With an up-to-date firewall, do the OSs behind the firewall pose a risk?
December 6, 2021 3:12 PM

Say you have an updated firewall, how would having older obsolete versions of operating systems behind the firewall pose a security risk?

I'm standing up my understanding of IT security. I thought that having a modern firewall would prevent most attacks from penetrating a network. Once a malicious actor is in your network, does it matter what versions of server and workstation operating systems exist behind your firewall? I'm guessing that more modern OSs would slow the attacker's advancement in your network and the attacker wouldn't be able to utilize known exploits to access the data in these various servers/databases. Older versions of operating systems might also give your attacker places to hide.
posted by Captain Chesapeake to Technology (9 answers total)
 
Mixed questions, but I will try to break it down.

The general assumption about old OSes is that they have known flaws that newer versions have fixed (e.g. macOS 12.x is worse than 12.y because we may have discovered a security flaw and patched it), and that they're worse supported or unsupported (e.g. running Windows 2000 is a bad idea because even if security holes are discovered, they're out of support and you won't get fixes for them). So:

First, the OSes behind your firewall might reach through that firewall to do things like fetch websites. Older OSes with no further security patching may have open and unfixable security vulnerabilities that can be exploited by the data they fetch. If there are inbound openings to let specific connections in to that older machine (for instance, it's a web server or fileserver), same thing.

Second, a single machine behind a perfect firewall should be safe from network attack from the outside network, give or take. Of course, we assume things like 'no one can craft a request to some other machine that will send a request to the older machine that will somehow break it'. That's harder, but it's not impossible. If your older box is on the network at all, it's there because someone wants to talk to it...

Third, if you have more than one box behind the firewall then those boxes typically have unfettered access to each other via the network. That isn't to say they can all log in to each other, but they can usually send traffic to each other. If your older box has a network vulnerability and you have malicious code on some other machine in your network behind your firewall, the old box can be attacked by that code.

This skips out on other important questions like whether you have perfect trust in everyone who has access to your network, as if you have a bad actor in your company staff, for instance, they may have reason to crack one of your old machines - but firewalls are typically not there to prevent that, so that might be out of scope.
posted by How much is that froggie in the window at 4:07 PM on December 6, 2021 [1 favorite]


To add to that, the risk is that they have vulnerabilities that are well known. Vulnerabilities like that don't exist in the current OS version for very long once we know about them, because someone fixes them and releases an update, but they exist on your box forever if you don't update it. So older OSes are a lot more vulnerable to known attacks.
posted by How much is that froggie in the window at 4:11 PM on December 6, 2021 [1 favorite]


The majority of attacks you're going to see are malware running on computers inside your network. Traditional firewalls do effectively nothing to prevent this. More sophisticated firewalls attempt to prevent it either by analyzing payloads, blocking known bad sites, or other heuristics and blocklists. But to say that these techniques are imperfect is incredibly generous. A firewall absolutely cannot be relied upon to prevent your users from getting malware on their machines. And even if it could, the moment you allow a single machine that has ever been on another network onto your network, you can make zero assumptions about what the firewall might have stopped. (Like, do you have any laptops? Do you allow personally-owned smartphones on your network? Do you let vendors, suppliers, sales people, or any other stranger connect to your network to make a presentation or something? Are you sure no one in your entire company allows that even if policy disallows it?)

I tend to be of the belief that firewalls are mostly useless at this point. Yes, you need to have them to stop the really annoying stuff, but they won't reliably block the threats that are truly devastating, like ransomware someone got because they opened an "invoice" that came from a spoofed email address of one of their colleagues.

Do not rely on firewalls to solve your OS patching issues.
posted by primethyme at 4:25 PM on December 6, 2021 [6 favorites]


Firewalls and up-to-date operating systems are protective against different classes of attack.

Firewalls will stop machines outside the firewall from initiating unauthorised contact with machines inside it, and can also be configured to block attempts by machines inside to contact selected machines outside, and they can also run intrusion detection systems that look for unusual patterns of network activity.

What they won't do is stop your fourteen year old child becoming enamoured of some bogus web game and launching it in their browser, or stop you from mistaking a well crafted phishing email for the real deal in a moment of inattention and doing something essentially equivalent, or stop your father in law from downloading and installing malware disguised as a PC performance optimizer. All of these attacks arrive in exactly the same way as completely legitimate web traffic and your firewall will never even see them.

Once you've got untrustworthy code running on a machine inside your network, the only real protection you have left is application suites and operating systems with as few active security holes as you can possibly arrange for. Because there are endless ways for that code to run command-and-control traffic in and out of your network in ways that your firewall can't block without also making your internet connection essentially useless.

Worst-case scenario is of course no firewall and a shitty old OS that exposes network services with known vulnerabilities and a browser with no ad blocker likewise. Run that configuration and it will be minutes before you've got malware running inside your LAN with zero action required on your part to have installed it.
posted by flabdablet at 4:28 PM on December 6, 2021 [3 favorites]


I'm standing up my understanding of IT security.

The very first thing you need to do, then, is get rid of all the guff that Hollywood has been busy exploiting known vulnerabilities in your own wetware to get installed inside your own head for the last fifty years. If your present mental picture of the threats against your network looks anything like a genius hacker in a basement somewhere hopping from target to flashily rendered 3D wireframe target until they get you, drop that immediately. Because that scenario is actually super rare even without the spurious SFX (and never happens at all with them).

The main thing you need for a good understanding of IT security is good threat modelling: what kinds of adversary do you face, what do they want, how do they aim to get it, why are they aiming to get it from you, and how can you tell when they have?

The overwhelmingly most common threat in 2021 is having your machines coopted as members of a bot army, where some usually fairly unobtrusive code gets installed, most often via scripts supplied by compromised advertising servers exploiting unpatched flaws in old browsers and operating systems, and periodically reaches outward through your firewall looking for further instructions from some remote commander/controller, disguising that traffic as the most banal and ordinary kind of web request so your firewall won't spot it. And once a bot gets activated, the most common thing it's going to be doing is issuing absolutely normal web traffic as far as your end's concerned.

Next most important would probably be ransomware, which is designed to exploit multiple kinds of vulnerability (including all of those noted above for bot army conscription) and propagate rapidly from machine to machine once inside an environment of mutual trust like the typical home LAN. Having a firewall between the LAN and the outside world won't stop that kind of spread either.

Sound IT security is about defence in depth. The ultimate fallback is always going to be to shut everything down and rebuild it all from clean backups, but that's work-intensive and time-consuming so you need multiple layers of threat detection and prevention to catch these things early enough to avoid it. Even so, getting some kind of reliable backup strategy squared away, where you've always got at least one known-good backup completely offline so that nothing can touch it while you're not looking, is the first thing to pay attention to before you even network your first machine.
posted by flabdablet at 4:50 PM on December 6, 2021 [1 favorite]


Best answer: Once a malicious actor is in your network, does it matter what versions of server and workstation operating systems exist behind your firewall?

You can look at attacks like WannaCry. WannaCry was able to rapidly infect and destroy an entire network of vulnerable machines once it got inside. Now, a good firewall would certainly have helped prevent it ever getting inside, but if the machines on the network had been updated, WannaCry would not have been able to effortlessly infect and crypto-lock the entire network in one go just by infecting one machine.

Certainly a persistent hacker could start with one machine and slowly work their way around to other machines using pilfered credentials and so on, but that's hard and takes time. It also might be noticed before damage was done. WannaCry was fire and forget, because entire networks of machines were all left unpatched.
posted by BungaDunga at 7:43 PM on December 6, 2021
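Two of the answers above describe traffic a perimeter firewall will not catch: a bot reaching outward on a schedule with requests that look like ordinary web traffic (flabdablet), and a worm such as WannaCry fanning out over SMB from one infected machine to every unpatched peer (BungaDunga). The following is an added example, not code from the thread or from any of the posters, showing how a defender can spot both patterns in a connection log from an internal vantage point. The log format, the 10.0.0.0/8 internal range, the host addresses and the thresholds are all assumptions made for the example; the log lines are constructed, not captured traffic.

```python
"""Added example: two detections that a perimeter firewall alone does not give you,
run over a constructed connection log.

1. Beaconing: an internal host opening outbound web connections at a near-constant
   interval (a bot polling its controller, which looks like ordinary browsing).
2. Lateral fan-out: one internal host opening 445/tcp (SMB) connections to many
   peers in a short window, the propagation pattern of a worm such as WannaCry.

The log format, hosts, internal range and thresholds are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range


class Conn(NamedTuple):
    ts: int      # seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Conn]:
    """Parse 'ts src dst dport proto' lines; blank lines and '#' comments are skipped."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport), proto))
    return conns


def find_beacons(conns: List[Conn], min_count: int = 6, max_cv: float = 0.15) -> Dict[Tuple[str, str], float]:
    """Return {(src, dst): mean_interval} for outbound web flows whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) below max_cv."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for c in conns:
        if c.proto == "tcp" and c.dport in (80, 443) and ip_address(c.dst) not in INTERNAL:
            by_pair[(c.src, c.dst)].append(c.ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            beacons[pair] = m
    return beacons


def find_smb_fanout(conns: List[Conn], window: int = 60, min_targets: int = 5) -> Dict[str, int]:
    """Return {src: distinct_targets} for hosts that contact at least min_targets
    distinct peers on 445/tcp within any `window`-second span."""
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for c in conns:
        if c.proto == "tcp" and c.dport == 445:
            by_src[c.src].append((c.ts, c.dst))
    hits: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def constructed_log() -> str:
    """Build a small connection log. Constructed data, not real traffic."""
    lines = ["# ts src dst dport proto"]
    # Bot on 10.0.0.23 polling 203.0.113.8 every 300 s with a few seconds of jitter.
    for i, j in enumerate([0, 3, -2, 1, -1, 2, 0, -3]):
        lines.append(f"{1000 + 300 * i + j} 10.0.0.23 203.0.113.8 443 tcp")
    # A person on 10.0.0.41 browsing the same site at irregular times.
    for t in (1010, 1050, 1500, 1520, 1990, 2600, 2650):
        lines.append(f"{t} 10.0.0.41 198.51.100.7 443 tcp")
    # Worm-like SMB fan-out from 10.0.0.23 to eight peers within 20 seconds.
    for k in range(8):
        lines.append(f"{3000 + 2 * k} 10.0.0.23 10.0.0.{100 + k} 445 tcp")
    # Two clients using a file server normally.
    lines.append("3100 10.0.0.41 10.0.0.5 445 tcp")
    lines.append("3400 10.0.0.42 10.0.0.5 445 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_log(constructed_log())
    for (src, dst), interval in find_beacons(conns).items():
        print(f"beacon: {src} -> {dst} every ~{interval:.0f}s")
    for src, n in find_smb_fanout(conns).items():
        print(f"smb fan-out: {src} reached {n} peers on 445/tcp")
```

The regularity test is deliberately simple (coefficient of variation of the gaps); real bots add more jitter and real users sometimes poll, so in practice the thresholds are tuned per network and the hits feed an analyst, not an automatic block. The fan-out check is the same idea that a well-placed internal firewall would enforce directly: a workstation rarely has a reason to talk to eight other workstations on SMB within a minute.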


It's important to distinguish here between servers and workstations/laptops. Firewalls are essential for server setups because any outgoing traffic should be known in advance and highly constrained. So you want to set up a firewall that will prevent unexpected incoming traffic (e.g., if it's a web server, to all ports other than 80 and maybe port 22) and also unexpected outgoing traffic (should your server be able to access random websites on the internet? Probably not, right?)

If you do this right, this reduces the attack surface drastically -- pretty much what you're left with is unpatched web server or web application bugs, and ideally the attacker is confined to that one server because the firewall isolates them from other applications too. In this case, unpatched OS bugs are an unlikely source of initial entry, but more likely would be used for privilege escalation once an attacker is in.

As others are saying, though, workstations are a different story because people use them for lots of different stuff, and no firewall can be restrictive enough to block a lot of threats while still letting people use their computers. Which brings me to another very important thing you can do if you're running servers, which is to put them as far away from your workstations as possible! Ideally on a different physical network with a firewall between them, and hopefully requiring users to regularly enter strong credentials (password + 2FA) to get from one to the other. The goal in this case is to limit the impact someone can have on critical business systems by gaining access to a workstation.
posted by goingonit at 10:57 PM on December 6, 2021 [1 favorite]
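The server policy goingonit describes (inbound only to the service ports, outbound only to what the server is known to need, default deny in both directions) is easy to state and easy to drift away from. As an added example that is not from the thread or from any poster, the block below writes that policy down as an allowlist and audits a set of observed connections against it, so anything the server did that the policy would not permit stands out. The addresses (an admin subnet, an internal resolver, an internal update mirror) and the observed flows are assumptions constructed for the example.

```python
"""Added example: audit a server's observed connections against a tight
inbound/outbound allowlist. Policy: inbound 80/tcp from anywhere and 22/tcp
from an admin subnet only; outbound DNS to one resolver and HTTPS to one update
mirror only; everything else denied. All addresses and flows are assumed.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Rule(NamedTuple):
    direction: str   # "in" (to the server) or "out" (from the server)
    proto: str
    port: int        # destination port
    peer: str        # CIDR the remote side must fall within


class Flow(NamedTuple):
    direction: str
    proto: str
    port: int
    peer: str        # remote address seen in the log


POLICY = [
    Rule("in", "tcp", 80, "0.0.0.0/0"),       # public web service
    Rule("in", "tcp", 22, "10.10.0.0/24"),    # admin jump network (assumed)
    Rule("out", "udp", 53, "10.0.0.53/32"),   # internal resolver (assumed)
    Rule("out", "tcp", 443, "10.0.0.60/32"),  # internal update mirror (assumed)
]


def allowed(flow: Flow, policy: List[Rule] = POLICY) -> bool:
    """First-match allowlist; a flow matching no rule is denied by default."""
    for r in policy:
        same_tuple = (r.direction, r.proto, r.port) == (flow.direction, flow.proto, flow.port)
        if same_tuple and ip_address(flow.peer) in ip_network(r.peer):
            return True
    return False


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Flow]:
    """Return the observed flows the policy would not permit."""
    return [f for f in flows if not allowed(f, policy)]


# Constructed observations, as a connection log on the server might show them.
OBSERVED = [
    Flow("in", "tcp", 80, "198.51.100.20"),    # web visitor: fine
    Flow("in", "tcp", 22, "10.10.0.5"),        # admin SSH from the jump net: fine
    Flow("in", "tcp", 22, "198.51.100.20"),    # SSH from the internet: not allowed
    Flow("in", "tcp", 3306, "10.0.0.41"),      # a workstation probing the DB port
    Flow("out", "udp", 53, "10.0.0.53"),       # DNS to the resolver: fine
    Flow("out", "tcp", 443, "10.0.0.60"),      # updates from the mirror: fine
    Flow("out", "tcp", 443, "203.0.113.8"),    # server fetching a random site
    Flow("out", "tcp", 25, "203.0.113.9"),     # server sending mail somewhere
]


if __name__ == "__main__":
    for f in audit(OBSERVED):
        print(f"violates policy: {f.direction} {f.proto}/{f.port} peer {f.peer}")
```

Each flagged row is one of two things: the policy is missing a legitimate need (add a rule) or the server is doing something it should not (investigate the host). The two outbound hits are the interesting ones in the spirit of the thread, because a server talking to arbitrary internet addresses is exactly the traffic an external-only firewall would wave through as normal.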


Best answer: Imagine your firewall as the guarded wall around a fortress, and it's trying to keep out not only attackers but also spies and people with diseases.

What you would want is to allow only very specific traffic into the fortress and you'd want all the buildings to be brand new, secure and staffed with highly trained, disciplined and loyal people. That'd be a network that has a well-configured firewall / perimeter and only modern, updated OSes and applications inside.

But what you describe is some of that and some "other." So, as a matter of running the fortress, you have to allow some incoming and outgoing traffic. But people inside the fortress can also invite guests, perhaps unwanted or diseased or malicious ones.

Many of your buildings inside the fortress are new, but some are older and made of very burnable wood and have easily pickable locks.

Some of your people are vaccinated against all the things they can be, and some aren't. Some are immunocompromised and can't be vaccinated or vaccines aren't effective for them.

Some of your people are smart and security savvy, some are easy to fool, and some are careless or even malicious and leave buildings unlocked or important items unguarded.

All it takes is one diseased traveler to get inside the gates to start spreading a disease. Or one attacker with a torch to burn some of the buildings, or one spy to infiltrate the inside and start setting up a ring of spies inside the gates.

In short: a firewall is just part of a healthy security diet. Could you, in theory, run an older OS without issue if it were sufficiently walled off and unable to connect to the Internet? Possibly. I've seen clients try this. It's a very, very bad idea.

Modern attacks are a mixture of approaches, only some of which involve an attacker hammering at the outside of your network trying to get in via a firewall or the most outward accessible network connections.

For example, when you're talking about databases - if an application accepts input there's a chance an attacker can own the application and then the system by exploiting a flaw in the database. Once they have a foothold there they can expand outward. Having an outdated OS / database is a flaw in the armor.
posted by jzb at 5:35 AM on December 7, 2021 [1 favorite]


The best defense is still a multi-layered defense by reducing attack surfaces at all levels, not just the outside-facing one. The firewall is an outside-facing attack surface for the Internet, but hardly the only attack surface. Social engineering, email malware, malicious flash drive drop/swap, spearphishing, and more have the potential of penetrating the firewall... or bypassing it completely. A truly malicious actor with physical access can install a tap in a network closet or behind a desk where it will sit unnoticed, bypassing the firewall completely.

I recall reading about an incident where someone connected an old console to a corporate or school network. It was reprogrammed to bypass some sort of restriction to external access.

Also, a firewall is a rules-based packet blocker. It's not a smart device like a network intrusion detection system (NIDS), which costs exponentially more as it is capable of alerting staff and, within limits, initiating some automated responses.

TL;DR -- firewall is only one part of a comprehensive SIEM framework.
posted by kschang at 10:47 AM on December 7, 2021

