Firewalls on High Availability(HA) : Benefits and Challenges
Customers usually choose to go for two firewalls in high availability (HA) mode for several reasons, including:
- Redundancy: The primary reason for configuring two firewalls in high availability mode is to ensure redundancy. If one firewall fails, the other firewall takes over seamlessly, ensuring continuous protection for the network.
- Business continuity: High-availability firewalls are essential for businesses that require uninterrupted access to their applications and data. By having two firewalls in high availability mode, businesses can ensure that their network is always protected and that they can continue to operate even if one of the firewalls fails.
- Load balancing: Some customers also use two firewalls in high availability mode to balance the traffic load between them. This can be useful in situations where one firewall may be under heavy load due to a large amount of traffic, ensuring that the network is not overwhelmed.
- Security: High availability firewalls can also enhance the overall security posture of an organization. By having two firewalls, customers can implement different security policies on each firewall and ensure that their network is protected from various threats.
- Compliance: Certain regulatory requirements, such as those set forth by the Payment Card Industry Data Security Standard (PCI DSS), mandate the use of high-availability firewalls as a security control to protect cardholder data. Customers may choose to implement high-availability firewalls to comply with such requirements.
Configuring firewalls for high availability (HA) involves setting up redundant firewall devices to ensure continuous protection and access control in the event of a failure. Here are some steps, in general, to configure firewalls for high availability:
- Choose the appropriate firewall devices: Select two or more identical firewall devices that support high availability configuration.
- Configure basic settings: Configure the basic settings on each firewall device, including hostname, IP address, and network interfaces. Ensure that each firewall device is connected to the same LAN segment.
- Configure HA settings: Configure HA settings such as heartbeat interfaces, failover settings, and synchronization settings. The heartbeat interface is used to detect the health status of the other firewall device. Failover settings determine how the devices switch roles in the event of a failure, and synchronization settings ensure that the configuration data is identical on both devices.
- Test the failover process: Test the failover process by simulating a failure on the active firewall device. Verify that the standby firewall device takes over the role of the active firewall device.
- Configure the firewall rules: Configure the firewall rules on both devices to allow the desired traffic to pass through. Ensure that the rules are synchronized between both devices.
- Monitor the devices: Monitor the firewall devices and ensure that both devices are functioning correctly.
However, the above steps may vary depending on the firewall devices & the makes being used, and the configuration requirements. It is always best to consult the manufacturer’s documentation for detailed instructions on configuring firewalls for high availability. But Before configuring firewalls for high availability (HA), it is crucial to ensure that certain prerequisites as mentioned below are in place.
- Hardware requirements: Check the hardware requirements of the firewall devices to ensure they are suitable for high availability configuration. The hardware should be able to handle the expected traffic load and have the necessary interfaces and storage for the configuration and log data.
- Network infrastructure: Ensure that the network infrastructure is configured correctly to support high availability. The firewall devices should be connected to the same LAN segment and have a dedicated heartbeat interface for the failover mechanism.
- Firewall software: Check that the firmware or software on the firewall devices is compatible with the high availability configuration. Upgrade the firmware or software if necessary.
- IP addressing: Ensure that each firewall device has a unique IP address and that the IP addresses of the interfaces on each device are on the same subnet. It is also important to ensure that the default gateway is correctly set up.
- Firewall rules: Ensure that the firewall rules are configured correctly and tested before configuring high availability. This helps to ensure that the firewall rules will be synchronized correctly between the devices.
- Documentation: Ensure that you have the necessary documentation, such as the manufacturer’s guide, to guide you through the process of configuring high availability for your specific firewall devices.
It’s highly recommended that you have 2 Switches also while we configure 2 Firewall alliances on HA in order to prevent a single point of failure scenario since if one switch fails, the other switch can continue to provide connectivity to the firewall devices which ensures that there is no disruption to network traffic and that the firewall devices can continue to function even if one switch fails.
Here are a few steps to follow but it’s also important to consult the manufacturer’s documentation for specific instructions on configuring high availability for your particular switch model.
- Two switches: Two switches are required for redundancy, and they should be identical in model and configuration to ensure seamless failover.
- Power supply units (PSUs): Each switch should have dual power supplies for redundancy, and each power supply should be connected to an independent power source.
- Network cables: You will need Ethernet cables to connect the switches to the firewall devices and other network devices.
- Spanning Tree Protocol (STP): STP is a protocol used to prevent loops in network topology, and it should be enabled on both switches.
- Link aggregation (LAG): LAG, also known as port-channeling or NIC teaming, is used to combine multiple physical links into a single logical link to increase bandwidth and provide redundancy. LAG should be configured between the two switches to ensure redundancy.
