"[Firewall sprawl] increases complexity, and complexity tends to result in human error," Rothman says. "Human error results in configuration errors, which will let attack traffic through. Yes, some of the firewalls do have light audit capabilities to make sure an admin doesn't do something totally stupid. But, ultimately, with a couple hundred devices to manage, errors are going to happen."
Many companies don't test new firewall rules and configurations before deploying them, and most have no clear sense of the risk they take on if a configuration decision turns out to be wrong, experts say.
"Most enterprises have some sort of 'change review board,' where the people who set the policies meet the people in operations to discuss the potential impact of a change," Lloyd notes. "But how many of these boards can really assess risk? Do they really understand the potential impact of poor configuration on the business? In most cases, they don't."
With so many configuration errors happening all the time -- and so much potentially sensitive data riding on them -- it's not surprising that a cottage industry is forming around security change and configuration management. Companies like AlgoSec, RedSeal, Tufin, and Skybox are all attempting to crack the enterprise firewall configuration problem, although some are nuts-and-bolts operations tools, while others offer a broader, single-console view of the status of these security systems, sometimes called security posture management (SPOM).
Rothman says the emerging generation of firewall configuration tools has appeared because most of the management tools offered by the firewall vendors are short on functionality and often don't work in multivendor environments.
"The reality is the only reason there is a market for 3rd party firewall management tools is because the firewall vendors screwed it up," Rothman says. "There are lots of nice capabilities offered by these tools, especially for the big companies that have to manage hundreds of devices. The tools aren't cheap, but if screwing up the firewall config adds significant risk, or you can deploy people to do other activities, then it may be worth it."
Cisco's Dreyer, not surprisingly, doesn't share Rothman's assessment of firewall vendors' tools, but he does agree there is real value in the third-party software emerging in the change and configuration management space. In fact, the company is planning a policy management "ecosystem" of development APIs in the coming year that will help third parties interface with Cisco's network and firewall management systems.
"The work that companies like Tufin, AlgoSec, and Skybox are doing on policy migration can be really helpful in companies that have mergers and acquisitions," Dreyer observes. "A company that does an acquisition and ends up migrating 1,400 firewalls needs some help with the policy life cycle."
Chris King, director of product marketing at next-generation firewall maker Palo Alto Networks, offers another alternative: moving away from current firewall technology and toward application-aware firewalls that might be easier to manage in the long run.
"I have seen enterprises that have 1,500 policies on a Check Point firewall," King says. "The way traditional firewalls are set up, you're always looking at what you need to deny. If you move to an application-based firewall, you might allow 100 apps, but you'd still have only 100 rules."
"Given that everything is encapsulated in a standard port, clearly a firewall that can only set policies based on ports/protocols is inherently limiting," Rothman says. "So on that point, we agree with Palo Alto Networks. The question is how you get there. Firewalls plus IPS-based application rules can be a decent interim step as opposed to rip and replace, though this approach will have scaling issues.
"But there is no question application awareness on the firewall is a critical capability today and will be more important tomorrow," he adds. "We expect all the firewall vendors to be moving in this direction. Firewall admins will need to evolve as well, since setting application policies is totally different than setting ports/protocols-based policies."
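The two points above can be made concrete. The following is an added example for this article, not code from any of the vendors named (AlgoSec, Tufin, Skybox, RedSeal, Cisco, or Palo Alto Networks): a small pre-deployment check of the kind a change review board could run before a rule goes live. It flags shadowed rules (a later rule that an earlier rule already covers, so it never fires) and any/any/any allows, and then runs the same two constructed flows through a port-based rulebase and an application-aware one. All rule names, addresses, and application labels are constructed for the example; the "app" field stands in for whatever application identification a real next-generation firewall performs.

```python
"""Constructed firewall rulebase checks (example added to the article, not vendor code).

Checks: shadowed rules, any/any/any allows, and a first-match evaluator that
contrasts a port-based rulebase with an application-aware one on the same flows.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # "443", "1024-65535" or "any"
    app: str     # application label (app-aware firewalls) or "any"
    action: str  # "allow" or "deny"


FIELDS = ("src", "dst", "proto", "port", "app")


def _port_range(p):
    """'any' -> (0, 65535); '443' -> (443, 443); '1024-65535' -> (1024, 65535)."""
    if p == "any":
        return (0, 65535)
    lo, _, hi = p.partition("-")
    return (int(lo), int(hi or lo))


def _covers(field, a, b):
    """True when rule value `a` covers value `b` for the given field."""
    if a == "any":
        return True
    if b == "any":
        return False
    if field in ("src", "dst"):
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
    if field == "port":
        alo, ahi = _port_range(a)
        blo, bhi = _port_range(b)
        return alo <= blo and bhi <= ahi
    return a == b  # proto and app compare by exact label


def rule_covers(a, b):
    """True when every flow matched by rule `b` is also matched by rule `a`."""
    return all(_covers(f, getattr(a, f), getattr(b, f)) for f in FIELDS)


def shadowed_rules(rules):
    """(shadowed, by) pairs: a later rule fully covered by one earlier rule.
    Limitation kept for brevity: a rule hidden by the union of several earlier
    rules is not detected."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def any_any_allows(rules):
    """Allow rules with no source, destination, port or application constraint."""
    return [r.name for r in rules if r.action == "allow"
            and r.src == "any" and r.dst == "any"
            and r.port == "any" and r.app == "any"]


def _flow_matches(rule, flow):
    """Match one constructed flow (host addresses, single port) against one rule."""
    return (_covers("src", rule.src, flow["src"] + "/32")
            and _covers("dst", rule.dst, flow["dst"] + "/32")
            and _covers("proto", rule.proto, flow["proto"])
            and _covers("port", rule.port, str(flow["port"]))
            and _covers("app", rule.app, flow["app"]))


def evaluate(rules, flow):
    """First-match semantics with an implicit deny at the end of the rulebase."""
    for r in rules:
        if _flow_matches(r, flow):
            return r.action
    return "deny"


# Constructed port-based rulebase. "block-lab" is the classic human error: the deny
# for 10.1.2.0/24 sits after the allow for 10.0.0.0/8, so it can never fire.
PORT_RULES = [
    Rule("web-out",   "10.0.0.0/8",  "any", "tcp", "443", "any", "allow"),
    Rule("block-lab", "10.1.2.0/24", "any", "tcp", "443", "any", "deny"),
    Rule("temp-any",  "any",         "any", "any", "any", "any", "allow"),
]

# Constructed application-aware rulebase: allow the application, not the port.
APP_RULES = [
    Rule("web-out-app", "10.0.0.0/8", "any", "tcp", "any", "web-browsing", "allow"),
]

# Constructed flows: both ride tcp/443; only the identified application differs.
BROWSER = {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "port": 443, "app": "web-browsing"}
TUNNEL = {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "port": 443, "app": "ssh-tunnel"}


def report(port_rules=PORT_RULES, app_rules=APP_RULES):
    """Summary a pre-deployment check would hand to the change review board."""
    return {
        "shadowed": shadowed_rules(port_rules),
        "any_any_allows": any_any_allows(port_rules),
        "port_rules": {"browser": evaluate(port_rules, BROWSER), "tunnel": evaluate(port_rules, TUNNEL)},
        "app_rules": {"browser": evaluate(app_rules, BROWSER), "tunnel": evaluate(app_rules, TUNNEL)},
    }


if __name__ == "__main__":
    print(report())
```

Running it reports "block-lab" as shadowed by "web-out" and "temp-any" as an any/any/any allow, and shows the port-based rulebase allowing the tunnel on 443 while the application-aware rulebase allows only the browser flow. The coverage test is deliberately single-rule; the commercial tools cited in the article also reason about unions of rules, NAT, and multi-hop paths, which this example does not attempt.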