2/27/2013
08:58 AM

Segmentation Can Increase Risks If Firewalls Aren't Managed Well

The multiplication of internal firewalls to comply with regulations and minimize risk to critical databases and applications has created a rat's nest of firewall configuration issues

SAN FRANCISCO -- RSA CONFERENCE 2013 -- As enterprises increasingly turn to network segmentation to limit exposure to sensitive applications and databases, the IT law of unintended consequences is rearing its ugly head. According to IT administrators, the very tools that allow them to create safe network zones -- namely, the firewalls -- are actually introducing a new crop of security and operation problems to the overall IT risk equation.

All of that slicing and dicing of the network has piled on more internal network firewalls than ever; with the constant flux in application and network configuration, it's not unheard of for enterprises to manage a snarled mass of hundreds of thousands, or even millions, of firewall rule settings on a daily basis. It's a task so overwhelming that a single firewall manager, or even a whole team, simply can't keep up.


"No human can look at that and know what the firewall is doing. Nobody can get a good feel for what traffic it's actually controlling," says Jody Brazil, president and CTO of Firemon, a firewall management firm. "All of a sudden, you started with a technology to limit risk, but you no longer know what risk that it's controlling."

Consequently, the act of segmentation that some enterprises have turned to for hardened security is actually introducing misconfiguration risks -- and even raising the potential for breaking revenue-generating applications critical to the business.

"The challenges faced by the firewall management team are so difficult, they simply don't have time to do everything they're supposed to do, and the only way they meet deadlines is to start cutting corners," says Ruvi Kitov, CEO of firewall management vendor Tufin Technologies. "They've got such tight deadlines that sometimes they make mistakes. And on a firewall, a mistake can be tragic."

Yesterday at RSA, Tufin released the results of a survey that showed how those shortcuts in manual firewall management processes are taking their toll on IT operations. In a poll of 200 administrators, approximately 62 percent reported that their firewall-rule change management processes put them at risk of a breach. According to firewall management experts, today's highly segmented networks, the addition of next-generation firewalls, and the necessary coupling of firewalls with specific application-centric network zones have pushed these tools well beyond their initial perimeter defense objectives.

"Back in the good, old days when there was just one firewall and the perimeter, if you needed to make a change or to enable something, you went to that firewall and put it in a rule or edited a rule, and that was it," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, a firewall management automation firm. "Now if you want to enable some sort of connectivity from A to B on the network, just understanding what firewalls are in the path that you want to enable can be pretty complex."

As a result, many firewalls are misconfigured with rules broader than necessary, says Brazil, who believes that part of the problem lies at the feet of firewall vendors that have not offered administrators tools to create effective policies.

"They have provided fantastic tools to create rules. It's really simple to create a rule in one place and distribute [that rule] across a huge firewall infrastructure," Brazil says. "But making sure that it is a correct rule, they've done a very poor job of."

This deficiency has particularly wreaked havoc in the highly dynamic applications world. According to Tufin's survey, a third of organizations make 100 or more application-related firewall changes a month. Approximately 55 percent of all organizations say that their application connectivity management processes might create unnecessary IT risk. And 47 percent say that application-related rule changes did or may have resulted in a breach. This tracks with a statement from Gartner last fall that through 2018, more than 95 percent of firewall breaches will be caused by firewall misconfigurations.

But not only are these firewall management woes greatly increasing the chances of data breaches and exposures, they're also gumming up the operational works in the application delivery life cycle.

"Ramping up a new business application takes a lot of time. That's on the business agility or operations side. The flip side is when that application is decommissioned, the access it needs is not going to go away," says Reichenberg, adding that before one of his financial customers started using firewall management automation, it had to make its applications teams wait a full 30 days before any new applications went live in order to check on firewall rules and interdependencies. "Because of this complexity, everybody is afraid to remove the firewall rules because god knows what you're going to break. If I move the extra application A, application B might stop working as well. I have no idea how this interrelates and interconnects."

According to the Tufin survey, about 42 percent of respondents track application connectivity changes through the comments section of the firewall rule base, and approximately one in six organizations don't even track these changes at all. This is causing downtime and disruption in many critical applications throughout the enterprise. Approximately 70 percent of survey respondents experience application service disruptions up to 20 times per year due to firewall configuration changes.

"For example, we've seen cases where somebody made a configuration mistake, a bank's ATM system went down, and several thousand ATMs were down for a day until they found the configuration error," Kitov says. "You can imagine how painful that was for the IT department and how much revenue they lost as a result."

ODA155
2/28/2013 | 7:49:32 PM
re: Segmentation Can Increase Risks If Firewalls Aren't Managed Well
I have a few suggestions for management and individuals responsible for firewall administration.

1st. Write useful and meaningful policies that have clear and effective goals regarding firewall placement, management and maintenance; make sure your admins and other managers acknowledge they understand those policies, then enforce them.

2nd. Use configuration standards that make sense and don't get cute... make sure that your people understand what they're doing... then enforce... review them.

3rd. Stop letting those vendors sell you on the "what's hot out there" and what everybody else is using.

4th. When changes are made or new rules are added, make sure they are appropriate and that they do provide the required amount of security... Don't just add the new rule or adjust an old rule; build the rule from scratch, and once you know it does what it is intended to do, kill and remove the old rule... you have backups.

5th. PERIODICALLY REVIEW ALL FIREWALL RULES!
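The article's three recurring problems (rules broader than necessary, application-related changes that nobody tracks, and access that lingers after an application is decommissioned) and the commenter's "periodically review all firewall rules" step are the kind of check that can be automated over an exported rule base. The following is an added example, not code from Dark Reading, Tufin, FireMon, AlgoSec, or the commenter; the `Rule` layout, the application tag convention and the sample rules are constructed for illustration, and it assumes first-match semantics and an IPv4 rule base.

```python
# Added example: a minimal firewall rule-base review that flags overly broad
# rules, shadowed rules (never hit, because an earlier rule already matches
# all their traffic), rules with no application tag, and rules tagged to an
# application that is no longer in the active inventory.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:            # constructed layout; real exports vary by vendor
    name: str
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    port: str          # "any", a single port, or "lo-hi"
    action: str        # "allow" or "deny"
    app: str           # application tag from the rule comment, "" if untracked


def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


def _ports(p):
    if p == "any":
        return (0, 65535)
    lo, _, hi = p.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    olo, ohi = _ports(outer.port)
    ilo, ihi = _ports(inner.port)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and olo <= ilo and ihi <= ohi)


def review(rules, active_apps):
    """Return {rule name: [findings]} for every rule that needs attention."""
    findings = {}
    for i, r in enumerate(rules):
        notes = []
        if r.action == "allow" and r.src == r.dst == r.port == "any":
            notes.append("overly broad: allow any/any")
        if any(covers(prev, r) for prev in rules[:i]):
            notes.append("shadowed: an earlier rule already matches all its traffic")
        if not r.app:
            notes.append("untracked: no application tag")
        elif r.app not in active_apps:
            notes.append(f"stale: application '{r.app}' is decommissioned")
        if notes:
            findings[r.name] = notes
    return findings


SAMPLE_RULES = [  # constructed sample rule base
    Rule("r1", "10.0.1.0/24", "10.0.9.10/32", "443", "allow", "payments"),
    Rule("r2", "10.0.1.5/32", "10.0.9.10/32", "443", "allow", "payments"),
    Rule("r3", "10.0.2.0/24", "10.0.9.20/32", "1433", "allow", "legacy-crm"),
    Rule("r4", "any", "any", "any", "allow", ""),
]
ACTIVE_APPS = {"payments", "hr-portal"}  # constructed application inventory
```

Running `review(SAMPLE_RULES, ACTIVE_APPS)` flags r2 as shadowed by r1, r3 as tied to a decommissioned application, and r4 as both any/any and untracked, while r1 passes.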
