When was the last time you checked the most important part of your Internet defense? All that stands between you and the evils of the Internet is a single device called the Internet firewall (sometimes called the router). The firewall is a gatekeeper: it controls what can get ‘out’ to the Internet from your office network and, more importantly, what can get ‘in’ to your network from the public side. Have no idea what it’s currently configured to allow in (and whether it should)? Then this article is for you; keep reading.
Why worry about this? You have valuable information inside your Practice. All your business data including Protected Health Information (PHI in HIPAA terms) resides on your Server and computers. You don’t want strangers getting access to this data.
Your firewall was probably configured by your IT person – how many years ago? When I look back on how I configured firewalls five years ago, those settings (appropriate for the times) aren’t optimal for today’s threats. Security threats from the Internet are constantly evolving, and someone should be thinking about your defenses regularly.
If you are already a ‘believer’ and want to skip the nerd details and just want to cut to the chase on how to get it done scroll down to the ‘What to do about it’ section below.
Here are some of the things I consider when presented with this challenge:
It is critical to have a Hard Password protecting access to the management of this device. If a hacker can get into the Firewall, they can adjust it to allow anything to happen. The worst possible thing would be for the device to have the default password it came with (guaranteed the first password a hacker tries). You should keep this password documented in a safe place (not on a post-it note stuck to the firewall).
Disable Remote Management
Most firewalls have a ‘convenience’ option that allows the device to be managed from the public Internet side. Your IT person might have enabled this so they can adjust settings from the comfort of their office. This is a bad idea to have enabled – the BAD people are on the public side. The solution is simple: check to ensure this is not enabled. There is one acceptable exception to this rule – if the firewall can restrict public-side management to a single specific IP address, then it would be OK for remote management to be enabled if connections are only accepted from the office of your IT person.
Update the Firmware
All firewalls have a set of instructions that define how they operate and make their brain function. Manufacturers typically continue to improve these functions and release them as free firmware updates that can be applied to a device to bring it up to date. Often these updates include patches for vulnerabilities that were discovered, or new enhanced security features. I think it’s a good idea to keep your firewall on the latest available firmware.
From the early days of firewalls, there was a feature called DMZ (Demilitarized Zone). You would configure the DMZ feature to point to one of your internal computers and it would allow ANYTHING from the Internet to directly talk to that computer. People who didn’t understand how to configure a firewall properly to allow something specific in sometimes used this as a broad-stroke fix (just let it all in). This is a HUGE security risk, removing all the protection completely. A computer can’t survive long fully exposed on the Internet. The fix is simple: check that the DMZ feature is disabled.
The much more common technique for letting something into your network is selective port forwarding. For example, if you use Dolphin Mobile (an app on your phone that allows you to access your Practice information while out of the office), it needs to make a connection from your phone back to your database. This specific app uses one of 16,384 possible ports (think of them as possible doorways into your network through your firewall). The firewall would be configured to allow port 8085 to communicate directly with a single PC or server inside your network that runs the Dolphin Mobile Service. Only something from the Internet programmed to communicate over that one port could come in through the firewall and attempt to communicate with that single computer. This is a limited exposure.
Do you have remote access to your office using Microsoft Remote Desktop (RDP)? This was very common over the past decade since it was free and included with all versions of Windows. Setting up RDP access to a PC was as simple as making a port forward on port 3389 and telling the firewall to allow it to connect to your PC. This was awesome back then, but now it’s become an awesome liability. The problem is that EVERY hacker knows about this technique and they are actively scanning the Internet for ANYONE still using it. Once they find a firewall with the port open, they start attacking the PC, attempting to guess the username and password to log in. Humans don’t do the attack; computers are doing the attack programmatically, and it takes them very little time to try thousands of passwords. Your IT person might have tried a simple trick: changing to a non-standard RDP port, like 3390. That doesn’t fool the hackers anymore. They scan all possible 16,384 ports automatically to see if any of the doors are open (you can scan your own network using a web tool from Gibson Research called ShieldsUp). Having ANY RDP port open to the public Internet is too great a risk today, and you should look to close these ports ASAP. Consider using a tool like LogMeIn for remote access (no ports need to be opened). Alternately, you could configure a Mobile VPN solution.
All too often I find stuff that was set up years ago and forgotten, but still presents a significant security risk.
Your IT person should critically evaluate any open port forwarding and see if it’s really needed any longer, or if an alternate safer solution can be found.
Many firewalls have a feature that can be configured to allow a remote user to make a Virtual Private Network (VPN) connection to your network. This is a secure, encrypted connection and is ideal for safely accessing your network remotely. BUT it’s possible that someone set up a VPN connection for a purpose that is no longer needed. For example, maybe a Mobile VPN was created to allow remote access for that staff member you fired 5 months ago (and this should definitely be deleted).
VPNs used properly are a great thing. The defense is simple, just periodically check the list of VPNs configured and make sure they are still legitimate.
What to do about it?
At least once per year you should ask your IT person to critically review the firewall’s configuration – and adjust as appropriate. This isn’t a big deal and should take about 15 minutes for someone with the appropriate skills (they need to understand the nuances of the challenge and have the skills to know how to adjust your defenses).
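To show what the annual review above actually checks, here is an added example (my own illustration, not code from the article or from any firewall vendor) that runs the checklist items from the sections above against a constructed sample of a firewall’s settings. The dict layout, rule names, IP addresses and staff list are all assumptions; a real device exports its configuration in a vendor-specific format, so the loader would need adapting.

```python
"""Annual firewall review: flag the risks this article describes.

Added example with a constructed config; the field names are assumptions.
"""

# Constructed sample of a small-office firewall's exported settings.
SAMPLE_CONFIG = {
    "admin_password_is_default": False,
    "remote_management": {"enabled": True, "allowed_source": "any"},
    "dmz_host": "192.168.1.50",
    "firmware": {"installed": "2.1.0", "latest": "2.3.1"},
    "port_forwards": [
        {"name": "Dolphin Mobile", "ext_port": 8085, "int_port": 8085, "host": "192.168.1.10"},
        {"name": "Front desk RDP", "ext_port": 3390, "int_port": 3389, "host": "192.168.1.21"},
    ],
    "vpn_users": ["drsmith", "jdoe"],
}
CURRENT_STAFF = {"drsmith", "office_mgr"}   # constructed list from HR
APPROVED_FORWARDS = {"Dolphin Mobile"}       # forwards with a documented need
RDP_PORT = 3389


def review_firewall(cfg, staff, approved):
    """Return a list of findings; an empty list means the review passed."""
    findings = []
    if cfg["admin_password_is_default"]:
        findings.append("admin password is still the factory default")
    rm = cfg["remote_management"]
    # The one acceptable exception: management locked to a single source IP.
    if rm["enabled"] and rm["allowed_source"] == "any":
        findings.append("remote management open to the whole Internet")
    if cfg.get("dmz_host"):
        findings.append(f"DMZ fully exposes {cfg['dmz_host']}")
    fw = cfg["firmware"]
    if fw["installed"] != fw["latest"]:
        findings.append(f"firmware {fw['installed']} behind latest {fw['latest']}")
    for pf in cfg["port_forwards"]:
        # Check the internal port too: 3390 -> 3389 is still RDP exposed.
        if RDP_PORT in (pf["ext_port"], pf["int_port"]):
            findings.append(f"RDP exposed via forward '{pf['name']}' (ext {pf['ext_port']})")
        elif pf["name"] not in approved:
            findings.append(f"undocumented forward '{pf['name']}' -> {pf['host']}:{pf['int_port']}")
    for user in cfg["vpn_users"]:
        if user not in staff:
            findings.append(f"VPN account '{user}' matches no current staff member")
    return findings


if __name__ == "__main__":
    for finding in review_firewall(SAMPLE_CONFIG, CURRENT_STAFF, APPROVED_FORWARDS):
        print("FINDING:", finding)
```

Each finding maps to one checklist line; the forward named ‘Dolphin Mobile’ on port 8085 passes because it is on the approved list and is not RDP.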
Make this part of your IT Policy
I have been on a crusade of sorts to help get Practices organized to take reasonable security precautions to protect their data and help with HIPAA compliance, and this topic is one of them. In a previous post I have outlined the need for maintaining a simple IT Policy document using the example of Maple Leaf Orthodontics. I have prepared a new section called ‘Firewall Review’ that you can take and incorporate into your policy. You can download it here.
I have prepared an Annual Firewall Review Checklist as well. This is a simple form to streamline the process of the annual audit so your IT person should be able to complete it in a matter of minutes. You can download it here. With a little more effort you can turn the checklist into an Adobe PDF form to make it super easy to fill out and save each year – check out this example.
If you’d like a little help with your firewall configuration or IT Policy and its implementation, please consider MME; it’s what we do. We can customize the complete document for the steps applicable to your Practice, and take care of the IT steps to implement them (we are nerds after all). Just give us a call at 866-419-1102 or check us out online at www.mmeconsulting.com.