The majority of firewall managers are concerned their change management practices put their companies at risk, according to a recent survey. How does this happen? Firewalls are generally considered the first line of defense for most networks. A firewall is the first decision point that uses a set of rules to determine whether or not outside traffic can enter the network. As time goes on, the rule set, or policies, of a given firewall can grow quite large and complex, making it difficult for the firewall manager to keep track of them all.
What’s more, rules may need to be added or changed frequently to meet specific business needs, adding to the complexity of managing these policies.
This management problem grows as we move into the era of the next generation firewall (NGFW). NGFWs make it possible to associate usage of applications to specific users by examining network traffic to identify the applications and the people who are using them. The result is deeper granularity of control over the entire IT environment – and a much bigger policy management challenge for the firewall administrator.
Firewall management/audit vendor Tufin Technologies recently published the results of its annual firewall management online survey. Any CISO who reads the report should consider an immediate review of the processes and audit schedule.
Tufin surveyed 100 global managers who are directly involved in firewall management and auditing. Two-thirds of those managers lack confidence in their firewall security posture. A quarter of the respondents say their current change management processes put their organization at risk of a security breach, and 41% said their processes may be putting them at risk. Only 34% are confident enough in what they do and the processes they follow to say they don’t think their organization is at risk.
A .340 response would be great if we were talking about baseball batters – but we’re not. We’re talking about an organization’s first line of defense from the malware, viruses, denial-of-service attacks and pinpoint intrusions designed to steal valuable digital assets. If the firewall is on shaky grounds, that means that all other layers of defense have to work extra hard.
According to the survey, two basic conditions underlie the challenges of firewall management. First, nearly two-thirds of the managers don’t use an automated tool to manage configuration changes. Second – and this is strongly related to the first condition – nearly 60% say they don’t have enough time to properly perform their configuration and maintenance tasks.
As a result:
- 28% of the firewall managers don’t know when a configuration change causes network downtime or poses a security breach until they receive phone calls or emails about the issue.
- A third of the managers spend their time manually troubleshooting the firewall configuration and ruling out all other possibilities when there’s downtime or a potential for a breach.
- 59% of the managers manually dig through log information to determine how to tighten overly permissive firewall rules.
- 41% don’t know when a firewall rule needs to be recertified or decommissioned.
- 17% say they can’t locate firewall rules that overlap or are redundant; another 47% say they manually inspect the policies to sort through these issues.
- 23% have never done a firewall audit.
- 56% have no formal process for managing configuration changes, and when things get hectic, change requests are not attended to.
These statistics are quite disconcerting when you consider the serious ramifications of a breakdown in configuration management processes. The Verizon Data Breach Investigation Report cites “misconfigurations” and “omissions” (e.g., failure to apply a patch or adhere to a policy) as important factors in serious data breaches.
But the good news is that these problems can be rectified with people, processes and technology. Any CISO that sees a hint of his/her organization in the statistics above needs to do three things:
- Review the current process for maintaining the firewall configuration. Iron out the trouble spots before they cause serious problems.
- Ensure that the people charged with firewall management have the skills and resources they need to do their work effectively.
- Consider investing in a firewall management tool to bring automation to the cumbersome manual processes of maintaining rules, checking for conflicts, identifying vulnerabilities, and supporting audits and compliance requirements. These products automate the process of managing policies, which includes checking the rule set for conflicts, looking for misconfigurations of common settings, matching settings against the firewall vendor’s set of best practices, etc. In addition to Tufin, vendors in this market include AlgoSec, Athena Security , FireMon, RedSeal Systems, Secure Passage and Skybox Security. For more information,check out Network World’s product review, and CSO Magazine’s feature.
Firewalls are just one layer of security every organization needs, but they are an important layer and should be given the respect they deserve.