- IP addressing: Each switch should be assigned a unique IP address on the management network, and the switches should be configured to communicate with each other using the same management network.
- Management Software: The management software for the switches should be installed and configured for high availability.
- Testing plan: A testing plan should be developed to verify the failover mechanism and ensure that the redundancy configuration is working as intended.
Now let’s look at two commonly used modes of HA:- “Active-Active” and “Active-Passive”, the differences between the two scenarios are as mentioned below:
- Active-Active HA: In an active/active HA configuration, both firewalls are actively processing traffic at the same time. Traffic is distributed between the firewalls in a load-balancing fashion, and both firewalls are processing traffic simultaneously. This mode can help increase network throughput and improve performance, especially in scenarios where one firewall may be overwhelmed with traffic.
- Active-Passive HA: In an active/passive HA configuration, one firewall is active, processing traffic and handling network requests, while the other firewall is in standby mode, ready to take over if the active firewall fails. This mode provides a higher level of redundancy, as there is always a backup device ready to take over in case of a failure.
In summary, active-/active HA allows both firewalls to actively process traffic simultaneously, while active-passive HA provides redundancy with one active firewall processing traffic and the other standby in case of failure. The configuration of both modes is quite different and it is essential to ensure that the configuration is done correctly to avoid issues such as traffic imbalance or failover failures. Firewall vendors often provide guidance and documentation on how to set up high availability for their devices, and it is recommended to follow these guidelines closely.
Implementing high availability (HA) for firewalls can provide significant benefits in terms of network uptime, reliability, and redundancy. However, there are also several challenges that organizations may face when implementing HA for their firewall infrastructure. Some of these challenges include:
- Increased Complexity: Implementing HA for firewalls can add complexity to the network infrastructure. This is because HA typically involves the configuration of multiple devices and protocols, and may require changes to network topology, addressing, and routing.
- Cost: HA typically requires the purchase of additional hardware and licenses, which can add to the overall cost of the firewall infrastructure.
- Configuration Management: Maintaining consistent configurations across multiple firewall devices can be challenging. Changes made to one firewall must be replicated to all other devices to ensure consistency, and this can be time-consuming and error-prone.
- Testing and Maintenance: HA requires regular testing and maintenance to ensure that failover and other processes are functioning correctly. This can be time-consuming and may require additional resources to manage.
- Risk of Configuration Errors: If not configured correctly, HA can introduce new points of failure into the network infrastructure. Configuration errors can cause traffic imbalances, failover failures, and other issues that can impact network uptime and performance.
- Impact on Performance: HA can impact network performance, especially in active/active mode. The load-balancing process can introduce latency and slow down traffic, especially in scenarios where one firewall is overwhelmed with traffic.
Therefore Organizations should carefully consider the costs and complexity of HA, and ensure that they have the resources and expertise to manage and maintain the HA configuration properly. Additionally, regular testing and maintenance should be performed to identify and resolve any issues that may arise.
The Rise of Ransomware: Take a peek into AIIMS Cyber Attack, and how organizations should proactively counter such attacks?
Before understanding the countermeasures, let’s understand the sequence of events pertaining to the Cyber Attacks on All India Institute of Medical Sciences (AIIMS), a premier public medical research institution and a hospital based in New Delhi.
The cyber-attack on AIIMS was reported on 23rd November 2022, this lasted for more than 15 days & only by 6th December 2022,that the hospital was restored to normal, AIIMS confirmed that the trial runs of the e-Hospital server were successful, and most of the lost data had been retrieved. As a result of the incident, several patient care services, including registration, admission, billing, and discharge, appointment systems were inaccessible. Even the ‘e-Hospital,’ application system of the National Informatics Centre (NIC) was impacted by this incident & the hospital’s operations had to run manually to meet the immediate demands.
This ransomware attack could have corrupted huge data and medical records, including Personally Identifiable Information (PII) of patients and healthcare workers, and administrative records kept on blood donors, ambulances, vaccination, caregivers, employee login credentials, sensitive data, and medical records of VIPs. This kind of data is usually sold on the dark web by hackers.
The extent of the attack was so intense that multiple agencies like Delhi Police, the Centre’s Computer Emergency Response Team (CERT), the Ministry of Home Affairs, the Forensic Science Laboratory (FSL), and even the National Investigation Agency (NIA) sprang into action & the findings as reported by various media sources are as below
- IP addresses of two emails, which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China’s Henan province
- The hackers had two Protonmail addresses – “dog2398” and “mouse63209”.
- The targeted servers were infected with three ransomware: Wammacry, Mimikatz, and Trojan.
