Poorly Managed Firewall Rule Sets Will Flag An AuditAuditors and compliance managers alike are depending on firewall management principles and tools to cut through the complexity
As the complexity of the IT topography continues to increase along with the number of firewalls deployed, the typical enterprise firewall rule set stands as a confusing rat's nest of contradictions and insecure configurations.
Not only does the state of these rules expose enterprises to undue risk, it inevitably throws it out of compliance. Auditors are getting wise to the problems posed by unmanaged firewall rules. Here's why you should, too.
Firewalls aren't going anywhere.
The predicted demise of the firewall from security pundits several years ago may have been a bit, shall we say, premature. Today, not only does the firewall still stand as one of the most ubiquitous security tools deployed within the enterprise, but most organizations are doubling down on their firewall strategies with the advent of the next-generation firewall.
"Firewalls aren't going away. If anyone says they are, then how can they explain Palo Alto going [public] and firewall vendors continuing to make tons of money hand-over-fist?" says Sam Erdheim, director of marketing at AlgoSec. "If anything, we're seeing the evolution of firewalls, next-gen, and Web application firewalls, and that sort of thing. But the concept of the firewall is still there and that's not changing anytime soon."
But the growing irony is that even though the lowly firewall's renovation of its rep within the security world has largely been driven by compliance mandates such as PCI, the growth in volume of firewalls within the enterprise often stands to put organizations at even more risk of failing a security audit.
"The core of network complexity begins with a firewall. If you speak to a compliance manager that's not technical, or you speak to management who has been told that they are in compliance and therefore secure, everything's good," says Kevin Beaver, founder and principal information security consultant for Principle Logic. "Everything's hunky-dory, we're secure, and [there's] nothing to worry about -- all's well in IT. Then you go in and test any given environment. You can even look at the firewall rule base and point out all sorts of flaws: system configuration, weak passwords, network segments that shouldn't be talking to one another, and ports that are open. I often see database servers that are sitting out on the public Internet wide open for attack."
State of the rule set: shambles.
So how has the current rule set broken down? It's kind of like the old quote from Hemingway: It happened two ways, gradually, then suddenly. First, the slow devolution. As security consultant and auditor Mark Jones puts it, because so many firewalls have been in place for so long, network administrators have built up an accumulation of hastily devised rules to satisfy business needs on-the-fly.
"On an average week, inside an enterprise-type business out there, a Fortune 500 [is] making anywhere from 10 to 15 changes a week to their firewall," says Jones, CEO of SOS Security, explaining that many of these are made when a line-of-business leader needs an exception to be made to address an immediate critical business need. "It's such a hasty decision, and it's rarely followed back up on to make the change back to where the firewall was before."
The culmination of many years of these hasty decisions has snowballed, says Michael Hamelin, chief security architect and evangelist for Tufin Technologies.
"Around 15 or 16 years ago when I started, we talked about the top 10 rules you should see in your firewall. I remember an article with that title," Hamelin says. "Today, most firewalls have hundreds, if not thousands, of rules, and it's not unusual to have firewalls with tens of thousands. Even a couple of customers I know have are over 100,000."
And the advent of the next-generation firewall is likely to just make the complexity even worse, Erdheim says.
"It's not like they're ripping out all their traditional firewalls and replacing them with next-gen firewalls. What they're probably doing is strategically putting in next-gen firewalls in certain segments of the network where they need that granular control," he says. "So then you've got different types of firewalls in your environment from different vendors. So how do you pull all those things together? If you don't have some way to standardize or normalize the management of these different firewalls, then you basically have to have a separate resource just to manage the next-gen firewalls -- in addition to all the time to manage the rest of the firewalls."
Human mind can't handle the scale.
As the number of rules within the typical enterprise firewall environment increases exponentially, it's becoming increasingly apparent that manual management of firewall configurations aren't going to fly anymore. The human brain simply can't handle the scale, Hamelin says.
"The sheer number of rules becomes a complexity that is well more than you can deal with as a human," he says. "We like to say our human brains are pretty good, but I think 65,000 lines printed on paper -- just at the average reading rate if you read it from beginning to end -- is about 40 hours of reading of over 1,000 pages. You can't audit and understand the compliance of that from end to end."
As a result of this problem, consulting and auditing firms such as Principle Logic and SOS Security have taken to using automated firewall management tools to uncover firewall rule problems that would have otherwise gone undetected by manual methods.
"Just recently, I was working on an assessment where we ended up using the AlgoSec firewall analyzer product, and we uncovered some issues that the external assessment didn't find," Beaver says. "Neither did the internal assessment, but these were big issues. These were not like default settings, but really basic, stupid configuration issues -- things that could have been exploited by a malicious insider, an outsider, whatever."
Jones, for his part, uses Tufin's tool to such great effect that every assessment his firm has done has found critical issues that needed to be addressed. "They find out that their rule base is in such shambles that they often say, 'Hey, not only do we need to do this annually, we probably need to do it every quarter," Jones says.
According to Jones, not only are there compliance benefits to such a practice, but the residual operational benefits are nothing to sniff at, either.
"The throughput on their firewalls run so much cleaner and so much faster to where firewall administrators who once said, 'We need to upgrade the firewall,' realizes that it's not that they needed new firewalls, it's just that they had too many damned rules," Jones says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.