Mohab Gabber

Beyond the Firewall: In-Depth Defense Strategies for Blue Teams, Part 1

Let’s look at the story of an imaginary company called "DUCKS4EVER." This company provides hosting services for companies and individuals looking to rent a server in the cloud. They started out small, but Mr. Duckie, the CEO, was working so hard on the marketing strategy of the company to secure more contracts and generate more revenue, and his efforts did pay off; he secured a contract with a large company that wanted to host their new social media website on DUCKS4EVER’s servers. This new website, which was called "Ducklings2Meet," grew so fast that they started having more than 10,000 sign-ups per day. All of this was great for Mr. Duckie; the bigger Ducklings2Meet grew, the more servers it needed, which meant more revenue for the company, etc.

Now, aside from this cute success story, let’s look at the details of DUCKS4EVER’s operation, specifically, their security operations.

When DUCKS4EVER started, the whole company was comprised of 10 members. They had different skills; some worked on marketing, some on programming, some on designing the interface, and so on. But the security team was made up of just one person, Mr. Goose.

When Ducklings2Meet started growing, Mr. Goose started noticing a lot of malicious traffic hitting the website’s servers. He also noticed a lot of unsuccessful login attempts to the database servers that host Ducklings2Meet’s user data. All of this worried Mr. Goose, and he started tackling these issues one by one. Let’s look at how he actually stopped all these attempted attacks on the servers:

  1. First things first, he added a firewall to all the servers hosting the website, and he added rules to block any incoming traffic to any port except ports 22, 80, 443, and 3306. These ports are required for SSH, HTTP, HTTPS, and MySQL, respectively.

  2. The second step was to add an intrusion detection system (IDS). An IDS can be hardware or software, but Mr. Goose chose software for this one. The IDS software Mr. Goose chose was Snort, a very well-known open-source intrusion detection system that uses a rule-based language to inspect network traffic. Mr. Goose then spent a whole day configuring Snort to alert him whenever abnormal activity occurred on the network. It’s important to note that IDS software doesn’t block malicious traffic; instead, it analyzes it and alerts the human operator whenever something malicious happens.

  3. Now it was time for the intrusion prevention system (IPS). Just like the IDS, an IPS can be either hardware or software. Mr. Goose chose the hardware option this time; he ordered the device from “” and connected it to the company's network. Now, an IPS’s job is to inspect and analyze the network traffic in order to prevent any malicious activity, meaning it’s more active than an IDS, but this also means that it can affect normal users’ experiences if it’s not configured properly: the IPS can block legitimate traffic, thinking it is malicious, which is known as a false positive. So Mr. Goose had to be careful here. He configured the IPS to block any source that tries to log in to the server unsuccessfully more than 10 times in a span of 5 minutes, and he also added a rule to block traffic from any device that sends more than 100 requests per minute.

  4. Now it is time for access control. Access control refers to the measures put in place to restrict unnecessary access to resources, data, and devices. For example, an employee working on the user interface of a website won’t need access to the database server, and vice versa. So Mr. Goose made new rules for all of the company’s employees; now an employee can only access what they actually need to do their job. Also, he enforced multi-factor authentication on all accounts within the company; strong password policies were also enforced; and he even added security guards around the server room and card readers on the doors to make sure only authorized people could access the hardware of the servers.

  5. Mr. Goose thought a lot about his next step, and he decided it was network segmentation. He would split the network into different parts for each use so that if one part is compromised, the compromise does not spread to the others. He made virtual local area networks (VLANs) for each important part of the company; for example, he made a VLAN for the internet-facing servers, another isolated one for the backup servers, and another for all the workstations and the employees.

  6. Now that the company’s networks are all secured, Mr. Goose started thinking about other ways a hacker could compromise the company. He had been reading a lot lately about companies being breached because of phishing emails sent to employees. So Mr. Goose decided to enroll all employees in a cyber security course called “Cyber Security Best Practices for Ducklings." This course would help educate employees about cyber security and how to identify phishing links and malware.

  7. It is time for endpoint detection and response (EDR). Mr. Goose installed the EDR agent on all the workstations in the company so that he could monitor the activity on each employee's machine and detect any malicious action. This also enables him to isolate a device in case it is compromised so that it does not harm any other device in the network.

  8. Now that DUCKS4EVER is growing rapidly, the company is employing more and more people to take on various jobs, from marketing to programming to designing, etc., and even Mr. Goose got himself some new employees. So he decided to build a security operations center (SOC) to monitor the network and endpoints 24/7 and make sure everything was running smoothly.
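To make step 3 concrete, here is a small sliding-window detector that implements the two thresholds Mr. Goose configured on the IPS (more than 10 failed logins in 5 minutes, more than 100 requests in 1 minute). This is an added example, not code from the original post; the log line format, the event names, and the TEST-NET source addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the story: block after >10 failed logins in 5 min, or >100 requests in 1 min
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 10, timedelta(minutes=5)
REQUEST_LIMIT, REQUEST_WINDOW = 100, timedelta(minutes=1)

class ThresholdBlocker:
    """Per-source sliding windows; a source is blocked once either rule fires."""
    def __init__(self):
        self.failed = defaultdict(deque)    # ip -> timestamps of failed logins
        self.requests = defaultdict(deque)  # ip -> timestamps of HTTP requests
        self.blocked = {}                   # ip -> reason it was blocked

    def _over_limit(self, store, ip, ts, window, limit):
        q = store[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget events older than the window
            q.popleft()
        return len(q) > limit

    def observe(self, line):
        # Constructed log format (hypothetical): "<ISO timestamp> <source ip> <event>"
        ts_s, ip, event = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_s)
        if ip in self.blocked:            # already blocked: nothing more to decide
            return self.blocked[ip]
        if event == "LOGIN_FAIL" and self._over_limit(self.failed, ip, ts, FAILED_LOGIN_WINDOW, FAILED_LOGIN_LIMIT):
            self.blocked[ip] = "brute-force"
        elif event.startswith("GET ") and self._over_limit(self.requests, ip, ts, REQUEST_WINDOW, REQUEST_LIMIT):
            self.blocked[ip] = "rate-limit"
        return self.blocked.get(ip)

def run(lines):
    """Feed log lines in order; return {ip: reason} for every source the IPS would block."""
    blocker = ThresholdBlocker()
    for line in lines:
        blocker.observe(line)
    return blocker.blocked

def sample_lines():
    """Constructed traffic (TEST-NET addresses) exercising both rules and one near miss."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(20 * i)} 203.0.113.5 LOGIN_FAIL" for i in range(11)]    # 11 fails in 200 s: blocked
    lines += [f"{stamp(36 * i)} 203.0.113.6 LOGIN_FAIL" for i in range(11)]   # 11 fails over 360 s: never 11 in any 5 min
    lines += [f"{stamp(0.3 * i)} 203.0.113.7 GET /feed" for i in range(101)]  # 101 requests in 30 s: blocked
    return lines
```

The near-miss source shows why the window matters: the same number of failures spread over six minutes never trips the rule, which is exactly the tuning that keeps false positives down.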

After all this, Mr. Goose feels tired and exhausted. He worked nonstop for weeks to make sure no breaches would happen and that the growth of the company would go undisturbed. But is this the case? Will everything go smoothly?

Let’s Find Out In The Next Part 😉