More could be revealed in times to come, but organizations must take the following steps to proactively prepare against cyber-attacks:
- Develop a comprehensive cybersecurity policy: A comprehensive cybersecurity policy should outline the organization’s approach to cybersecurity, including the roles and responsibilities of employees, the procedures for responding to security incidents, and the procedures for conducting security assessments. The policy should also include guidelines for protecting sensitive information, such as customer data and intellectual property, and for ensuring the security of the organization’s IT infrastructure.
- Conduct regular security assessments: Regular security assessments can help organizations identify potential security weaknesses and take steps to address them before they can be exploited by attackers. Assessments can be performed internally, or with the assistance of a third-party security consultant. Some common types of security assessments include penetration testing, vulnerability scanning, and security audits.
- Train employees: Employee awareness and training are crucial in the fight against cyber-attacks. Organizations should educate employees on the importance of cyber security, safe browsing habits, and how to identify and respond to phishing attempts. This can be achieved through regular training sessions, e-learning programs, and simulated phishing exercises.
- Implement multi-factor authentication: Multi-factor authentication (MFA) provides an additional layer of security beyond a simple password, making it more difficult for attackers to gain access to sensitive information. MFA can be implemented for all users, or just for those with access to sensitive information, such as administrators.
- Keep software up-to-date: Regular software updates can help fix security vulnerabilities, so it’s important to keep all software up-to-date to reduce the risk of successful cyber-attacks. This includes not only the operating system and applications, but also security software such as antivirus and firewall applications.
- Use encryption: Encrypting sensitive data can help prevent unauthorized access, even if the data is stolen or intercepted during transit. Organizations should use encryption for sensitive data in transit, such as when transmitting data over the internet, and for sensitive data at rest, such as data stored on servers and end-user devices.
- Backup data regularly: Regular backups can help organizations recover quickly from a cyber-attack or other data loss event. Backups should be stored off-site, or in the cloud, to ensure that they are not affected by a security incident at the primary location.
- Collaborate with other organizations: Sharing threat intelligence and best practices with other organizations can help improve overall security posture and respond more effectively to cyber-attacks. This can be achieved through information sharing initiatives, such as information sharing and analysis centres (ISACs), or through collaboration with industry groups and law enforcement agencies.
- Consider insurance coverage: Organizations may want to consider purchasing cyber insurance coverage to help mitigate the financial impact of a successful cyber-attack. Cyber insurance policies can provide coverage for costs such as incident response, legal fees, and compensation for customers whose data is compromised.
By taking these steps, organizations can proactively prepare against cyber-attacks and reduce the risk of a successful attack. Additionally, in addition to the general cyber security measures, organizations can also implement specific network and data security measures to protect their IT infrastructure and sensitive data. Some of these measures include:
- Firewalls: Firewalls can help protect the organization’s network from unauthorized access by filtering incoming and outgoing traffic based on pre-defined rules. Organizations should consider implementing both perimeter firewalls and host-based firewalls to provide multiple layers of protection. Would highly recommend you to even consider Next-generation firewalls (NGFWs) in place of traditional firewalls as they come with few some limitations in terms of their ability to detect and prevent modern cyber threats.
- Virtual Private Networks (VPNs): VPNs can help secure communications between remote workers and the organization’s network by encrypting data in transit. This can help prevent unauthorized access to sensitive data, such as login credentials and confidential documents.
- Access controls: Access controls can help ensure that only authorized users have access to sensitive data and systems. This can be achieved through the use of user authentication, such as passwords and biometrics, and through the use of role-based access controls, which restrict access to specific systems and data based on an individual’s role within the organization.
- Data Loss Prevention (DLP): DLP solutions can help prevent the accidental or unauthorized release of sensitive information, such as credit card numbers and Social Security numbers. DLP solutions can be implemented through the use of software agents, or through the integration of DLP capabilities into existing security solutions, such as firewalls and email gateways.
- Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS solutions can help detect and prevent cyber-attacks by analysing network traffic and identifying suspicious activity. IDS/IPS solutions can be implemented as hardware devices, or as software applications running on servers or end-user devices.
- Endpoint protection: Endpoint protection solutions, such as antivirus and anti-malware software, can help protect end-user devices from cyber-attacks by identifying and blocking malicious software and activities. Organizations should ensure that all end-user devices, including laptops, smartphones, and tablets, are protected by up-to-date endpoint protection software.
- Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions: Unlike a end point security solutions, EDR & XDR solutions can help organizations detect and respond to cyber threats more effectively, and can complement other security measures, such as firewalls, intrusion detection systems, and anti-malware software.
By implementing these network and data security measures, organizations can further strengthen their defence against cyber-attacks and protect sensitive data. It’s important to regularly review and update these measures to ensure that they remain effective in the face of changing cyber security threats.