I have seen some comments of late about the PSN hack being due to Sony having no firewalls in place and out-of-date Apache instances. A brief amount of research debunks this assertion; however, I was genuinely surprised at the level and ferocity of the comments around it, most of which related to people essentially “living and dying” by their firewalls. This position is ludicrous, to say the least: a firewall is but one control, not the be-all and end-all of security, and in my own personal experience, sometimes they are simply not up to the task and you need to think outside the box.
So here is the problem……
You are designing/running a global gaming platform that is highly latency-sensitive; you’re planning on having all the world’s gamers use your platform and push it to its limits. If you drop even one packet, you could get someone fragged in-game and cause the most heinous flaming you have ever experienced, resulting in lost customers for the company. But it needs to be secure. What next?
Believe it or not, I have personally been in this scenario during my time at EA. I had to design, build and deploy the EMEA Online Web & Game Platform, as well as co-develop the global gaming platforms for the wider business. What I can share with you is that firewalls, no matter how big/good/expensive they are, suffer two problems: 1) they are a bottleneck into your environment, which is a problem when you scale up to millions of users, and 2) they introduce latency by doing their job.
So what are the options? On the one hand, you could design around the problem: spend a large amount of cash on the “biggest and best” firewalls money can buy, create smaller firewalled segments and multi-layer your network to cope with the limits of the firewalls. True, you could, but this additional complexity introduces more routing hops and more kit for the packets to flow through, which increases latency and degrades the overall experience for the players. Another option is to not use firewalls.
So what do you do when you can’t put a firewall in place? Easy 🙂 All a basic firewall is doing is a) controlling the flow of IP traffic using an Access Control List and b) tracking connection state so that only packets belonging to a permitted session get through (please note, I am specifically talking about a basic stateful inspection firewall (L3/L4) and not anything extra in the UTM (L7) space such as payload inspection, as these add way too much latency to packets for gaming consideration). Given that the firewall is performing these two simple tasks, all you need to do is replicate them elsewhere. Firstly, your existing network infrastructure can handle the ACL function, easier and faster, and given the packets are already going through this kit, it doesn’t add any latency to the path. The caveat is that a plain router or switch ACL is stateless: for TCP you admit return traffic by matching on the established flags, and for the UDP that most game traffic rides on there is no session state to track anyway, so the rules become explicit address-and-port permits in each direction, which is exactly what this kit processes in hardware. Next, it’s all about understanding the attack and being vigilant.
Essentially, if you’re going to break into a computer system, you need a few basic components:
- A Threat Agent (a bad guy with motivation; we will call him Fred)
- An Attack Vector (something bad he cooked up, like a SQL injection)
- An Attack Surface (your infrastructure, applications etc.)
- A Vulnerability (something you missed that matches Fred’s attack)
So, if Fred needs all these things to line up before he can achieve success, it’s all about making sure that you minimise your attack surface and keep it vulnerability-free. This means designing your environment to be simple and easy to manage, and having solid, well-executed vulnerability management programmes in place, typically including real-time (or near real-time) monitoring of services for vulnerabilities and excellent, fully automated patching programmes. Essentially, you want one system to identify a vulnerability in one of your web services and tell the other system to patch it. It is possible to do and works well, but you are going to have to clean up the odd system failure, so make sure your system is highly resilient (given the type of environment, it would be anyway). Now, I appreciate that a 0day is going to pwn you, but guess what: it still would even with the firewall, so don’t get all upset about it; just have your CSIRT ready to go and make sure it is well oiled!
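As an added example of the scanner-to-patcher loop described above (written for this page; it is not code from the original post or anything EA ran): it takes constructed scanner findings, drops hosts already at the fixed version, and rolls the patch out in waves so that no more than a quarter of any serving pool is out of rotation at once. Hosts whose patch fails are recorded for manual cleanup rather than retried blindly, which is the “odd system failure” the text warns about. The finding tuple layout, the pool inventory and the `patcher` callable are assumptions.

```python
"""Scanner-to-patcher bridge with a rolling rollout.

Added example for this page, not code from the original post or anything EA
ran. The finding layout, pool inventory and the patcher callable are assumptions.
"""
import math
from collections import defaultdict

# Constructed scanner findings: (host, pool, package, installed, fixed_in).
FINDINGS = [
    ("web01", "web", "httpd", "2.2.3", "2.2.17"),
    ("web02", "web", "httpd", "2.2.3", "2.2.17"),
    ("web03", "web", "httpd", "2.2.17", "2.2.17"),  # already fixed, must be skipped
    ("web04", "web", "httpd", "2.2.3", "2.2.17"),
    ("game01", "game", "libgame", "1.0", "1.1"),
    ("game02", "game", "libgame", "1.0", "1.1"),
]
# Constructed inventory: how many hosts serve in each pool.
POOL_SIZE = {"web": 4, "game": 2}


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def vulnerable(finding):
    """A host is vulnerable when installed < fixed_in (dotted numeric versions)."""
    _, _, _, installed, fixed_in = finding
    return version_tuple(installed) < version_tuple(fixed_in)


def plan_patches(findings, pool_size, max_fraction_down=0.25):
    """Return a list of waves. Each wave takes at most floor(max_fraction_down *
    pool size) hosts (minimum one) from any single pool, so the pool keeps
    serving while its members are patched and restarted."""
    per_pool = defaultdict(list)
    for f in findings:
        if vulnerable(f):
            per_pool[f[1]].append(f)
    waves = []
    for pool, items in sorted(per_pool.items()):
        batch = max(1, math.floor(pool_size[pool] * max_fraction_down))
        for start in range(0, len(items), batch):
            idx = start // batch
            while len(waves) <= idx:
                waves.append([])
            waves[idx].extend(items[start:start + batch])
    return waves


def apply_waves(waves, patcher):
    """Drive the patcher wave by wave. Returns (patched, failed) host lists;
    failures are recorded for manual cleanup, not retried blindly."""
    patched, failed = [], []
    for wave in waves:
        for host, _pool, package, _installed, fixed_in in wave:
            if patcher(host, package, fixed_in):
                patched.append(host)
            else:
                failed.append(host)
    return patched, failed


if __name__ == "__main__":
    # Stand-in patcher (assumption): pretend web02's package manager fails.
    ok = lambda host, package, version: host != "web02"
    print(apply_waves(plan_patches(FINDINGS, POOL_SIZE), ok))
```

In a real deployment the `patcher` would be whatever drives your configuration management, and you would health-check each wave before releasing the next, so a bad patch takes out one quarter of a pool rather than the whole thing.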
On that subject, this is one of the key controls you should have anyway, but won’t. Your ability to respond to an issue and deal with it appropriately is what people will observe. It doesn’t matter how good you are or how well you have designed something; at some point it’s all going to hit the fan. The other key control you are going to need is monitoring, so you know when you need the CSIRT! You will need to implement full monitoring and alerting for the environment, from both availability and security perspectives. You need to know what every device is doing at all times, because correlating this information can help you identify attacks in progress before they get anywhere near success: a denied connection at the router, a couple of probes at a web server and a failed login on a database host each look like noise on their own, but the same source address doing all three within a minute does not. All your kit is already logging these events silently to itself, so you are not going to add any extra burden on the environment, and typically you would create a separate network to handle management traffic to keep it off your primary network anyway, so it’s not going to impact service delivery.
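To show what correlating across devices buys you, here is an added example (not from the original post) that runs over a handful of constructed syslog-style lines from an edge router, two web servers and a database host. A threshold applied per device would stay quiet, since no single device sees more than two events from the attacker, but grouping suspicious events by source address across devices inside a 60-second window surfaces the probe. The line format, host names and field names are assumptions; the addresses are RFC 5737 documentation ranges.

```python
"""Cross-device correlation of security events by source address.

Added example for this page, not code from the original post. The log line
format (ISO timestamp, host, event kind, key=value fields) is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source (203.0.113.7) touches the edge router,
# a web server and a database host within about ten seconds; 198.51.100.4 is
# a legitimate visitor who happens to miss a favicon.
SAMPLE_LOGS = [
    "2011-04-20T10:00:01 rtr-edge-01 ACL-DENY src=203.0.113.7 dst=10.1.0.12 dport=22",
    "2011-04-20T10:00:03 web-01 HTTP status=404 src=203.0.113.7 path=/phpmyadmin/",
    "2011-04-20T10:00:04 web-01 HTTP status=404 src=203.0.113.7 path=/admin/",
    "2011-04-20T10:00:07 db-01 AUTH-FAIL src=203.0.113.7 user=root",
    "2011-04-20T10:00:09 web-02 HTTP status=200 src=198.51.100.4 path=/index.html",
    "2011-04-20T10:00:12 rtr-edge-01 ACL-DENY src=203.0.113.7 dst=10.1.0.13 dport=3306",
    "2011-04-20T10:00:15 web-02 HTTP status=404 src=198.51.100.4 path=/favicon.ico",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return a dict with ts/host/kind plus any key=value fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    ev.update(FIELD_RE.findall(rest))
    return ev


def suspicious(ev):
    """Events worth counting: denied packets, failed logins, HTTP errors."""
    if ev["kind"] in ("ACL-DENY", "AUTH-FAIL"):
        return True
    return ev["kind"] == "HTTP" and int(ev.get("status", 0)) >= 400


def per_device_counts(lines):
    """The naive per-device view: suspicious events per (host, src) pair."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and "src" in ev and suspicious(ev):
            counts[(ev["host"], ev["src"])] += 1
    return counts


def correlate(lines, window_seconds=60, min_devices=3):
    """Alert once per source address that generates suspicious events on at
    least `min_devices` distinct devices within a sliding window."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and "src" in ev and suspicious(ev):
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            devices = {e["host"] for e in in_win}
            if len(devices) >= min_devices:
                alerts.append({
                    "src": src,
                    "first_seen": first["ts"].isoformat(),
                    "devices": sorted(devices),
                    "kinds": sorted({e["kind"] for e in in_win}),
                    "events": len(in_win),
                })
                break  # one alert per source is enough to wake the CSIRT
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The design choice worth noting is that the per-device counters never exceed two here, so any single-box rule with a sensible threshold misses the activity; the alert only exists because the router, web and database logs land in one place on the management network and are keyed on the same source address.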
Also, when you’re talking about the gaming industry, typically, aside from the usual raft of web services running, you’re talking about very specific, proprietary services running on random ports to facilitate multiplayer gaming, so your “Threat Agents” are a limited pool of elite gamers, whose typical motivation is not to pwn your systems and steal your data, but is usually limited to a) administrative control of the game so they can kick out whoever they don’t like, and b) the ability to alter scores and leaderboard positions!
I would like to finish my brief rant/educational spout on a simple truth: firewalls don’t make you secure, they make you lazy.