Escalating Cyber Danger at the Edge
It’s been a tough time for “the edge,” as threat actors have made firewall vulnerabilities a particular target over the past few months. We feel for all the major players that have been hit by compromised firewalls, and we feel even more for the organizations they protect.
But we understand … “the edge” has been declared “dead” for years. The cybersecurity hype machine has moved on to other, sexier problems, so it’s easy to ignore or dismiss vulnerabilities in firewalls and other edge devices.
Why The Edge Lives On
For a number of different reasons, some companies – and even industries – still rely on on-premises systems, and they’re not willing or able to migrate these services to the cloud.
Critical infrastructure is one of them. SCADA systems that control the operational mechanics of water lines and power grids simply can’t go anywhere. And while some old-school systems are effectively air-gapped by design or necessity, management and monitoring of these networks are increasingly interconnected with traditional IP networks – bringing security risks along with them.
It’s hard to move an entire water plant to “the cloud” (whatever that may mean), especially as OT infrastructure requires connectivity to physical resources. The same goes for a public library or a police station. Some legacy systems also present a challenge … some of those old operating systems or software platforms simply don’t have a home anywhere in the cloud.
And then there’s the issue of cost. Migrating servers, resources, or even the “edge” to any sort of cloud-based service can knock a lot of smaller businesses out of the running. Simply put, a lot of SMBs can’t afford the move, even if it makes sense strategically. I know one CIO who recently found it more cost-effective to physically dig up the ground and install fiber to their existing data centers rather than implement a dedicated SD-WAN solution.
Why Securing the Edge Is So Tricky
While the cloud has created its own unique security issues, the traditional edge has some new challenges, too.
The edge is still vulnerable to traditional scans and exploits, so traditional tools like IPS/IDS and Threat Intelligence Gateways (TIGs) are still necessary for a defense-in-depth strategy.
That said, best-of-breed next-gen firewalls that take on those roles face real challenges on the modern edge. The performance of these “do-it-all” devices can suffer when they’re required to handle deep packet inspection, VPNs, and quasi-SD-WAN functionality, all while juggling routing and complicated network segmentation. (Not to mention the major vulnerabilities discovered recently.)
And the edge is still prone to network misconfiguration and human error. Because you have human interaction with these complicated firewalls – you’re managing VPNs, you’re managing new sorts of hybrid cloud connections, etc. – you inadvertently end up doing things like punching holes in the firewall that don’t need to be there, forgetting those holes are there, and then dealing with the inevitable unfortunate consequences.
Protecting Firewalls: When the Backup Needs Backup
Our Outpost is a unique answer to some of these challenges, hiding the edge of the network and effectively reducing the public network’s attack surface to zero.
Outpost can also boost the performance of overworked next-gen firewalls by reducing their traffic load by 70 to 90 percent. Here’s how:
- Threat feeds: Our proprietary threat feeds (CINS) block known scanners, known command and control servers, and known resources.
- Rogue packet detection: The Outpost has a couple of clever tripwires that will block any reconnaissance of the public network, regardless of the nature of the traffic. This makes it nearly impossible for anyone probing the network to find your firewall (and its potential vulnerabilities).
- Scans, exploits, and other recon: Outpost can detect specific scans and exploits as they dig around looking for open ports and other holes in the firewall. When it does, it can shut them down completely, cutting off all communication between them and your network and leveraging Network Cloaking to make you all but invisible to outside attackers.
Positioned beyond the network’s edge (and beyond the firewall itself), our technology leverages:
- Autonomous threat defense that works for you so you and your team can focus on the work at hand
- Network Cloaking to turn your network dark to outside attackers
- A Threat Intelligence Gateway that blocks known threats at the door
- Enterprise-grade intrusion prevention to provide further automatic detection and protection
- Customized threat feeds that can be configured by country, ASN, or domain
- A team of security pros that are there to answer your questions and troubleshoot with you, 24/7
… And more. If you’re interested in learning how Outpost can secure your network’s edge against firewall vulnerabilities, contact one of our experts and get your questions answered by a human.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.