II. Risk of Firewall in Universities

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
Firewalls are one of the most critical devices or applications that protect universities' information systems and resources from unauthorised access or malicious attacks. To effectively utilise the security features of firewalls, accurate configuration and maintenance of rules shall be made by universities' network administrators and IT security staff in accordance with the Information Security Policy and any other applicable security standards (e.g. Acceptable Usage Standard). Inappropriate management of firewall systems may result in security flaws and risks that are unaware by the universities. Some examples are illustrated below.
 
Default or Improper Configurations

Most off-the-shelf firewall products are pre-set with default administrator login names and passwords. If they are not changed before being deployed into universities' networks, hackers may easily gain privileged access to firewalls by trying the default passwords used by popular vendors. If succeeded, hackers can modify the rule configuration and allow attacks to pass through the firewalls without notice.

Rely on default or improper firewall configuration would impose vulnerabilities on the access security as well as the effectiveness of traffic filtering function within the firewalls. As each university has its unique design of information systems and network infrastructure, firewalls may not be able to detect malicious packets or prohibited communication if the configuration is not tailor-made based on the IT security policy, procedures or standards.

Hardware or Software Failure

Firewall software or hardware is subject to accidental malfunction, deliberate sabotage or compromise. Without proper monitoring of firewall operation status by the IT operations team, such failures may go undetected for a prolonged period of time and create great exposures to both external and internal threats that harm universities' information security. 

Insecure Communication with Firewalls

In general, management of firewall configurations is performed remotely. If weak and insecure protocols are used in communication, firewall servers and applications are then vulnerable to various known exploitations that aim to compromise the communication channels and subsequently launch malicious attacks against the universities.

Conflict with Other Applications

Almost all applications with communication capabilities are created with the thought that there is no firewall in place. Moreover, the information on protocols and port numbers used by some applications are not available until they are executed. As a result, using a firewall may sometimes make certain features of the applications no longer work properly. In worse cases, the incompatibilities could result in service interruption or even loss of data.

Improper Change Management

When universities update their information security policy, procedures or standards, corresponding changes (if any) shall be made to the firewalls. Without undergoing the change process in a controlled manner, incorrect updates could be implemented, which prevents firewalls from complying with the information security requirement. Moreover, unexpected security and performance issues may arise if obsolete firewall rules are not timely removed.

Related Article

 

Keep Your Firewall Rulebase in Shape

Firewall rule which if unmanaged can leave gaping security holes, performance degradation and management issues. Firewall rules are born and modified as a result of access requests from users or IT projects. And over time, they become irrelevant - because applications, services and networks change, and users leave.

These unused or "stale" rules are a hidden menace to your firewall policy rulebase. First of all, they slow down performance - since the firewall has to scan all of the rules from the top for every traffic request. Second, they are a threat to security - they may leave access open to an unwanted visitor. And finally, they are a blow to manageability. Just like the firewall, you too need to go through the whole list of rules each time you handle a change request.

 

References: