This guide explains the importance of firewalls, whitelisting and blacklisting as part of your IT security controls, so that you can protect your systems and deepen your understanding of the topic as an IT professional.
In this resource we also cover the key differences between whitelists and blacklists, and why it is important that your security monitoring platform includes a way to whitelist or blacklist IPs internally.
Why Are Firewalls So Important For Cybersecurity?
One of the most important security safeguards is controlling the traffic that attempts to reach your network: if an unauthorised person or threat actor cannot reach a resource, they cannot compromise it. The main advantage of a firewall is that it blocks unauthorised users and traffic that could harm your systems.
A firewall acts as an essential barrier between the public network (the internet) and the local network (your devices). It can block incoming traffic that is attempting to break into your devices, and it can also filter web traffic, email and even geo-specific traffic from countries you have blocked.
Organisations can implement firewalls in software, in hardware, or with a combination of both. In general, a firewall policy can be set to block all traffic, both incoming and outgoing (also referred to as ingress and egress traffic).
Network administrators then set filtering policies within each firewall that specify which packets and which traffic behaviour are allowed. The policies that can be set, and what each firewall can filter, depend on the type of firewall used. Types of firewalls include: packet filtering, circuit-level gateway, proxy, stateful inspection and next-generation firewalls (NGFW).
The importance of a robust firewall cannot be overstated when malware and ransomware attempt to access your system. In such situations it is worth knowing that, simply because a firewall blocks their command-and-control traffic, some ransomware variants will delete themselves from your system before doing any damage. They do not want to take the risk that your service is a honeypot and that you end up decoding their exploit. Having a firewall in place is therefore a very easy way to lower your risk of becoming a ransomware victim.
Firewall Log Management
In addition to using firewalls as a security measure, further measures must be taken to protect the firewalls themselves. One of the most important safeguards is proactive log management and log analysis. Firewall logs can alert security administrators that a threat actor is attempting to bypass your controls. The CISSP common body of knowledge (CBK) lists the following firewall log events to focus on in the event of an attempted breach:
- Failure to start
- Runtime errors
- Unusual probes
- Configuration changes
- Failed login attempts
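As an added example, not part of this article or of Logit.io, the Python below turns the "unusual probes" item in that list into a concrete check: it parses constructed iptables-style DROP records and flags any source whose dropped packets touched many distinct destination ports. The log format, the FW-DROP prefix and the threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical addresses, iptables-style DROP records).
SAMPLE_LOG = """\
Jun  1 10:00:01 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=22
Jun  1 10:00:01 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=23
Jun  1 10:00:02 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=445
Jun  1 10:00:02 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=3389
Jun  1 10:00:03 fw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=8080
Jun  1 10:00:09 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=443
Jun  1 10:00:10 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=443
"""

# Matches the assumed record layout: the drop marker, then SRC=<ip> ... DPT=<port>.
DROP_RE = re.compile(r"FW-DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_drops(log_text):
    """Yield (source IP, destination port) for each DROP record; lines that do not parse are skipped."""
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))

def find_probes(log_text, min_ports=4):
    """Return {source: sorted ports} for sources that hit at least `min_ports` distinct blocked ports.

    One host touching many closed ports is the classic probe pattern; a host
    retrying a single port is usually a misconfiguration rather than a scan."""
    ports_by_src = defaultdict(set)
    for src, dpt in parse_drops(log_text):
        ports_by_src[src].add(dpt)
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}
```

Running `find_probes(SAMPLE_LOG)` reports only 198.51.100.7, which touched five different ports, while the host that merely retried port 443 is left alone.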
The Key Differences Between Whitelists & Blacklists
Understanding the role that whitelists and blacklists play in cybersecurity is essential for every engineer who controls access to sensitive data and systems.
Consider a traditional environment: a network with two servers on an open, basic network segment.
As soon as those servers are plugged in they can reach each other, so anything they want to send to each other crosses the network. All traffic is allowed to pass, and whether it is good or bad traffic makes no difference.
If we then decide that there is one type of flow we do not want to allow, we have to go in and set a specific rule to blacklist that flow.
This is one of the standard ways networks have been built over the years. Thought through over the long term, it means that the more threats and issues we could run into in an environment, the more rules we have to build to blacklist each of them specifically.
This quickly becomes very complex, and it is the reason why, over time, an access control list or firewall rule set can grow extremely large and start weighing down the performance of the devices in the infrastructure.
We can then take the same network and the same two servers and look at what a whitelist model would look like. In a whitelist-based setup the default is that all traffic is blocked: when we plug the two servers in, no traffic gets through until we set specific policies that permit it.
To allow any traffic to pass we now have to write a rule stating that server A may talk to server B, and only then can that traffic flow. Everything else cannot pass until we write a very specific rule that allows it through.
Whitelisting lets us write a much more efficient set of rules. Instead of allowing everything except the traffic we know to be problematic, this model blocks everything and only passes the traffic we explicitly allow by writing a rule for it.
Whitelisting allows us to be far more efficient in how we handle traffic. The main downside of this approach is that, to use a whitelist model, you first need a good understanding of what your policies should be before you can start writing those rules.
What is IP Whitelisting?
IP whitelisting allows you to create lists of trusted IP addresses and ranges from which your users can access your domains. It is a security feature often used to limit and control access so that only trusted users get in.
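To make the two models above concrete, here is an added example (not code from the article or from Logit.io) that evaluates the same flows under a blacklist policy (default allow) and a whitelist policy (default deny). It also covers the IP whitelisting idea just described, because each rule matches on CIDR ranges; the server addresses, ports and the FW-style rule shape are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port

@dataclass(frozen=True)
class Rule:
    src_net: str                 # CIDR matched against the flow's source
    dst_net: str                 # CIDR matched against the flow's destination
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == flow.dport))

def blacklist_decision(deny_rules: List[Rule], flow: Flow) -> str:
    """Blacklist model: default allow; traffic is dropped only if a deny rule matches."""
    return "deny" if any(r.matches(flow) for r in deny_rules) else "allow"

def whitelist_decision(permit_rules: List[Rule], flow: Flow) -> str:
    """Whitelist model: default deny; traffic passes only if a permit rule matches."""
    return "allow" if any(r.matches(flow) for r in permit_rules) else "deny"

# Constructed sample (hypothetical addresses): server A and server B from the article,
# plus a third host that neither rule set was written with in mind.
SERVER_A, SERVER_B, UNKNOWN = "10.0.0.10", "10.0.0.20", "10.0.0.99"
# Blacklist: one rule, written after a bad telnet flow was noticed.
DENY_RULES = [Rule(UNKNOWN + "/32", SERVER_B + "/32", 23)]
# Whitelist: one rule permitting exactly the A -> B traffic the business needs.
PERMIT_RULES = [Rule(SERVER_A + "/32", SERVER_B + "/32", 443)]

FLOWS = [
    Flow(SERVER_A, SERVER_B, 443),   # the traffic we actually want
    Flow(UNKNOWN, SERVER_B, 23),     # the flow the blacklist rule was written for
    Flow(UNKNOWN, SERVER_B, 3389),   # a new flow nobody anticipated
]

def compare(flows: List[Flow]) -> dict:
    """Map each flow to its (blacklist, whitelist) decision so the two models can be compared."""
    return {(f.src, f.dst, f.dport): (blacklist_decision(DENY_RULES, f),
                                      whitelist_decision(PERMIT_RULES, f))
            for f in flows}
```

The third flow is the point of the comparison: the blacklist lets it through because nobody wrote a rule for it, while the whitelist denies it by default.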
Why Is Firewalling Important For Your Security Or Log Management Platform?
When analysing your firewall logs within a security and analysis platform, you will want to make sure that this platform is itself secured against unauthorised access.
A log management platform such as the one provided by Logit.io allows users to configure Firewall Groups to protect and secure their hosted Logstash endpoints. From there you can create a new Logstash Firewall Group and add the IP ranges you wish to firewall. Setting firewall groups within the Logit.io platform improves security by restricting the IP addresses that can send data to specific ports on your stacks.
Logit.io works alongside your cybersecurity engineers by providing a platform that lets you monitor all firewall logs in one centralised and fully secured place.
The Logit.io platform also allows you to correlate security logs in order to build reporting dashboards and carry out analysis that detects unusual activity within your network.