News about viruses and ransomware seems to be a daily occurrence. In some cases systems are breached because of direct attacks on the system or through other means such as via email attachments or files on a USB flash drive. Typically these use a worm or bot to subvert other computers on the network by taking advantage of security holes.
Firewalls on a device such as a PC can help prevent this spread by limiting access to a device. The challenge is that some systems do not have a firewall or there are issues that prevent a device from having sufficient protection. For example, legacy systems in application areas such as medical devices may be implemented on older operating systems that cannot be upgraded due to certification or compliance reasons.
This is where an external firewall/security device may provide protection to a legacy device. This is normally done by putting the external firewall between the legacy device and the local area network (LAN).
Icon Labs’ Floodgate Defender is an example of an external firewall. It has a pair of Ethernet connections. One connects to the legacy device. The other is connected to the LAN. The Floodgate Defender’s microcontroller runs Icon Labs’ software to provide firewall services.
Icon Labs’ Floodgate Defender sits between a device like a PC and the network.
The advantage of an external device is twofold. First, it can be updated independent of the legacy device. Second, it operates independent of the legacy device. If the legacy device is compromised it is still possible for the external device to detect and prevent the compromised device from spreading its nefarious software to other devices on the network or communicating with applications on the internet.
The Floodgate Defender uses a security coprocessor from Maxim Integrated Products. It provides secure key storage and a cryptographic accelerator that are often lacking in legacy systems. This improves the resistance of encryption functions on the external firewall and enables secure boot for the external firewall.
In theory, host-based firewalls can limit communication to and from applications on the device with other systems connected to the network. Unfortunately if the host is compromised then the firewall can be disabled or bypassed. Likewise, the host typically has complete access to the network so a subverted system can connect to other devices on the network and the internet, assuming there is a gateway to the internet.
An external firewall can do the same thing as a host-based firewall but compromising the host will not do the same to the external firewall. A properly configured external firewall can limit the connections available to a host to a significant subset of possible network connections. For example, an X-ray machine may send scans to a file server. It may also have a web server for remote configuration. The external firewall can allow only these two connections and it can limit the IP addresses of the devices at the other end of the connection. This protects the device from subversive systems on the LAN as well as limiting any attacks if the host becomes compromised.
This approach works very well for embedded applications where the host devices are well defined and the connections they should be making are limited. Systems that have more open connections like a web browser are more of a challenge because they typically need unlimited connectivity but even these may be controlled by an external firewall.
Individual devices like Floodgate Defender work well when there are a limited number of devices or where physical isolation is preferred. Floodgate Defender does not have to be located next to the device it protects, but that is typically the case. The alternative would be to place the external firewall near the switch that the legacy device is connected to.
“A large portion of our critical infrastructure is controlled by legacy devices that were originally designed for use on closed networks and therefore contain little or no security. Even though they perform critical functions managing our power grid, factories, communication networks, and hospitals, most are easy targets for cyber-criminals and cyber-terrorism,” says Alan Grau, president of Icon Labs. “Many of these devices cannot be updated to include security, and replacing them with new secure versions will take years.”
Another approach is to combine the external firewall support with a network switch. The legacy device connection to a switch is replaced with a connection to the firewall device.
Watchguard is one company that provides a range of switch oriented firewall devices like the Firebox M440 (Fig. 2) that provides protection on a per port basis. It looks and operates like an Ethernet switch except that packets first pass through a firewall for each port before moving to the switch. This particular device has 25 gigabit Ethernet ports of which 8 provide power-over-Ethernet (PoE) support. There are two 10 Gbit/s ports as well.
Watchguard’s Firebox M440 has 25 gigabit ports, 8 with PoE support, and a pair of 10 Gbit/s ports.
A switch-based solution can be more cost-efficient compared to individual devices. Management may be easier but in general external firewall devices of either sort are designed for large scale deployment and management.
Individual or switch-based external firewalls have been available for quite some time and it is a wonder that they are not used in critical infrastructure applications such as hospitals where legacy systems often have security support that is limited. The reason is typically cost but this is actually trivial compared to having an entire network compromised just once. Most systems can be installed quickly and even configured after installation.
Network security is not always easy to implement and manage but there is no reason that proper protection cannot be brought to bear, even with legacy devices.