IT staff know that firewalls are necessary to protect internal corporate digital assets from the public Internet, but implementing the right one with the right policies can be a challenge to an inexperienced system administrator. The wrong firewall configuration can cause massive damage to the business when an attacker is able to bypass cybersecurity defenses. Using the Kipling Method with a segmentation firewall can improve cybersecurity defenses and change network architecture to a true zero-trust system.
What is the Kipling Method?
The Kipling Method simply asks who, what, where and how whenever a resource requests access to data. A resource could be a user, an application, or another machine on the network. Any access from any source should be monitored, and the Kipling Method defines the data that should be logged. With this data, a system administrator can perform forensics during an ongoing attack, or the data can be fed to artificial intelligence (AI) intrusion detection services to stop an attack.
Using the Kipling Method, system administrators have a map of information that must be logged and reviewed for every digital asset. This method can be applied to firewall configurations when system administrators decide how to segment and monitor traffic. Since firewalls are responsible for the traffic allowed within a network segment, it’s imperative that configurations are set up correctly to ensure that the wrong traffic can’t “bleed” into segments with sensitive data.
Why Segment the Network?
In a zero-trust network environment, every resource and user is considered a threat. To protect against eavesdropping and privilege abuse, the network is segmented based on department functions. The importance of network segmentation can be demonstrated by the Target data breach in 2013.
Target suffered a data breach from several cybersecurity blunders, but the breach began with a successful phishing attack on one of Target’s HVAC contractors, which had access to the local network. Using a standard, basic phishing attack, the attackers stole the contractor’s network credentials and then used them to gain access to network resources.
With the stolen credentials, attackers were able to traverse the network and install malware on point-of-sale (POS) systems. On the internal network, attackers found that the payment systems were located on the same segment as other traffic. This mistake gave attackers access to payment system data, which was passed unencrypted across the local network, and facilitated the theft of millions of credit card numbers from Target customers. The breach cost Target $145 million in legal fees, settlements, and brand damage.
Instead of allowing all traffic on one large network, firewall segmentation should separate resources based on work function. For example, the finance department should have its own segment, servers should have their own segment, and the sales department should also have its own segment. With these segments in place, firewall rules can follow the Kipling Method of logging every request for resources with enough information to support a thorough forensic investigation after a breach.
Segmenting the network also stops eavesdropping by insider threats. An employee on the network could run software that intercepts traffic and steals data from transactions, but with segmentation any attacker who steals credentials is limited to a particular network segment by the firewall rules, and the firewall’s logging would trip notifications on an intrusion detection system.
Layer 3 versus Layer 7 Firewall Segmentation
Firewalls monitor and block traffic based on data presented in layers. These layers are defined using the Open Systems Interconnection (OSI) model. Each layer in the OSI model contains information about a resource or application, and all network hardware and software applications run on a specific layer. Firewalls run on layer 3 (the network layer) or layer 7 (the application layer).
Traditionally, older firewalls run on layer 3 of the OSI model. Layer 3 contains packet information. Data transferred with TCP/IP contains specific information on each packet that a layer 3 firewall logs. The three main data points logged on a layer 3 network firewall are IP address, port and protocol. An IP address can be spoofed, and attackers frequently scan a firewall for all common ports to identify which are open. The protocol is not useful information other than identifying the “language” between two resources during communication. An administrator can block protocols, but it’s more common to block the port for unwanted applications.
Layer 7 firewalls base logging and statistics on the application layer of the OSI model. Application layer firewalls can retrieve and process a greater amount of data from network traffic. Because of the additional information, the segmentation firewall can better handle traffic, filter it when needed, and alert administrators when suspicious traffic is blocked.
Using newer layer 7 firewall technologies, an administrator can also implement the Kipling Method. An application layer firewall will log the user account, the application used to request data, the time at which the request came in, the type of device used (e.g., a workstation or other network resource), the classification of the data requested, and the content ID for the resource. It should be noted that application layer firewalls have powerful logging mechanisms, but it’s up to the administrator to configure them properly. Just like a layer 3 firewall, an application layer firewall can be misconfigured, rendering it incapable of filtering the wrong traffic and allowing the right traffic.
Think of a layer 3 firewall as a basic “yes or no” network resource that allows or disallows traffic based on basic information. For instance, a system administrator can use a layer 3 firewall to open port 80 to a web server. However, a layer 7 firewall will examine the data within traffic packets and allow or disallow a request based on the packet’s content. An administrator could use both firewalls based on the type of filtering needed. For a perimeter firewall that must block all public traffic, a layer 3 firewall will suffice, but an application layer firewall would be necessary for more granular filtering.
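As an added example (not from the original article), the following Python script applies the department-based segmentation policy and the Kipling logging fields described above to a few constructed layer 7 firewall log lines, showing what a layer 3 check (IP, port, protocol) catches versus what only the application layer sees. The segment addresses, rule tables, application names and log lines are all invented for illustration.

```python
import ipaddress
# Constructed department segments (addresses invented for this example).
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
    "pos": ipaddress.ip_network("10.40.0.0/24"),
    "vendor": ipaddress.ip_network("10.90.0.0/24"),
}
# Layer 3 view: allowed (port, protocol) per segment pair; anything else is denied.
L3_RULES = {
    ("finance", "servers"): {(443, "tcp")},
    ("pos", "servers"): {(443, "tcp")},
    ("vendor", "servers"): {(443, "tcp")},
}
# Layer 7 view: applications allowed inside those flows (hypothetical app names).
L7_RULES = {
    ("finance", "servers"): {"erp", "mail"},
    ("pos", "servers"): {"payment-gateway"},
    ("vendor", "servers"): {"hvac-portal"},
}
# Kipling fields every entry must carry: when, who, where (src/dst), how, what.
REQUIRED = ("ts", "user", "src", "dst", "port", "proto", "app")

def segment_of(addr):
    return next((n for n, net in SEGMENTS.items() if ipaddress.ip_address(addr) in net), None)

def evaluate(line):
    """Return findings for one key=value log line; an empty list means clean."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    missing = [f for f in REQUIRED if f not in rec]
    if missing:
        return ["incomplete Kipling record, missing " + ",".join(missing)]
    pair = (segment_of(rec["src"]), segment_of(rec["dst"]))
    findings = []
    # Layer 3 decision uses only IP, port and protocol.
    if (int(rec["port"]), rec["proto"]) not in L3_RULES.get(pair, set()):
        findings.append(f"L3 violation {pair[0]}->{pair[1]} {rec['proto']}/{rec['port']}")
    # Layer 7 decision also inspects which application the flow carries.
    if rec["app"] not in L7_RULES.get(pair, set()):
        findings.append(f"L7 violation {rec['user']} used {rec['app']} {pair[0]}->{pair[1]}")
    return findings

# Constructed log lines: a normal contractor session, the same account straying into the
# POS segment, a finance user running an unexpected app over an allowed port, a bare L3 entry.
LOGS = [
    "ts=2024-01-10T02:10:00Z user=hvac-contractor src=10.90.0.7 dst=10.30.0.5 port=443 proto=tcp app=hvac-portal",
    "ts=2024-01-10T02:14:00Z user=hvac-contractor src=10.90.0.7 dst=10.40.0.9 port=443 proto=tcp app=smb",
    "ts=2024-01-10T09:00:00Z user=alice src=10.10.0.4 dst=10.30.0.5 port=443 proto=tcp app=ssh",
    "ts=2024-01-10T09:05:00Z src=10.10.0.8 dst=10.30.0.5 port=443 proto=tcp",
]
```

The third line is the case the article is making: a layer 3 rule passes it because the segment pair, port and protocol are permitted, and only the application layer check reports it.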
The Kipling Method helps with several cybersecurity defenses. It works together with network authorization to build a zero-trust network, which limits damage from a breach. It also defines the way firewalls should log information about traffic on the network. Firewalls should log who, what, where, when and how so that forensic investigation is easier after a breach. Using the Kipling Method along with network segmentation, an organization can avoid the same mistakes made by businesses involved in some of the biggest data breaches to date.