Going Global: Three Key Strategies for Managing International Firewalls

Friday, September 23, 2016

Avishai Wool

259aa33b32fc31717e8a18f2dc9edc19

Globalization is the new normal for most organizations today, but it can present some significant challenges - not least when it comes to managing the firewall estate across these large-scale, distributed networks.

A typical, multinational corporation, headquartered in the US may have offices and datacenters in dozens of countries around the globe. Let’s assume the organization takes a proactive, structured and logical approach to cybersecurity, and therefore protects each datacenter with firewalls. Yet all of these firewalls also have to work together cohesively, allowing network traffic to move securely between the international networks and datacenters. How do you manage this? There are three vital issues to consider.

Issue one: a matter of time

A core element of firewall management – in any context – is configuration and in particular the change control process – that is, updating firewall rules when application network connectivity is updated or changed.

However, in global networks, with applications in different countries that need to communicate and share information, this gets a little more complicated.  Imagine one common scenario: an organization has deployed a new application across its global network, so needs to implement firewall policy changes in multiple countries.  While the policy change in itself is easy enough to make, the question becomes – when exactly should it be made?

For many large organizations, policy changes are limited to specific change control windows in order to mitigate the risk of operational downtime for core applications or configuration mistakes.  Firewall policy changes therefore usually take place overnight, or at the weekend – out of high risk hours.  But in a global organization, operating across multiple time zones, those high risk hours vary from country to country.  What’s more, high traffic periods in the calendar vary too – the run-up to the Christmas holidays will be critical to a retailer in Western Europe and the US, while Chinese New Year will impact on retailers in Asia.

So businesses have a choice. They can set a single universal change control window according to when its convenient for the most important location in its network, and hope that the other locations will manage.  This is quicker but riskier.  Alternatively, they can set different change control windows in different countries, and somehow coordinate a staggered firewall change process.  This is unlikely to cause security problems part-way through the process, as legitimate traffic will most likely continue to be blocked somewhere along its path until the change has been fully implemented – but clearly this could be a significant operational issue, blocking different sites from communicating with each other.  This change management process requires careful coordination between an organization’s network operations and application delivery teams.

Ultimately, there is no simple answer to this challenge. A business needs to weigh up the risks and benefits of the two approaches, and choose the most appropriate path for the organization.

Issue two: staying within the law

Another aspect of running multiple datacenters in multiple countries is the question of multiple jurisdictions. Different nations have different laws governing the location and movement of information; Switzerland, for example, requires Swiss banking information to remain inside Switzerland, while the Australian government does not allow government or federal information to leave the country.

These laws have significant technical implications for how international enterprises organize their datacenters, whether on premise or in the cloud. Information must be segmented, siloed and protected with firewalls according to local jurisdictions, and the IT team will normally be required to manage this. Technically all the necessary segmentation can be achieved remotely or even outsourced to a service provider, but it still carries a significant organizational burden – especially for organizations migrating to cloud infrastructures, as they may be nervous about the legislative compliance implications.

We may see this in action if the Bangladesh Bank decides to press charges following the recent $81m heist via the SWIFT wire transfer network. Which police force will they go to?  Can INTERPOL help?  Even if they manage to identify the criminals, who is going to arrest them, or request extradition? 

There are, as yet, no easy answers to these issues. Ultimately organizations need to take responsibility for understanding all of the data protection laws and regulations that apply in every country where you store and transmit data – and they need to translate compliance with those regulations into proper technical, legal and compliance related actions for its IT security strategy and business.

Issue three: who else is connected?

The picture gets more complex still when businesses grant external organizations access to their networks.  At this point, it is important to note that they become part of the organizations’ information security and regulatory compliance posture.  Minimizing the risk of such external connectivity depends on implementing careful network segmentationas well as using additional controls such as web application firewalls, data leak prevention and intrusion detection.

Furthermore at some point in time businesses will have to make changes to their external connections, either due to planned maintenance work by its IT team or the peer’s IT team, or as a result of unplanned outages. Dealing with changes that affect external connections is more complicated than internal maintenance, as it will probably require coordinating with people outside the organization and tweaking existing workflows, while adhering to any contractual or SLA obligations. As part of this process, organizations need to ensure that their information systems allow its IT team to recognize external connections and provide access to the relevant technical information in the contract, while supporting the amended workflows.

Finally organizations should also ensure that they have a contract in place with third party organizations to cover all technical, business and legal aspects of the external connection.

When managing global network infrastructures, it is more important than ever to have full, real-time visibility and control of exactly how firewalls are controlling network traffic across the globe, both to maximize security and compliance, and minimize downtime. 

Possibly Related Articles:
10837
Firewalls Network->General Enterprise Security
Firewalls network traffic datacenter real-time visibility
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.