Wednesday, June 17, 2020

Host-Based Firewalls - A Possible Nightmare for IT Pros

With the increase in remote work during Covid-19, clients are now more independent, and their laptops and mobile phones are being used for personal as well as organizational purposes. Not only workers but also computers and data are now outside the organization and beyond most of its protection layers, such as the firewall and IPS. Vulnerabilities and attacks continue to surface, while remote users' connections and VPNs also make it harder for IT teams to patch and protect the clients.


Host-based firewalls help security professionals in many ways. First, they control incoming and outgoing traffic, which makes them a very critical defense layer. For example, security pros may want to block all inbound connections to the client host that are initiated from outside. This is a very basic protection against some kinds of malware.


Some sensitive applications, like SWIFT, should be isolated from the rest of the organization's network. But creating VLANs for only a few PCs or servers is sometimes not an effective solution. In situations like that, host-based firewalls are true saviors: these sensitive PCs and servers can be isolated with host-based firewall rules. Since most antivirus agents also include a host-based firewall feature, this solution becomes easier and more logical.


Meanwhile, organizations should not make a habit of it. In large organizations with thousands of PCs and servers, this kind of isolation on host-based firewalls can easily turn into a nightmare, since hundreds of rules have to be written. If these rules are not tracked properly, and with turnover in the administration team, a mix of conflicting rules can harm PCs and the network more than it protects them. Inevitably, every rule added for each small group makes the rule list more complex, and it becomes more likely that a mistake is made while adding new rules.


So, even though host-based firewalls are important and valuable solutions, they should be used only as needed, and should not become the regular solution for every isolation need.
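The two ideas above (a default inbound block on the client, and isolating one sensitive host with a short allow list) can be expressed directly with the built-in Windows firewall. This is an added example, not code from the post; the management subnet 10.0.0.0/24 and the rule group name "Isolated-Sensitive-Host" are constructed placeholders.

```powershell
# Added example (not from the post): isolate one sensitive Windows host with the
# built-in firewall. The subnet and group name below are constructed placeholders.
$MgmtSubnet = "10.0.0.0/24"
$Group      = "Isolated-Sensitive-Host"

# 1. Default posture on every profile: drop unsolicited inbound, allow outbound.
#    This is the "block all inbound initiated from outside" baseline.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove anything this script created earlier so re-runs stay idempotent
#    (one of the ways rule lists grow into the "nightmare" is never cleaning up).
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Explicit allow list: only the management subnet may reach RDP and SMB.
#    Windows Firewall has no rule ordering, so keep allow rules narrow; a broad
#    "Allow any" rule added later would silently reopen the host.
New-NetFirewallRule -DisplayName "Mgmt RDP" -Group $Group -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Profile Domain
New-NetFirewallRule -DisplayName "Mgmt SMB" -Group $Group -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress $MgmtSubnet -Profile Domain

# 4. Audit: every enabled inbound allow rule that is open to ANY remote address.
#    On an isolated host this should be empty, or only contain agent rules
#    (AV, management client) that were consciously accepted.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains "Any" } |
    Select-Object DisplayName, Group, Profile

# 5. Track rule-list growth over time; a rising count is an early warning.
"Enabled rules on this host: $((Get-NetFirewallRule -Enabled True).Count)"
```

Run it from an elevated PowerShell session; step 4 is the part worth scheduling periodically, since it surfaces the overly broad allow rules that accumulate as administrators come and go.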

Monday, June 8, 2020

"MUST" Practices for AntiVirus

Last week, I heard that an organization did not add an antivirus agent to their PC image. They format the PC with their image, then connect it to the network and wait for SCCM to install the antivirus software on the PC. Also, for remote users working in the field, some contracted partners format the PCs since these users cannot come to the company; they then join the network via VPN after formatting and keep working. Meanwhile, the IT team is waiting for SCCM to install the antivirus software, but because of the VPN network, most of the time it fails. The PC keeps working on the network for days.

While I was sharing this situation with some friends in the industry, some of them said that it is a normal process for organizations. So, I wanted to write this article.

A few months ago, I shared a post about the fall of AV. It is true that AV software has not been very effective in recent years. There are many other measures that need to be taken to protect endpoints. However, most of these measures are for APT attacks. As everyone says, and as I also touched on in that article, attackers' profiles and techniques have changed a lot since the times when AV was popular and successful. But, despite all of this, nobody can say that AVs are not necessary anymore. Organizations do not only face attackers using highly advanced techniques and tools. There are still many script kiddies and people trying to learn hacking. These people are always looking for easy vulnerabilities to exploit, and there is a very good chance they find you.

Another point about AV: because of the hash databases they download, they can protect users from many malicious events even while the users are offline or not connected to the office.

Moreover, most AV software is improving itself with behavioral and AI capabilities, so it can also detect and stop some phases of an APT attack.

I am also curious about your comments, but my opinion is that AV is still indispensable for all organizations. So, I want to share some best (must) practices for using AV in an organization:

        - AV software should be installed on all devices. Clients should be checked periodically for whether they have AV on them or not. If possible, a NAC solution should be deployed and PCs that do not have AV should be blocked.

        - The AV solution should be centrally managed, so that updates can be managed centrally and out-of-date clients can be tracked.

        - Administrators should make sure all clients are sending logs properly. This is very important for responding to a suspicious situation quickly.

        - AV software should be updated periodically. Meanwhile, administrators should also make sure that all clients are receiving the latest updates properly.

        - AV software should be included in the regular PC and server images. When a PC is formatted and re-installed, it should include AV before connecting to the network.

        - Users should not be able to disable the AV services and agent. Tamper protection and an uninstall password should be used, and the password should be stored in a password management system.

        - Malicious files should be blocked and quarantined so they can be analyzed by the administrators.

        - Audit logs should be collected properly. Administrators should log in to the software only with their own usernames. Generic usernames should not be used.

        - Too many exceptions should not be granted. If needed, exceptions should be granted only as stated by the vendors.

        - If the AV agent includes a host-based IDS, it should be enabled.
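Several of the items above (AV present on the client, signatures current, tamper protection on, exclusions kept few) can be checked on each Windows client and reported back to the management console. This is an added example, not code from the post; it uses Microsoft Defender's cmdlets and the Security Center WMI class, and the 3-day signature age limit is an assumed threshold, not a vendor value.

```powershell
# Added example (not from the post): per-client AV compliance check for the
# "must" list. Assumes Microsoft Defender; the 3-day limit is an assumption.
$MaxSignatureAgeDays = 3
$Findings = New-Object System.Collections.Generic.List[string]

# Item 1: is any AV product registered at all? (Security Center, client Windows only)
$Products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
            -ErrorAction SilentlyContinue
if (-not $Products) { $Findings.Add("No antivirus product registered on this host") }

# Items 4 and 6: fresh signatures, real-time protection and tamper protection on.
try {
    $Status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $Status.AMServiceEnabled)         { $Findings.Add("Defender AM service is disabled") }
    if (-not $Status.RealTimeProtectionEnabled) { $Findings.Add("Real-time protection is off") }
    if (-not $Status.IsTamperProtected)        { $Findings.Add("Tamper protection is off") }
    $Age = (Get-Date) - $Status.AntivirusSignatureLastUpdated
    if ($Age.TotalDays -gt $MaxSignatureAgeDays) {
        $Findings.Add("Signatures are $([int]$Age.TotalDays) days old")
    }
} catch {
    $Findings.Add("Get-MpComputerStatus unavailable: Defender not present or not active")
}

# Item 9: exclusions should be few and vendor-documented; surface them for review.
try {
    $Prefs = Get-MpPreference -ErrorAction Stop
    if ($Prefs.ExclusionPath) {
        $Findings.Add("Path exclusions present: $($Prefs.ExclusionPath -join ', ')")
    }
} catch { }

# Item 3: emit a machine-readable result the management tool can collect as a log.
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Checked   = (Get-Date).ToString("o")
    Compliant = ($Findings.Count -eq 0)
    Findings  = @($Findings)
} | ConvertTo-Json -Compress
```

Deploy it through the same management channel as the agent (for example as a scheduled task or configuration baseline), so that a host that came back from a partner's re-image without AV shows up as non-compliant on its first check-in instead of working on the network for days.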


A Sad Story: Don't Invest, Just Prodigalize

Last week, a friend called me and gave me some bad news about a company. The company was looking for help since they had become a victim of Egregor ra...