By Inhel Rekik
A typical organization has three network zones: the border network, the perimeter network and the internal network. Traffic crosses from one zone to the next through a network firewall, a network security device that allows or blocks traffic according to a predetermined set of rules. There are several generations of network firewalls.
The first generation is the packet filter. It judges each packet on its own, filtering by source and destination IP address, protocol, and source and destination port number; a packet that does not match an allow rule is dropped. Second-generation, or stateful, firewalls also work at layer 4 (the transport layer of the OSI model), but they keep a table of the connections they have already allowed and judge each packet in the context of its connection. That is what lets them admit reply traffic without a standing rule that opens the return path. Because every tracked connection occupies an entry in that state table, this type of firewall can be susceptible to denial-of-service (DoS) attacks that bombard it with new connection attempts until the table is saturated and legitimate connections are refused. The most recent category is the next-generation firewall (NGFW), which adds deeper inspection at the application layer: it identifies the application inside a flow regardless of the port used, includes an intrusion prevention system, integrates with the identity directory to tie a user ID to the IP address a session comes from (so rules can be written per user rather than per address), and may add reputation-based URL/IP filtering and web application firewall features.
The next category is the host-based firewall: software installed on the machine itself that controls the network traffic going in and out of it. A host-based firewall can be part of the operating system, such as the Windows firewall that ships with Windows, and some security products such as anti-malware or host intrusion detection/prevention systems (HIDS/HIPS) also include one. If a medical device ships with an operating-system or security-software firewall, make sure it is turned on. It adds a layer of protection at the device level that still applies to traffic the network firewall never sees, for example from another device on the same network segment.
The border network faces the Internet directly through a router that provides a first layer of protection. It passes traffic to the perimeter network through the perimeter firewall.
The perimeter network, also called the DMZ or demilitarized zone, is a subnetwork that contains an organization's external-facing services (also called Internet-facing systems) and exposes them to an untrusted network such as the Internet. The purpose of a DMZ is to add a layer of security to the organization's network: if an Internet-facing server is compromised, the attacker lands in the DMZ rather than on the internal network. Typically, the servers in the DMZ are "sandwiched" between the external-facing firewall and an internal-facing firewall that provides additional protection for the internal network.
External-facing systems are internal systems that can be reached from the Internet, such as cameras used by physicians to view cases or monitor patients. Healthcare delivery organizations (HDOs) typically protect these systems with two-factor authentication and encrypt the traffic (for example over a VPN) to protect the confidentiality and integrity of the data stream. Any mobile device used to reach these Internet-facing systems should be enrolled in a mobile device management (MDM) system, which can require a device passcode, enforce passcode complexity, and apply automatic-lock and remote-wipe rules.
The DMZ passes data to the internal local area network (LAN) through the internal firewall. Devices on the internal network are not directly reachable from the Internet, which removes the most direct path an outside attacker would take to internal systems.
A current practice in medical device security is to place devices that cannot accommodate certain security controls, e.g. regular patching or anti-malware, behind a network firewall and allow only the communication they need, with everything else denied by default.
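The two points above, the difference between a stateless packet filter and a stateful firewall (including the state-table saturation that makes the latter vulnerable to DoS) and the deny-by-default allow list for an isolated medical device, can be seen in a small simulation. The following Python code is an added example, not code from the original article; the addresses, ports and device roles (a device talking DICOM to a PACS, HL7 to an interface engine, and NTP to a time server) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

ANY = None  # wildcard port in a rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP connection-opening flag; ignored for udp


# Hypothetical addresses for one isolated medical-device segment.
DEVICE = "10.20.30.10"         # the medical device being protected
PACS = "10.1.1.5"              # imaging archive, DICOM on TCP 104
INTERFACE_ENGINE = "10.1.1.8"  # HL7 over MLLP on TCP 2575
NTP = "10.1.1.2"               # time source, UDP 123

# Allow list: (src, dst, proto, dport). Anything not listed is denied.
RULES = [
    (DEVICE, PACS, "tcp", 104),
    (DEVICE, INTERFACE_ENGINE, "tcp", 2575),
    (DEVICE, NTP, "udp", 123),
]


def rule_matches(rule, p):
    s, d, proto, dport = rule
    return p.src == s and p.dst == d and p.proto == proto and dport in (ANY, p.dport)


class StatelessFilter:
    """First-generation packet filter: every packet is judged on its own."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, p):
        return any(rule_matches(r, p) for r in self.rules)


class StatefulFilter:
    """Second-generation filter: remembers the sessions it has admitted."""

    def __init__(self, rules, max_states=1000):
        self.rules = list(rules)
        self.max_states = max_states
        self.states = set()  # 5-tuples of admitted sessions

    def allow(self, p):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if key in self.states or reverse in self.states:
            return True                      # known session, or its reply
        if not any(rule_matches(r, p) for r in self.rules):
            return False                     # no rule admits a new session
        if p.proto == "tcp" and not p.syn:
            return False                     # mid-stream packet of a session never seen opening
        if len(self.states) >= self.max_states:
            return False                     # state table saturated (DoS condition)
        self.states.add(key)
        return True


def demo_stateless():
    """To let DICOM replies back in, a stateless filter needs a standing
    PACS->DEVICE rule, and that rule cannot tell a reply from an unsolicited
    connection to any port on the device. Returns (reply_allowed, unsolicited_allowed)."""
    fw = StatelessFilter(RULES + [(PACS, DEVICE, "tcp", ANY)])
    reply = Packet(PACS, DEVICE, "tcp", 104, 40000)
    unsolicited = Packet(PACS, DEVICE, "tcp", 104, 22, syn=True)
    return fw.allow(reply), fw.allow(unsolicited)


def demo_stateful():
    """The stateful filter admits the reply because it saw the device open the
    session, and drops the unsolicited packet without any PACS->DEVICE rule.
    Returns (outbound_allowed, reply_allowed, unsolicited_allowed)."""
    fw = StatefulFilter(RULES)
    outbound = Packet(DEVICE, PACS, "tcp", 40000, 104, syn=True)
    reply = Packet(PACS, DEVICE, "tcp", 104, 40000)
    unsolicited = Packet(PACS, DEVICE, "tcp", 104, 22, syn=True)
    return fw.allow(outbound), fw.allow(reply), fw.allow(unsolicited)


def demo_state_exhaustion(max_states=100):
    """A burst of new sessions (a compromised device, or a spoofed source on its
    segment) fills the state table; a legitimate HL7 session is then refused
    even though a rule permits it. Returns (admitted, hl7_allowed)."""
    fw = StatefulFilter(RULES, max_states=max_states)
    flood = [Packet(DEVICE, PACS, "tcp", 10000 + i, 104, syn=True)
             for i in range(max_states + 50)]
    admitted = sum(fw.allow(p) for p in flood)
    hl7 = Packet(DEVICE, INTERFACE_ENGINE, "tcp", 50000, 2575, syn=True)
    return admitted, fw.allow(hl7)


if __name__ == "__main__":
    print("stateless (reply, unsolicited):", demo_stateless())
    print("stateful (outbound, reply, unsolicited):", demo_stateful())
    print("state exhaustion (admitted, hl7):", demo_state_exhaustion())
```

Real stateful firewalls age out idle entries and rate-limit new connections from a single source, which this toy omits, but the allow list is the shape a rule set for an isolated device should take: a handful of permitted destinations and ports, and nothing else.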
Network firewalls provide reasonable protection against external attacks, but they do not protect against attacks that originate inside the network, such as malware introduced by an infected USB drive. Scan a USB drive with anti-malware before plugging it into medical equipment. On devices that support it, disable USB AutoRun/AutoPlay so that nothing executes automatically when a drive is inserted; you can then scan the drive before opening any files on it, which prevents the infection.
Firewalls go hand in hand with micro-segmentation. For instance, a medical device with a high-risk profile can be placed in its own segment behind a firewall for an additional layer of protection; if that device is compromised, the firewall rules keep the attack from spreading to other segments.
Finally, secure web gateways complement a firewall. They inspect web traffic and block malicious sites and downloads before they reach the organization's systems, protecting against threats that originate on the Internet.
Every savvy HTM professional should understand:
- The difference between border network, DMZ and Local Area Network (LAN)
- The difference between network firewall and a host-based firewall
- Microsegmentation versus VLAN
- Secure web gateways
Inhel Rekik is director of health technology security at MedStar Health.