Compliance Pressures Fuel Adoption Of Firewall Auditing Tools

PCI, staffing cuts are driving organizations to rein in their firewall policies and change processes with automation tools

Misconfigured firewalls are more common than you'd think: With the massive number of firewall rules that accrue in a large network and the typically manual process, mistakes happen, and often.

But with increasing pressures in compliance and budget cuts, the relatively young firewall auditing and management market has been quietly catching fire as a way to get a handle on firewall policies and to automate a traditionally laborious and error-prone process.

"There are tens of thousands of Cisco firewall rules," says Jody Brazil, Secure Passage president and CTO. And that's just for Cisco firewalls -- organizations with a mix of vendors' firewalls have even more challenges tracking policies and how they interact, and the mix of functions in today's firewalls (think IPS) also complicates configuration. "The complexity makes it impossible to understand what you've got deployed in the environment," Brazil says. "People are failing audits."

In most data breach investigations, misconfigured firewalls are found in the victimized network -- as many as 80 percent, according to a newly released report by Forrester Research that points to data from PCI auditing firms and credit card brands.

The danger of a misconfigured firewall or the inability to track changes, of course, is a hole left open to the network either because it has been overlooked or because one policy change inadvertently conflicted with another. "Any rogue firewall admin can give himself or herself access," says John Kindervag, a senior analyst with Forrester.

Enterprises, meanwhile, are finding auditors cracking down on firewalls, looking for more detailed information about their policies and change management. The Payment Card Initiative (PCI) Requirement 1.1.6 specifically calls for an audit of firewall and router rules at least every six months. That PCI requirement is the biggest driver for enterprises adopting firewall auditing tools, Kindervag says. They need the tools because they haven't properly maintained and managed their firewall rule sets, which are "now too unwieldy to deal with," he says. Forrester is seeing an increase in the adoption of these tools, he says.

Todd Ferguson, enterprise information security architect for Raymond James, which runs Secure Passage's FireMon auditing tool, says firewall audits used to be just a "checkbox," but no more.

"Auditors are more technical now, and more detailed, looking down to the policy change management information of what went with what, who owns it, when was it [set, etc.]," Ferguson says. "We had ended up with three areas for storing [firewall] policy...It was a challenge to keep them updated and in sync."

Ferguson says the FireMon auditing tool includes a rule-writing scanner that keeps policies "in good condition." A workflow function that ties into the "who" in a policy or rule would be helpful as well, he says. Secure Passage recently rolled out version 5.0 of its FireMon product, which, among other features, documents the life cycle of a rule and provides a PCI compliance framework.

Firewall auditing tools also give IT and network security teams a way to put some of the policies back into the hands of the business side. "[Before] at the end of the day, my name was on every single firewall policy. But these tools are letting me put the ownership back on the business," Ferguson says.

So if the finance group needed a port opened for a Bloomberg feed, they would have to justify it; once the feed contract was up and they no longer needed access through that port, they would have to justify keeping the firewall rule open, he says.
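The two failure modes the article describes, a later rule silently overridden by an earlier one and a rule whose business justification has lapsed, are what a rule-set audit has to surface. The following is an added illustration, not code from the article or from any of the vendors named: it evaluates a constructed first-match rule set, flags rules that can never fire (shadowed by a same-action rule, or in conflict with an opposite-action rule), and flags rules whose owner-supplied justification date has passed. All rule IDs, addresses, ports, owners and dates are invented.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

@dataclass
class Rule:
    rid: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    ports: tuple           # (low, high), inclusive destination-port range
    owner: str             # business owner who justified the rule
    expires: date          # date by which the owner must re-justify it

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False))
            and ip_network(inner.dst, strict=False).subnet_of(ip_network(outer.dst, strict=False))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])

def audit(rules: list, today: date) -> list:
    """First-match evaluation: a rule fully covered by an earlier rule never fires.
    Same action -> 'shadowed' (dead weight); opposite action -> 'conflict' (the earlier
    rule defeats the later rule's intent). Past-due justifications -> 'expired'."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "shadowed" if earlier.action == rule.action else "conflict"
                findings.append((rule.rid, kind, earlier.rid))
                break
        if rule.expires < today:
            findings.append((rule.rid, "expired", rule.owner))
    return findings

# Constructed sample rule set (documentation address ranges, invented owners and dates).
RULES = [
    Rule("R1", "allow", "10.20.0.0/16", "203.0.113.10/32", (8194, 8194), "finance", date(2019, 12, 31)),
    Rule("R2", "allow", "10.20.0.0/16", "203.0.113.0/24", (1, 65535), "netops", date(2020, 12, 31)),
    Rule("R3", "allow", "10.20.5.0/24", "203.0.113.0/24", (443, 443), "web-team", date(2020, 12, 31)),
    Rule("R4", "deny", "10.20.0.0/16", "203.0.113.99/32", (22, 22), "secops", date(2020, 12, 31)),
]
AUDIT_DATE = date(2020, 1, 15)  # constructed "today" for the review

def run_audit() -> list:
    return audit(RULES, AUDIT_DATE)

if __name__ == "__main__":
    for rid, kind, detail in run_audit():
        print(f"{rid}: {kind} ({detail})")
```

R4 is the case the article warns about: the broad allow in R2 means the later deny never takes effect, so the hole stays open even though a deny rule is on the books.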

Ruvi Kitov, CEO for Tufin Software Technologies, which he and other ex-Check Point Software engineers founded, says he and his colleagues saw a need for firewall management. "PCI is a huge driver for customers who don't want to make any changes in their [policies] that make them noncompliant," Kitov says. "Another huge driver is automation. If you have a quarterly PCI audit, you can do it in a half an hour [with Tufin's product]."

So far, the big firewall players have stuck with providing management for their own tools, and only Check Point has some firewall auditing features in its Eventia product, according to Forrester. "If a major vendor wants to get into this, they would probably just buy one of the start-ups," Kindervag says. "They probably won't venture very far here, as it will require them to support other vendors in most cases."

Among the vendors in this market are AlgoSec, Athena Security, LogLogic, ManageEngine, Matasano Security, RedSeal Systems, Secure Passage, Skybox Security, and Tufin.

It remains to be seen, however, just how these tools will be integrated with other security management products, such as SIM/SIEM. And they add yet another management tool for enterprises to use and monitor. At least one vendor, LogLogic, integrates with SIEM tools. But it may not be as attractive for vendors to integrate as it is for customers: "I would hope that these tools evolve into full management suites that include SIM, device configuration, and threat modeling features. Vendors may be economically disincented to do so, however," Kindervag says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
