The Importance of IP Address Restrictions


It probably comes as no surprise that Russia is currently on pretty much everyone’s cyber security radar. There are botnets and hacking originating from (and targeted at) Russia like you wouldn’t believe right now. Well, maybe you would, considering what Russia’s getting up to these days, but the thing is this has been going on for a while.

I routinely perform cyber security assessments. Sometimes they’re simple one-offs, and of course they’re a regular part of service for subscribing customers. Part of these assessments is a thorough evaluation of firewall configuration, including how permissions are set up, what features are enabled, etc.

One major component of the assessment is how outside access is set up and allowed. This means looking at any VPNs that may be set up, how RDP is set up, and other important issues. It’s pretty common to run into a situation where remote access is set up to an internal resource (like an RDP server) and the firewall policy is set up to allow all external IPs to connect, the assumption being that user authentication will keep out anyone who’s unauthorized.

This is a terrible approach to take because you are relying on a single point of failure to protect you. If the authentication is somehow bypassed or compromised, it’s all over. Some organizations invest in multifactor authentication (MFA) and call it a day. The thing is, while implementing MFA is an improvement, it still leaves you relying on a single layer of defense (user authentication).

So what does all of this have to do with Russia?

Towards the end of summer last year I was performing a fairly routine security audit and I discovered something bizarre: Russian IPs were banging away trying to log into a customer’s RDP server. Outside access to a machine had been set up and nobody had stopped to ask if the resource should be accessible to the entire internet. Needless to say, we immediately sounded the alarm and restricted the client’s access policy. Since then, every time I’ve found a firewall configured to allow the general internet access to an internal resource, I’ve found Russian IPs trying to get in (they have a real thing for RDP servers). Before then, what I’d see on firewalls at organizations with an open policy had been fairly random.

It doesn’t stop there. Recently WatchGuard released a patch for their firewalls because of a Russian botnet that could completely take over a WatchGuard remotely. All it needed was to be able to access one of the login pages to the firewall. Thankfully the default configuration we use at TRINUS locks access to the management portal down to our corporate IP addresses. We do that because if we are managing the firewall, then not only should we be the only ones with the username and password, we should also be the only ones who can connect at all.

And herein lies the point I hope to make today: there’s no reason to even show a login page to anyone else. A simple IP restriction was able to completely shut down a botnet powerful enough that it could take over any WatchGuard it wanted. Simply put, if there’s no reason to allow everyone on earth to connect to an internal resource from the outside, don’t allow it!
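The check described above (is a remote-access or management service reachable from anywhere, or only from the addresses that should be managing it?) is easy to automate when you have the policy in a machine-readable form. The script below is an added example written for this post; it is not TRINUS’s code or any vendor’s configuration format. The rule layout, the port-to-service table, the corporate ranges (RFC 5737 documentation addresses) and the sample policy are all constructed assumptions, and the management-portal port is a placeholder because the real one isn’t given in the post.

```python
"""
Audit a firewall policy for remote-access and management services that are
allowed from sources outside a corporate allowlist, and show the narrowed rule.

Added example (not TRINUS's or any firewall vendor's code). The rule format is
a constructed, vendor-neutral representation: action, protocol, destination
port, and a list of source CIDRs.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List

# Constructed corporate ranges (RFC 5737 documentation addresses, assumed).
CORPORATE_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.10/32")]

# Services that should only ever be reachable from the allowlist. 22 and 3389
# are the standard SSH and RDP ports; 8080 is an ASSUMED placeholder for the
# firewall's own management portal.
RESTRICTED_PORTS = {22: "ssh", 3389: "rdp", 8080: "mgmt-portal (assumed port)"}

# Constructed sample policy. The first two rules reflect the mistakes the post
# describes (RDP and the management portal open to any source, IPv4 and IPv6);
# the third shows RDP correctly limited to the corporate ranges; the last is
# a public web service that is legitimately open to everyone.
SAMPLE_POLICY: List[Dict] = [
    {"name": "rdp-open", "action": "allow", "proto": "tcp", "dport": 3389,
     "sources": ["0.0.0.0/0"]},
    {"name": "mgmt-open", "action": "allow", "proto": "tcp", "dport": 8080,
     "sources": ["0.0.0.0/0", "::/0"]},
    {"name": "rdp-corp-only", "action": "allow", "proto": "tcp", "dport": 3389,
     "sources": ["203.0.113.0/24", "198.51.100.10/32"]},
    {"name": "https-public", "action": "allow", "proto": "tcp", "dport": 443,
     "sources": ["0.0.0.0/0"]},
]


def source_within_allowlist(source: str, allowlist: Iterable) -> bool:
    """True when the source CIDR is fully contained in one allowlisted range.

    Address families are compared only with their own kind, so an IPv6
    any-source ("::/0") is correctly reported as outside an IPv4-only allowlist.
    """
    net = ip_network(source, strict=False)
    return any(net.subnet_of(rng) for rng in allowlist if rng.version == net.version)


def audit_policy(policy: List[Dict], allowlist: Iterable = CORPORATE_RANGES) -> List[Dict]:
    """Return one finding per allow rule that exposes a restricted service
    to any source outside the allowlist. Rules for other ports are ignored."""
    findings = []
    for rule in policy:
        if rule["action"] != "allow" or rule["dport"] not in RESTRICTED_PORTS:
            continue
        exposed = [s for s in rule["sources"] if not source_within_allowlist(s, allowlist)]
        if exposed:
            findings.append({
                "rule": rule["name"],
                "service": RESTRICTED_PORTS[rule["dport"]],
                "exposed_from": exposed,
            })
    return findings


def harden_rule(rule: Dict, allowlist: Iterable = CORPORATE_RANGES) -> Dict:
    """Return a copy of the rule with its sources narrowed to the allowlist.
    Authentication on the service stays in place; this just adds the second
    layer so the login page is never shown to the rest of the internet."""
    return {**rule, "sources": [str(rng) for rng in allowlist]}


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"{finding['rule']}: {finding['service']} reachable from {finding['exposed_from']}")
    fixed = [harden_rule(r) if r["dport"] in RESTRICTED_PORTS else r for r in SAMPLE_POLICY]
    print("findings after hardening:", audit_policy(fixed))
```

Run against the sample policy, the audit reports `rdp-open` and `mgmt-open` and is silent about `rdp-corp-only` and the public HTTPS rule; after `harden_rule` is applied to the restricted services it reports nothing. Note that the IPv6 `::/0` entry is flagged separately: a policy that only tightens the IPv4 source is still open to the world if the firewall also answers on IPv6.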

Cyber security is an incredibly complex topic and no one expects executives to understand all of it. Nevertheless, sometimes things like leaving a hole in a firewall open to the entire internet can drive a guy to drink. Apropos of that, this week’s Shakespearean quote comes from Henry V, Act 3, Scene 2: “I would give all of my fame for a pot of ale and safety.” I guess even Shakespeare understood we can all use a stiff drink from time to time.

If you’d like help securing your firewall against hackers of all stripes (Russians included), contact your TRINUS account manager today. After all, stress-free IT means your IT should never leave you seeing red.


Be kind, courtesy your friendly neighbourhood cyber-man.
