The massive “WannaCry” ransomware attack has wreaked havoc across the globe over the last several days, impacting at least 150 countries and targeting banks, hospitals, telecom providers, and government institutions. While the infosec community has a plethora of security best practices to defend against ransomware attacks, let's take a closer look at exactly what Tufin customers need to know and the steps they can take to prevent this – and other similar attacks – in the future.
Check out this video for a demo on how Tufin users can employ the policy browser to find potential exposure and possible paths that WannaCry could worm its way into.
First, some background
The vulnerability the attackers are exploiting is in the SMB component in Windows. Server Message Block (SMB) is a network protocol that provides file and printer sharing services in Windows systems. SMB may be used inside the corporate network for sharing files and printers; however, it should never be allowed beyond the corporate network.
This is so strongly recommended, in fact, that an advisory posted in January 2017 by the United States Computer Emergency Readiness Team (US-CERT) recommends blocking “all versions of Server Message Block (SMB) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.” This measure prevents the WannaCry attack and should be implemented on business and home firewalls.
How-to prevent the WannaCry attack
Configure all your perimeter firewalls (or routers) to block all inbound access as follows:
|Source||Source Port||Destination||Destination Port||Action|
|Any||Any||Any||TCP 445||Drop or Deny|
A few points to consider:
- Configure this rule on your perimeter (also known as “boundary”) firewalls. This will prevent any SMB traffic from entering or leaving the corporate network.
- Some firewalls will only offer a “port” field – in this case configure the “port” field as described in the “destination port” field above.
- For zone-based firewalls (like Palo Alto Networks and Fortinet) and firewalls that attach their policy or ACL to a network interface (like Cisco ASA), you should configure “source” to the external or untrusted zone/interface and “destination” to the internal zones/interfaces.
- The best approach is to explicitly block all inbound access to TCP 445 at the top of the rule base to avoid mistakenly opening it up by lower rules.
- We also recommend blocking port 445 on internal firewalls to segment your network – this will prevent internal spreading of the ransomware.
- Note that blocking TCP 445 will prevent file and printer sharing – if this is required for business, you may need to leave the port open on some internal firewalls.
- If file sharing is needed externally (for example, for home users), use a VPN to provide access to it.
- You may also want to block sensitive data with the host-based firewall like iptables
Tufin provides several tools that allow customers to get a bird's-eye view of their firewall policies and prepare reports for management:
Tufin's Policy Browser allows customers to:
- Quickly scan all firewalls for rules allowing TCP 445 explicitly (also through service groups)
Tufin's Policy Analysis allows customers to:
- Quickly examine all rules to determine if your firewalls allow port 445
- This feature also takes into consideration rule shadowing, so it will tell you whether the rule is really passing the traffic or whether it is shadowed from a higher rule
- If you defined network zones (in the Tufin Zone Manager), you can use them to optimize the results (hint: use a negated “internal” zone as source and the “internal” zone as destination).
Tufin's Network Topology Map allows customers to:
- Test whether traffic on port 445 can enter your networks
- If your network is properly setup, use the Interactive Path Analysis capability to examine potential routes from the internet (use 22.214.171.124 as the source) to internal networks
Tufin's Unified Security Policy allows customers to:
- Restrict access between the Internet and internal networks to prohibit TCP 445
- See violations in the SecureTrack Dashboard and the Policy Browser
- Prevent future opening of SMB ports
Steps to define a Unified Security Policy in SecureTrack:
- Log in to SecureTrack and go to Audit/Compliance
- Make sure you have your security zones defined in Zone Manager (Network/Zones) – in this example we added all internal subnets to the “lan” zone (internet is calculated automatically)
- Create a new Unified Security Policy and import this CSV file:
from zone,to zone,severity,access type,services,rule properties,flows internet,lan,high,block only,tcp 445,,,
- Under Audit/Compliance, click “preferences” for the newly created Unified Security Policy, select the relevant firewalls and assign interfaces to zones
- Go to the Network Topology Map and click “synchronize” – this will force the Unified Security Policy to recalculate.
- Now go to the dashboard and see the violations (you can also search for them in the Policy Browser).
- See more details here: https://forum.tufin.com/support/kc/latest/configure_security_policy.htm
Additionally, customers can use Tufin's REST APIs to automate the tasks above.
Wishing you perfect security.
- Article by Reuven Harrison