I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.
Not wanting to disrupt business operations, I tested the device on a SPAN port that monitors traffic in and out of our network and in between. When I say "in between" I'm referring to a SPAN port that monitors traffic between the corporate network and our data center. That placement gave us visibility into attacks originating internally against our internal data center resources. (If we decide to purchase the PAN firewall or something similar, we'll move it in-line and replace our current firewall.)
Lacking a 24/7 security operations center (someday maybe?), I set up the firewall to forward email alerts for events that I think are indicative of compromise. One thing I was very interested in was detecting threats against our source code repository, which I consider one of the five most critical assets in our organization. Sure enough, earlier this week I received an alert that an SSH brute-force attack against the server containing our source code had been detected. This alert triggers when more than 20 login attempts are made within 60 seconds.
We tracked down the source of this attack and learned that it wasn't really an attack at all. Rather, one of our software engineers had recently changed his Windows domain password, which is used to log into our source code repository, but never changed some scripts he had in PhpStorm, a utility to edit PHP code. One script kept trying to log into the repository with his previous credentials, which of course didn't work, and the multiple attempts appeared to be a brute-force attempt from his PC. Although this was a false positive, I'd still prefer to know when this sort of thing is happening. And it seems clear that if we do get hit with a real brute-force attack, the firewall will let us know about it.
I also like that the firewall can easily detect BitTorrent traffic, which carries all sorts of security and legal problems but is also a prodigious consumer of bandwidth. We got a ping about this as well, and once again we traced the problem to a software engineer's PC. He swore he wasn't using BitTorrent, but a review of his PC turned up an installation of Popcorn Time, which is an open-source BitTorrent client that serves as a cost-free alternative to services such as Netflix. The engineer likes to stream movies during late-night product releases. He just hadn't thought of it as BitTorrent. After I recited our objections to such software, he promised to stop using Popcorn Time. Then I figured that if a software engineer could make that mistake, I should do a little companywide education. I will include a warning in my next quarterly security awareness email to remind employees of the policy against using apps such as Torrents, remote control software such as LogMeIn and hacking software, which I've also received alerts about, when someone downloaded Nessus and decided to scan our data center.
Sign up for Computerworld eNewsletters.