be a brute-force attempt from his PC. Although this was a false positive, I'd still prefer to know when this sort of thing is happening. And it seems clear that if we do get hit with a real brute-force attack, the firewall will let us know about it.

I also like that the firewall can easily detect BitTorrent traffic, which carries all sorts of security and legal problems but is also a prodigious consumer of bandwidth. We got a ping about this as well, and once again we traced the problem to a software engineer's PC. He swore he wasn't using BitTorrent, but a review of his PC turned up an installation of Popcorn Time, which is an open-source BitTorrent client that serves as a cost-free alternative to services such as Netflix. The engineer likes to stream movies during late-night product releases. He just hadn't thought of it as BitTorrent. After I recited our objections to such software, he promised to stop using Popcorn Time. Then I figured that if a software engineer could make that mistake, I should do a little companywide education. I will include a warning in my next quarterly security awareness email to remind employees of the policy against using apps such as Torrents, remote control software such as LogMeIn and hacking software, which I've also received alerts about, when someone downloaded Nessus and decided to scan our data center.

Next up was something more serious, a critical alert regarding Rig Exploit Kit detection. The Rig Exploit Kit has been around for a little over a year and is a highly configurable piece of malware able to deliver various types of attacks, including Cryptolocker, which encrypts data on a PC and can't be undone without paying a ransom. We ran our antivirus client and an independent malware detection tool on the PC in question, but neither came up with anything. Still, though, the firewall was flagging the PC as infected. We couldn't risk it, and we didn't have the time to conduct a deep forensic analysis of the PC, so I had our IT department wipe the PC and reimage. Naturally, the user was upset about the inconvenience, but after I explained the potential for harm, she understood. Was this another false positive? I don't know, but all in all I'd rather play it safe. And I'm glad we had a tool that could warn us about the problem.

Other events amounted to little more than noise, since they were all things that we really can't do anything about: SQL injection attempts, cross-site scripting, efforts to obtain the /etc/passwd file, port scans, and multiple authentication attempts against applications that we expose to the Internet. Those are things that I consider the cost of doing business on the Internet, where the entire world could be an adversary. We don't really need a new-generation firewall to tell us about them, but I don't object to having the reminders.

But the other alerts, even the false positives, affirm my defense-in-depth strategy and my focus on hardening our outer shell and inner core. I think a new firewall is in my future.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Click here for more security articles.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags palo alto networkssecurityfirewall

More about 24/7ClickLogMeInNetflixPalo Alto NetworksSPANSSH

Show Comments