Three Keys to Managing Firewalls for Better Security

Tuesday, September 25, 2012

Richard Stiennon


My friend Alan Shimel has been attempting to put together a podcast debate between me and Roger Grimes, who penned a controversial piece at InfoWorld titled “Why You Don’t Need a Firewall.”

I was looking forward to this debate because I wanted to slip in the line “ain’t nuth’n dead until I say it is dead”, but that is going to have to wait until another time. Meanwhile Alan went ahead and posted.

This concept that firewalls do not provide value had its first incarnation in de-perimeterization as promulgated by the Jericho Forum. The general idea is that because network security is so hard we should give up and focus on securing all the endpoints and the data that travels between them.

But in reality we have to defend four separate domains – network, endpoint, data, and applications. I am a great believer in de-coupling the management and defense of these four domains. I even coined my three laws of simple security to reflect this.

1. A secure network assumes the hosts are hostile

2. A secure host assumes the network is hostile

3. A secure application assumes the user is hostile

Networks need firewalls the way cars need brakes. Sure there are still auto accidents and we can postulate a future of autonomously piloted vehicles but for now brakes are required on all vehicles.

To address the perceived issues with firewalls there are three suggestions I would make. Firewalls are policy driven. The administrator defines exact rules for what is and what is not allowed to pass. Like all control systems the danger comes from mis-configuration, so the greatest enhancement to firewall security comes from reducing the risk of mis-configuration.

Standardize

In the early days of firewalls it was common practice to put multiple firewalls from separate vendors inline to ensure that a vulnerability or mis-configuration in one would be caught and blocked by another. The trouble with this idea is that for every new management interface you introduce you double the complexity and cost of training, managing, auditing, and controlling.

Best practice is to standardize on a single firewall platform for your entire infrastructure. This means that you have to choose a vendor with a range of products that meet your needs from your data center down to your remote offices.

Consolidate

Just as firewall management introduces complexity so does having numerous inline security devices to perform other functions like malware detection, intrusion prevention (IPS), content URL inspection, access control, and application control. Consolidation is the biggest driver in the network security space today as demonstrated by the rapid growth of multi-function firewalls variously called UTM or NGFW.

Vendors like Fortinet, Check Point, Palo Alto Networks, Sonicwall (Dell), and Watchguard have all profited tremendously from this trend, and it explains why Cisco and Juniper, who are blind to the trend, have fallen off the cliff in network security.

Manage

Firewall infrastructures have matured over the last fifteen years. In the United States alone there are over 3,000 enterprises with over 200 firewalls they have to manage or outsource. As networks, applications, users, and devices proliferate, the firewall rule sets have grown in proportion. In the late ’90s, when I still did firewall audits, I would pore through firewall configurations that included only a couple of hundred rules.

Today I talk to administrators that have over 20,000 rules in a single firewall! The need to manage firewall policies has given rise to an industry of separate management tools. They can audit a firewall, report on unused policies, even simulate the effect of a change to the policies. They integrate with change control solutions like BMC Remedy and generate diagnostic reports that exceed the native capability of the firewall product.
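To make concrete what these policy-management tools do, here is an added example (not code from the post or from any vendor's product) that audits a small, constructed first-match rule set: it reports rules that an earlier rule fully shadows, so they can never fire, and simulates which sample flows change verdict if a new rule is inserted at a given position. Rule names, addresses and the policy itself are invented for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # inclusive (low, high) destination port range

    def covers(self, other):
        """True when every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1])

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

def shadowed_rules(policy):
    """Rules fully covered by an earlier rule: with first-match semantics they never fire."""
    return [r.name for i, r in enumerate(policy)
            if any(e.covers(r) for e in policy[:i])]

def decide(policy, src, dst, port, default="deny"):
    """First-match evaluation; returns (rule name, action)."""
    for r in policy:
        if r.matches(src, dst, port):
            return r.name, r.action
    return "default", default

def simulate_change(policy, new_rule, position, flows):
    """Flows whose verdict flips if new_rule is inserted at index `position`."""
    candidate = policy[:position] + [new_rule] + policy[position:]
    return {f: (decide(policy, *f), decide(candidate, *f)) for f in flows
            if decide(policy, *f)[1] != decide(candidate, *f)[1]}

# Constructed sample policy: first match wins, implicit deny at the end.
POLICY = [
    Rule("allow-web", "allow", "10.0.0.0/8", "192.0.2.10/32", (80, 443)),
    Rule("deny-admin-net", "deny", "10.1.0.0/16", "192.0.2.0/24", (1, 65535)),
    Rule("allow-admin-https", "allow", "10.1.5.0/24", "192.0.2.10/32", (443, 443)),
    Rule("allow-ssh", "allow", "10.1.5.0/24", "192.0.2.20/32", (22, 22)),
]
FLOWS = [("10.1.5.7", "192.0.2.20", 22), ("10.2.3.4", "192.0.2.10", 443)]
NEW_RULE = Rule("emergency-ssh", "allow", "10.1.5.0/24", "192.0.2.20/32", (22, 22))
```

Running `shadowed_rules(POLICY)` flags both admin rules: the broad `deny-admin-net` above them means the intended SSH allow never takes effect, which is exactly the kind of silent defect that grows unnoticed in a 20,000-rule policy.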

At RSA Conference 2012 I had a chance to interview Reuven Harrison, CTO and co-founder of Tufin, the largest Firewall Policy Management vendor by market share (video interview here).

Listen to Reuven to get up to speed on the state of the art in policy management.

Firewalls are an indispensable component of network security. Any report of their demise is premature. They are alive and well and growing dramatically in capability. Only through standardization, consolidation, and management will the enterprise be able to reduce complexity and cost while increasing security.

Kathleen Jungck: "Consolidation is the biggest driver in the network security space today..." Aren't we creating more single points of failure with over-consolidation? I'm hearing increasing reports from net admins who are being directed to take down NG firewalls when they are becoming bogged down by attacks just when those multiple devices would have been of the most use.