Haste makes waste; out-of-process firewall changes cause system outages, AlgoSec survey reports

April 16, 2012

Posted in: Network Security Trends

Enterprises have change management processes for a reason. When you “just get it done” without appropriate approvals, notification and testing, bad things tend to happen. Firewall configuration or rule changes that don’t follow procedure are liable to open up security holes or inadvertently shut off access to critical systems and applications. In fact, in a recent survey conducted by firewall management vendor AlgoSec, more than half (54.5%) of the respondents reported that out-of-process firewall changes had resulted in system outages.

Over time, firewalls become very complex, with labyrinthine rule sets, including vestigial rules and possible conflicts, even in fairly small networks. The problem is exacerbated in large, distributed, often heterogeneous networks with hundreds, even thousands of firewalls. In mature organizations, change requests go to a review body, which is supposed to assure the proper approvals are obtained and that configuration and rule changes are vetted to make sure they work as advertised without breaking things.

In point of fact, these procedures are not well developed or assiduously followed at many organizations. Business pressures — granting access to new partners, supporting new applications and business initiatives, etc. — may trump due process and security. And, testing firewall changes is no mean feat. Enterprise firewall management has become complex to the point where it is effectively beyond the skills of mere humans.

Hence the market for firewall management (also sometimes called firewall audit) tools, which replace manual testing with automation, ferreting out existing issues and preventing new ones. Process automation is a key component of these tools, and they typically include workflow capabilities and/or integrate with third-party workflow/change management products, ticketing systems, etc.

(Other vendors include FireMon, Tufin Technologies, Athena Security and Skybox Security.)
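As an added illustration of the kind of check these audit tools automate (example code written for this page, not AlgoSec's or any other vendor's): a first-match rule list is scanned for rules that an earlier rule fully covers, which are either vestigial (same action) or unreachable conflicts (different action). The rule fields and the sample policy are constructed for the example.

```python
# Added example (not AlgoSec's or any vendor's code): find rules in a
# first-match firewall policy that an earlier rule fully covers, so they
# never fire. Same action = vestigial/redundant; different action = conflict.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive (low, high) destination port range

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]

def find_shadowed(rules):
    """Return (shadowed, shadowing, kind) for each rule that can never match."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break   # the first shadowing rule is enough to explain the finding
    return findings

# Constructed sample policy (hypothetical addresses, not from the article)
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", "10.0.0.0/8", "192.168.10.0/24", (443, 443)),
    Rule("R2", "deny", "tcp", "10.1.2.0/24", "192.168.10.5/32", (443, 443)),  # never blocks
    Rule("R3", "allow", "tcp", "10.1.0.0/16", "192.168.10.0/24", (443, 443)),  # vestigial
    Rule("R4", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),           # cleanup rule
    Rule("R5", "allow", "udp", "10.0.0.0/8", "192.168.20.0/24", (53, 53)),     # placed too late
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{shadowed} is shadowed by {by} ({kind})")
```

Run on the sample policy it reports R2 and R5 as conflicts that never take effect and R3 as a redundant rule; a change request that relies on any of them would pass a naive review and still misbehave in production.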

The survey — conducted among 182 security and IT operations personnel at this year’s RSA conference — paints a picture of broken or inadequate processes, exposing the systemic issues that can result in outages, security problems and other difficulties. Nearly one third cited manual processes as the greatest challenge in managing network security devices. Another 15.6% reported poor change management processes, and 10% cited error-prone processes that introduce risk.

The balance of the survey dealt largely with next generation firewalls (NGFW), which introduce very fine-grained application and identity context, along with a fair amount of additional complexity. That complexity appears to add management overhead, according to the survey. More than three-quarters of the respondents said NGFW added more work to their management processes, but 84% believe NGFW improves their security, so the extra burden seems to pay off. As NGFW have gained market share, the firewall management vendors have been adding next generation firewall support, at first for the key players in the market such as Palo Alto and Check Point, to help offset the management complexity.
