CSA CCM UEM-10
Software Firewall | Plerion

Software firewalls are an essential part of a comprehensive endpoint security strategy. They inspect network traffic, apply rules, and perform behavioral monitoring to protect endpoints from malware and attacks originating from both inside and outside the corporate network. Properly configured software firewalls, such as web application firewalls (WAF), can defend against common threats like SQL injection attacks targeting web services.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. This control, UEM-10, is part of the Universal Endpoint Management domain and focuses on the importance of properly configured software firewalls on managed endpoints. For more information on AWS WAF, check out the official documentation.

Who should care?

  • System administrators responsible for endpoint security configuration
  • Security engineers designing endpoint protection strategies
  • DevOps teams deploying web applications and services

What is the risk?

Without properly configured software firewalls, endpoints are vulnerable to:

  • Malware infections from both internal and external sources
  • Unauthorized access to sensitive data and systems
  • Attacks targeting web services, such as SQL injection and cross-site scripting (XSS)

Software firewalls can significantly reduce the likelihood and impact of these risks by filtering malicious traffic and enforcing security policies.

What's the care factor?

Endpoint security should be a top priority for any organization. Compromised endpoints can lead to data breaches, system downtime, and reputational damage. Properly configured software firewalls are a critical line of defense against these threats. While implementing and maintaining firewall rules can be time-consuming, the potential costs of a security incident far outweigh the effort required to secure endpoints.

When is it relevant?

Software firewalls are relevant in most situations where endpoints are connected to a network, especially:

  • Laptops and desktops used by remote or mobile employees
  • Servers hosting web applications and services
  • Endpoints with access to sensitive data or critical systems

However, software firewalls may not be necessary for:

  • Air-gapped systems with no network connectivity
  • Highly specialized devices with limited functionality and attack surface

What are the trade-offs?

Implementing software firewalls can come with some costs:

  • Time and effort to configure and maintain firewall rules
  • Potential performance impact on endpoints, especially with complex rulesets
  • Occasionally blocking legitimate traffic, requiring troubleshooting and rule adjustments
  • Additional software licenses or subscription costs for enterprise-grade firewalls

How to make it happen?

  1. Identify all managed endpoints that require software firewalls
  2. Select an appropriate firewall solution (e.g., native OS firewall, third-party product, or cloud-based WAF)
  3. Define firewall rules based on the principle of least privilege, allowing only necessary traffic
  4. Configure the firewall to log all blocked traffic for auditing and incident response
  5. Deploy the firewall configuration to all managed endpoints using a centralized management system
  6. Regularly review and update firewall rules to account for changes in applications and threats

What are some gotchas?

  • Ensure endpoints have sufficient resources (CPU, RAM) to run the firewall without impacting performance
  • Be aware of any software conflicts or compatibility issues with the chosen firewall solution
  • Properly test firewall rules before deploying to production to avoid blocking critical traffic
  • For cloud-based WAFs like AWS WAF, ensure the IAM user or role has the necessary permissions (e.g., wafv2:CreateWebACL, wafv2:UpdateWebACL) to manage the WAF configuration. See the AWS WAF API permissions reference for more details.

What are the alternatives?

  • Network-based firewalls can provide centralized protection but may not cover remote or mobile endpoints
  • Intrusion Prevention Systems (IPS) can complement firewalls by detecting and blocking more advanced threats
  • Application whitelisting can limit the attack surface by only allowing approved software to run

Explore further

?

Blog

Learn cloud security with our research blog