Firewalls have become a surprisingly neglected part of enterprise security. Every enterprise has anything from dozens to hundreds of them, yet they are often only noticed when something goes wrong. Arguably, their success has also pushed the problem to other parts of the stack, such as users and applications, which explains why firewall products have expanded their reach to encompass so many new features.
As firewalls have become more and more complex, managing them has turned from an inconvenience into a risk. This is the crux of the challenge they create: they need constant adjustment, tending and management. A firewall configuration is never finished, and if it is correct today, it won't stay that way for long.
As Jody Brazil, co-founder and former CEO of firewall management firm FireMon, describes the issue: “We started with the observation that you can buy awesome technology but it will fail to protect the enterprise if it’s not configured correctly.”
Are firewalls still important? Too many firewalls, not enough time
The growing complexity of security infrastructure has been an issue for as long as anyone can remember, but it is only recently that people have started to understand that this isn’t simply inconvenient and time consuming but has a direct effect on security. These days organisations deploy several layers of security, but firewalls remain at the heart of any network, and it is here that the complexity problem began to get out of hand.
It starts with the sheer number of firewalls some enterprises now have to manage. Organisations with anything up to 100 can count themselves lucky; according to FireMon, the largest firms might these days have thousands or even tens of thousands of firewalls doing traffic inspection. That growth is driven by ever greater network segmentation, the rise of virtual appliances in the cloud and the evolution of Software Defined Networking (SDN). A lot of the traffic these firewalls inspect is 'east-west', that is, between servers inside the datacentre rather than between the datacentre and the outside world.
It seems easy to add more virtual appliances to keep traffic from different address ranges separate, but that comes at the price of management complexity.
Solution: there is no easy way out of this one. The number of firewalls, especially virtual appliances, is set to spiral and organisations should adapt to this reality. In this context, security management is not a way of enabling security; it is security. Obsolete rules and weak, out-of-date policies must be identified and ruthlessly culled.
Firewalls have become hard to understand
The word firewall is the same as it’s always been, yet today’s appliances have quietly morphed into very different systems. On the back of the next-generation firewall and Unified Threat Management (UTM) movement, new security features were added such as intrusion prevention (IPS), application and user awareness, VPN connectivity and even anti-malware capabilities. These integrated devices were themselves an attempt to tame complexity. The confusion, of course, is that these same security layers, and new ones that keep being invented, seem to have become as important as or even more important than the core firewalling function.
Solution: the firewall is now a composite device or service amalgamating a range of security layers. It’s as if organisations had started with the firewall and built the rest of their security on top of it. Worrying about the label is futile; each of those layers needs the same configuration discipline as the packet-filtering rules.
Firewall management is an oxymoron
The treacherous zone of firewall management could consume whole seminars. The central structure of firewall security is the policy, a design challenge from which specific sets of rules emerge. The mechanics of this can quickly go wrong as organisations struggle with change management: devices, users and applications are granted access that must be revoked at a later date, and frequently isn’t. Cleaning up rule bases can be carried out through the firewall management systems that come with hardware platforms or through third-party management tools.
“New access is added but old, expired access is rarely removed. Consistent repeatable processes are lacking. Complexity grows, efficiency suffers, and probability for error and risk is greater,” comments FireMon VP of customer technology, Tim Woods.
“The biggest problem is administrators don’t have visibility into their policies to see where redundant, hidden, shadowed, overly permissive, and outdated rules are, especially if they are running different types of firewalls in their environment.”
Solution: third-party firewall management firms such as FireMon, AlgoSec and Tufin will obviously promote the benefits of specialised firewall management. The key is automation of change management. It is too expensive to have people do all of this by hand, and security teams must now let machines make some of these decisions.
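As an added illustration of what such tools look for (example code written for this page, not FireMon's, AlgoSec's or Tufin's own), the Python below runs the checks Woods lists over a small, constructed, vendor-neutral rule base evaluated top to bottom, first match wins. A rule is reported as redundant when an earlier rule with the same action already matches everything it would, shadowed when an earlier rule with the opposite action does, overly permissive when an allow rule is 'any' in at least two of source, destination and port, and expired when an expiry date recorded against the rule has passed. The rule format, the expiry field and the thresholds are assumptions; a real rule base also needs interface, direction, negation and NAT taken into account.

```python
"""Rule-base hygiene checks over a first-match (top-to-bottom) firewall policy.

The rule format is a vendor-neutral assumption made for this example; the
"expires" field stands in for an expiry date kept in a rule comment or ticket.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rid: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str                    # "tcp", "udp" or "any"
    ports: Tuple[int, int]        # inclusive destination port range
    action: str                   # "allow" or "deny"
    expires: Optional[date] = None


def net(cidr: str):
    return ANY_NET if cidr == "any" else ip_network(cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not (outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]):
        return False
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst)))


def analyze(rules, today: Optional[date] = None):
    """Return (rule id, finding, detail) tuples for a first-match rule base."""
    today = today or date.today()
    findings = []
    for i, r in enumerate(rules):
        # First-match semantics: the first earlier rule that covers this one is
        # the one that actually fires, so report against that rule and stop.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((r.rid, kind, f"fully covered by earlier rule {earlier.rid}"))
                break
        wildcards = sum([net(r.src) == ANY_NET, net(r.dst) == ANY_NET, r.ports == ANY_PORTS])
        if r.action == "allow" and wildcards >= 2:
            findings.append((r.rid, "overly-permissive", f"allow rule with {wildcards} wildcard fields"))
        if r.expires is not None and r.expires < today:
            findings.append((r.rid, "expired", f"access expired on {r.expires.isoformat()}"))
    return findings


# Constructed sample rule base (not taken from any real firewall).
RULES = [
    Rule("R1", "10.0.0.0/8", "10.20.0.10/32", "tcp", (443, 443), "allow"),
    Rule("R2", "10.1.0.0/16", "10.20.0.10/32", "tcp", (443, 443), "allow"),  # inside R1
    Rule("R3", "any", "10.20.0.0/24", "any", ANY_PORTS, "deny"),
    Rule("R4", "192.168.5.0/24", "10.20.0.50/32", "tcp", (22, 22), "allow"),  # R3 denies first
    Rule("R5", "any", "any", "any", ANY_PORTS, "allow", expires=date(2015, 1, 31)),  # "temporary"
    Rule("R6", "172.16.0.0/12", "10.30.0.0/24", "udp", (53, 53), "allow"),   # R5 already allows it
]

if __name__ == "__main__":
    for rid, kind, detail in analyze(RULES):
        print(f"{rid}: {kind} ({detail})")
```

Run against the sample, the script reports R2 as redundant (R1 already allows it), R4 as shadowed (R3 denies it before it is ever reached, so the SSH access someone asked for never actually works), R5 as both overly permissive and expired, and R6 as redundant. That last finding is the interesting one: R6 is only redundant because the "temporary" any/any rule above it was never removed, which is exactly the kind of accumulated risk Woods describes.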
Will it work come the day?
No matter how good the policies and rule sets, the real test of a firewall is how it copes on the day something goes wrong. A simple example is a DDoS attack on e-commerce infrastructure: firewalls often struggle under that kind of load and more specialised mitigation is required. But even where the firewall is used as a first-response mechanism, emergency changes are tricky to make without causing major headaches later on. Will the organisation have a good enough snapshot of the firewall at a given moment to go back to if a rapid reconfiguration has to be made under duress? Too often, organisations see snapshots only as insurance when applying software patches, not as part of everyday change management.
Solution: keep an offline backup image from which firewalls can be reinstated, so that admins neither have to start from scratch nor fear making changes in a security emergency. Take a fresh snapshot before every change, not just before patching, and test that the restore actually works before it is needed.
Logs are imperfect
Being able to make sense of log data is fundamental but is often limited by other factors. Firewalls log what has traversed the network, but they do not necessarily reveal the source or put that data into a useful context. They will offer clues, such as traffic moving in the right direction from a given server, but not the whole picture. A major security issue is simply checking who has access to the firewall itself, because repeated unsuccessful logins are often the first symptom of things going awry.
Solution: review the firewall’s own access logs as often as possible, and alert on failed administrative logins rather than waiting to notice them. Alternatively, get a specialised firewall forensic tool to do the job.
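What “look at the access logs” means in practice, as an added example that is not from the article or from any vendor: the Python below runs three detections over a few constructed lines of firewall admin-access log. It assumes the appliance forwards OpenSSH-style sshd messages to syslog, that administration is only expected from the management subnet 10.99.0.0/24, and that five failures from one source within ten minutes, or a success preceded by three recent failures from the same source, are worth an alert. The hostnames, addresses and thresholds are all invented for the example; on a real appliance the message format differs by vendor, and the parse function is the part to adapt.

```python
"""Detections over firewall admin-access log lines: brute force, success after
failures, and logins from outside the management network.

Log format, addresses and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MGMT_NETS = [ip_network("10.99.0.0/24")]   # assumed: the only source allowed to administer the firewall
LOG_YEAR = 2016                             # syslog lines carry no year
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5                          # failures per source inside WINDOW => brute force
FAILS_BEFORE_SUCCESS = 3                    # success after this many recent failures => possible compromise

# Assumed OpenSSH-style sshd line as forwarded by the appliance's syslog.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line: str):
    """Return an event dict for a login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
            "user": m["user"], "src": ip_address(m["src"])}


def detect(lines):
    """Return (finding, source ip, detail) tuples in time order."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    reported = set()                    # sources already reported for brute force
    findings = []
    for e in events:
        q = recent_fails[e["src"]]
        while q and e["ts"] - q[0] > WINDOW:      # slide the window forward
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= FAIL_THRESHOLD and e["src"] not in reported:
                reported.add(e["src"])
                findings.append(("brute-force", str(e["src"]),
                                 f"{len(q)} failed logins on {e['host']} within {WINDOW}"))
            continue
        # A successful login: was it preceded by a run of failures, and did it
        # come from somewhere administration is expected at all?
        if len(q) >= FAILS_BEFORE_SUCCESS:
            findings.append(("success-after-failures", str(e["src"]),
                             f"{e['user']} logged in to {e['host']} after {len(q)} recent failures"))
        if not any(e["src"] in n for n in MGMT_NETS):
            findings.append(("non-management-source", str(e["src"]),
                             f"{e['user']} logged in to {e['host']} from outside the management network"))
    return findings


# Constructed sample log (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Mar  1 10:02:00 fw-edge-01 kernel: link up on eth1
Mar  1 10:02:11 fw-edge-01 sshd[2211]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar  1 10:02:14 fw-edge-01 sshd[2211]: Failed password for admin from 203.0.113.45 port 51023 ssh2
Mar  1 10:02:19 fw-edge-01 sshd[2215]: Failed password for invalid user root from 203.0.113.45 port 51030 ssh2
Mar  1 10:02:25 fw-edge-01 sshd[2219]: Failed password for admin from 203.0.113.45 port 51041 ssh2
Mar  1 10:02:31 fw-edge-01 sshd[2222]: Failed password for admin from 203.0.113.45 port 51044 ssh2
Mar  1 10:03:02 fw-edge-01 sshd[2230]: Accepted password for admin from 203.0.113.45 port 51050 ssh2
Mar  1 10:15:40 fw-edge-01 sshd[2302]: Accepted publickey for netops from 10.99.0.12 port 40022 ssh2
Mar  1 11:40:03 fw-edge-01 sshd[2410]: Failed password for netops from 10.99.0.12 port 40100 ssh2
Mar  1 11:41:10 fw-edge-01 sshd[2411]: Accepted password for netops from 10.99.0.12 port 40101 ssh2
"""

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:<24} {src:<15} {detail}")
```

On the sample, 203.0.113.45 trips all three detections: five failures inside the window, then a successful admin login straight after them, from an address that should never be administering the firewall. The netops user's single mistyped password from the management subnet is below every threshold and is correctly ignored, which is the point of counting within a window rather than alerting on every failure.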
Compliance is a pain
Firewall management is part of the compliance chain, for example for regimes such as PCI DSS, HIPAA and SOX. This has become such a large-scale issue for enterprises that every element of the security infrastructure must now be able to generate automated, real-time policy compliance data at any moment in time, not simply because an audit is coming up. Firewalls need to be as ‘clean’ as possible, to relate firewall state to best practice, and to generate compliance reports that are easily understandable.
Solution: compliance is conceptually simple: how far from the desired state is the firewall at the moment it is assessed? If a compliance system is doing its job, the failures against that desired state should be easy to see, with clear remediation for each.