Plugin spotlight: Firewall Configuration Analyzer

18 Sep 2023

Introduction to OTORIO Plugins


OTORIO’s OT Cyber Risk Management platform uses a dynamic plugin system to address the key challenges of securing converged OT networks. This core technological differentiator allows the platform to adapt to the unique requirements of each environment without significant customization effort.

The plugin system turns OTORIO’s platform into the only OT solution flexible enough to integrate natively with a wide range of IT, OT, and security systems. Instead of requiring full system updates, new capabilities ship as plugins that can be downloaded individually from OTORIO’s marketplace.

This is the first of many blogs to come, each highlighting the power of OTORIO’s plugin system one plugin at a time. This time: the Firewall Configuration Analyzer.

Image: OTORIO RAM² integrations

Firewall Configuration Analyzer Plugin

A firewall is a core building block of a network’s infrastructure and security.

Because protecting each individual asset is commonly a challenge in OT networks (patching critical assets or installing third-party applications on them is itself difficult), network segmentation is an effective mitigation for many of the critical attack vectors in the network. Proper segmentation, in turn, depends on proper firewall configuration, which makes it a sensitive subject that requires close attention. This is where the Firewall Configuration Analyzer comes in: it checks that the firewall configuration is sound and suggests fixes for the flaws it finds.

What is its value?

Once a firewall configuration has been reviewed by the Firewall Configuration Analyzer plugin, the user receives alerts about:

  • Segmentation issues, such as unsecured OT-to-IT or OT-to-Internet connectivity;
  • Configurable security controls, such as whether DoS protection or rule logging is enabled;
  • Security controls of the firewall itself, such as insecure integrations or weak authentication.

Image 1: Security control configuration issue (unauthorized OT internet communication)

Image 2: Potential segmentation issues (firewall policy)

Image 3: Security misconfigurations of the firewall itself (password complexity policy)

Firewall Configuration Analyzer alerts provide a clear mitigation indicating the rule and the specific firewall to address. This recommendation can be taken to the IT/networking team to further analyze and determine whether these rules and configurations are critical for the normal operation of the network or whether changes can be made in order to harden and improve the security posture.

How does the Firewall Configuration Analyzer work?

The Firewall Configuration Analyzer can operate as a one-time assessment (including offline) using a configuration export, or as ongoing (online) monitoring of segmentation issues in the network using the firewalls’ APIs.

Either way, the plugin ingests a firewall configuration, parses it, and adds new alerts to the management platform.

Image 4: Firewall Configuration Analyzer alerts

Due to the plugin’s flexible engine, it can be used in multiple scenarios, each with its own method of ingesting data:

  • Offline assessment (offline spOT assessment): manual export of the firewall policy using the user interface or firewall-specific tools.
  • Online assessment (spOT assessment): either manual policy ingestion or API integration with supported appliances.
  • Ongoing monitoring (RAM²): periodic, automated API-based policy ingestion; manual ingestion is also available as an option.

OTORIO has built a comprehensive, step-by-step playbook that enables security practitioners to export configurations from various firewall vendors and describes the safest and most reliable process to follow in order to get maximum insight from the plugin.

The following list of supported firewalls is current as of the date this article was written; several versions of each are supported: Cisco (ASA, FTD, Meraki), Check Point, Hirschmann, Fortinet, Juniper, mGuard, Palo Alto (including Panorama exports), SonicWall and Sophos.

Image 5: Plugin configuration interface (RAM²’s edge device)


Enriching OTORIO’s Cyber Digital Twin

The plugin offers a comprehensive approach: it not only generates alerts based on the firewall’s configuration, but also feeds segmentation and networking information into the Central Management’s Cyber Digital Twin.

This integration empowers advanced analysis engines such as the Attack Graph Analysis, which provides practical action items to effectively mitigate risk from realistic attack scenarios. These include potential attacks from internet-connected devices to OT devices or network propagation between different processes or areas.
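As an added illustration (not OTORIO’s code and not a description of the plugin’s internals), the Python below sketches what the two preceding sections describe: once a vendor export has been parsed into a neutral rule list, an analyzer raises segmentation, configurable-control and firewall-hardening alerts that name the firewall and the rule to address, and it derives zone-to-zone reachability of the kind an attack-graph engine would consume to find paths from Internet-connected zones into OT. The rule schema, zone names, thresholds and the sample policy are all constructed for this example; the vendor-specific parsing step is assumed to have already happened.

```python
"""Toy firewall-policy analyzer (added example; not OTORIO's code).
Raises segmentation, control and hardening alerts from a neutral rule model
and derives zone reachability for an attack-graph view. Schema, thresholds
and the sample policy are constructed for this example."""
from collections import deque
from dataclasses import dataclass, field

OT_ZONES = {"ot", "control"}          # constructed zone names
UNTRUSTED_ZONES = {"internet", "it"}
INSECURE_MGMT = {"telnet", "http", "snmpv2c"}
MIN_PASSWORD_LENGTH = 12              # assumed local policy threshold

@dataclass
class Rule:
    rule_id: str
    action: str          # "allow" or "deny"
    src_zone: str
    dst_zone: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    service: str         # e.g. "tcp/502" or "any"
    logging: bool = True

@dataclass
class FirewallConfig:
    name: str
    rules: list
    dos_protection: bool = True
    mgmt_protocols: set = field(default_factory=set)
    min_password_length: int = 8

@dataclass
class Alert:
    firewall: str
    category: str        # "segmentation", "control" or "hardening"
    rule_id: str         # "" for firewall-level findings
    message: str
    mitigation: str

def analyze(cfg):
    """Return the alerts raised for one firewall configuration."""
    alerts = []
    for r in cfg.rules:
        if r.action != "allow":
            continue  # deny rules open no path
        zones = {r.src_zone, r.dst_zone}
        if zones & OT_ZONES and zones & UNTRUSTED_ZONES:   # OT reachable from / reaching untrusted zones
            alerts.append(Alert(cfg.name, "segmentation", r.rule_id, f"allows {r.src_zone}->{r.dst_zone} ({r.service})",
                                "limit to required hosts and services, or terminate in a DMZ"))
        if r.src == "any" and r.dst == "any" and r.service == "any":
            alerts.append(Alert(cfg.name, "segmentation", r.rule_id, "permits any-to-any traffic",
                                "replace with least-privilege rules"))
        if not r.logging:                                   # configurable control: rule logging
            alerts.append(Alert(cfg.name, "control", r.rule_id, "rule logging disabled",
                                "enable logging so hits reach monitoring"))
    if not cfg.dos_protection:                              # configurable control: DoS protection
        alerts.append(Alert(cfg.name, "control", "", "DoS protection disabled", "enable DoS protection"))
    for proto in sorted(cfg.mgmt_protocols & INSECURE_MGMT):  # firewall's own hardening
        alerts.append(Alert(cfg.name, "hardening", "", f"management over {proto}", f"disable {proto}; use SSH, HTTPS or SNMPv3"))
    if cfg.min_password_length < MIN_PASSWORD_LENGTH:
        alerts.append(Alert(cfg.name, "hardening", "", f"minimum password length is {cfg.min_password_length}",
                            f"require at least {MIN_PASSWORD_LENGTH} characters"))
    return alerts

def reachable_path(cfg, start, targets):
    """BFS over the zone graph formed by allow rules. Returns the rule ids of the
    first path from `start` into any zone in `targets`, or None if there is none."""
    edges = {}
    for r in cfg.rules:
        if r.action == "allow":
            edges.setdefault(r.src_zone, []).append((r.dst_zone, r.rule_id))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        if path and zone in targets:
            return path
        for nxt, rid in edges.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rid]))
    return None

def sample_config():
    """Constructed policy for a fictional plant firewall."""
    return FirewallConfig(
        name="plant-fw-01",
        rules=[
            Rule("R1", "allow", "ot", "internet", "10.10.0.0/16", "any", "any", logging=False),
            Rule("R2", "allow", "ot", "control", "10.10.1.0/24", "10.10.2.0/24", "tcp/502"),
            Rule("R3", "allow", "it", "ot", "any", "any", "any"),
            Rule("R4", "allow", "internet", "it", "any", "10.20.0.0/16", "tcp/443"),
            Rule("R5", "deny", "any", "any", "any", "any", "any"),
        ],
        dos_protection=False, mgmt_protocols={"ssh", "http"}, min_password_length=8)

if __name__ == "__main__":
    cfg = sample_config()
    for a in analyze(cfg):
        print(f"[{a.category}] {a.firewall} {a.rule_id or '(global)'}: {a.message} -> {a.mitigation}")
    print("internet -> OT path:", reachable_path(cfg, "internet", OT_ZONES))
```

On the sample policy this raises seven alerts (three segmentation findings on R1 and R3, two control findings, two hardening findings) and shows that, although no single rule connects the Internet zone to OT, the chain R4 then R3 does; that chained view is what the Cyber Digital Twin and Attack Graph Analysis add over per-rule alerts.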

Image 6: Identifying non-restricted process communication (cyber digital twin)

Moreover, the Attack Graph Analysis effectively identifies and highlights vulnerabilities and security gaps that attackers can exploit. This capability reduces the effort required to address issues that are less likely to be exploited, allowing for a more focused and efficient mitigation approach.

Image 7: Example of an attack vector (mitigation approach steps)

Amazing! Can I try it?

Because the plugin also supports an offline spOT assessment, its value can be demonstrated without deploying anything in the customer’s network. Want to give it a try?


Want to explore & discuss it more? Reach out to me directly at [email protected].