Firewall-based Ransomware Protection

Small and middle size companies IT Security is often neglected until it is too late and there is a breach. Quite similar to human health and our behavior towards the viruses. A properly configured and placed next generation firewall can detect and prevent ransomware from either entering or your data leaving your organization network.

Only a next generation firewall will help, as it inspects your traffic in real time and identifies threats, breaches and unnatural activity. It checks every file passing through if it was already identified as a threat somewhere else, and blocks it before it gets into your network.

Sounds simple?

Even if the file is transferred via encrypted sessions like SSL/TLS, a properly configured and regularly updated NGFW will decrypt the traffic and check it for signatures, hashes and malicious code.

Big companies, who take network security seriously have already utilized the power of NGFW, but until recent times is involved costly on-premise equipment and in-house specialists. Since then many hackers diretcted their attacks to less protected victims.

We, at AFS make enterprize level network security available to small and middle sized businesses.

Whats the difference between ransomware, malware and a virus?

Ransomware differenceMost viruses are designed to steal sensitive data or provide hackers control over victim’s devices.

Ransomware is a type of a virus, which once penetrated the system encrypts your data and keeps it locked until you pay a ransom.

Can a firewall block ransomware attacks?

A properly configured and placed next generation firewall inspects all traffic coming to your organization and stop will potential incoming malware. It can also inspect outgoing traffic and block  commands, used for sending out the key for the encryption.

How does a firewall detect and block ransomware?

NGFW inspects your traffic in both directions – upload and download.

Here is how it detects ransomware in incoming traffic:

  • Source check – compare the source to a list of  known malicious websites, servers and e-mails.
  •  IP/URL reputation security intelligence feed protects against known hacker’s IP addresses and domains.
  • Encrypted Traffic decryption – SSL decryption policy helps the NGFW decide which traffic to decrypt on firewall level.
  • Anti malware functionality – Anti-malware features recognize files and compare them to a data set of file fingerprints.

The outgoing traffic inspection is usually limited to controlling the types of traffic and locations it is being sent to.

What is the difference between legacy and next-gen firewalls?

FirewallLegacy firewalls are not capable of SSL decryption, IP reputation filtering, URL filtering by category, nor are enabled to compare file fingerprints.

This makes them blind to ransomware.

Can cloud data be subject to ransomware?

No matter the providers, the cloud is just a replica of your physical infrastructure, but in someone else’s datacenter.

It doesn’t matter if you have a cloud server, a virtual server or an on-premise server, the moment a ransomware runs on it, it is done.

Which firewall vendors provide the best ransomware protection?

Cisco Firepower, Palo Alto Networks, Fortinet, and Check Point, are all mature solutions and have advanced anti-malware features.

Ransomware protection is amongst their advanced options, and needs to be properly configured to work.

What are firewall best practices to block ransomware?

In short – configuration, rules, decryption.

  • Do not allow not inspected traffic through.
  • Reduce the attack surface.
  • Block unknown files unless they enter from a very trusted party. Keep log on this for retrospective analysis.
  • Decrypt all traffic in order to detect files and specifically malware, including ransomware.

How to test your firewall if it’s vulnerable to ransomware?

Penetration testingThe original virus files are not needed. You may enforce your NGFW to trigger alerts detecting any types of files. We can take a random source and download a file. Enter this file’s hash in the blocked entries and try to download again. If the firewall now is able to recognize this file and eventually alarms or drops and alarms, then your environment is fine to detect malware too. Be specific in enabling the firewalls to enter their cloud fingerprint providers.

How to stop ransomware with a NGFW ?

  1. Enable its malware protection capabilities
  2. Decrypt the traffic and don’t let some none analysed traffic through
  3. Double check if the NGFW can access its hash collection cloud (update servers)
  4. And always be careful what you download. Might require internal staff training
  5. Keep your staff aware of the security risks. Educate your staff
  6. Always make backups. Nobody is bullet proof. Make sure you can recover your organization’s most valuable assets in case of a breach. Check regularly the quality of the backups.
  7. Having a NGFW in place is not enough. You need to do regular tests and tuning on it. For that you need professionals with enough expertise.

Let us perform a quick check if your NGFW setup is protected against ransomware – contact AFS today!