
Attacks/Breaches

8/3/2009
05:23 PM

Compliance Pressures Fuel Adoption Of Firewall Auditing Tools

PCI, staffing cuts are driving organizations to rein in their firewall policies and change processes with automation tools

Misconfigured firewalls are more common than you'd think: With the massive number of firewall rules that accrue in a large network and the typically manual process, mistakes happen, and often.

But with increasing pressures in compliance and budget cuts, the relatively young firewall auditing and management market has been quietly catching fire as a way to get a handle on firewall policies and to automate a traditionally laborious and error-prone process.

"There are tens of thousands of Cisco firewall rules," says Jody Brazil, Secure Passage president and CTO. And that's just for Cisco firewalls -- organizations with a mix of vendors' firewalls have even more trouble tracking policies and how they interact, and the mix of functions in today's firewalls (think IPS) also complicates configuration. "The complexity makes it impossible to understand what you've got deployed in the environment," Brazil says. "People are failing audits."

In most data breach investigations, misconfigured firewalls are found in the victimized network -- as many as 80 percent, according to a newly released report by Forrester Research (PDF) that points to data from PCI auditing firms and credit card brands.

The danger of a misconfigured firewall or the inability to track changes, of course, is a hole left open to the network either because it has been overlooked or because one policy change inadvertently conflicted with another. "Any rogue firewall admin can give himself or herself access," says John Kindervag, a senior analyst with Forrester.

Enterprises, meanwhile, are finding auditors cracking down on firewalls, looking for more detailed information about their policies and change management. The Payment Card Initiative (PCI) Requirement 1.1.6 specifically calls for an audit of firewall and router rules at least every six months. That PCI requirement is the biggest driver for enterprises adopting firewall auditing tools, Kindervag says. They need the tools because they haven't properly maintained and managed their firewall rule sets, which are "now too unwieldy to deal with," he says. Forrester is seeing an increase in the adoption of these tools, he says.

Todd Ferguson, enterprise information security architect for Raymond James, which runs Secure Passage's FireMon auditing tool, says firewall audits used to be just a "checkbox," but no more.

"Auditors are more technical now, and more detailed, looking down to the policy change management information of what went with what, who owns it, when was it [set, etc.]," Ferguson says. "We had ended up with three areas for storing [firewall] policy...It was a challenge to keep them updated and in sync."

Ferguson says the FireMon auditing tool includes a rule-writing scanner that keeps policies "in good condition." A workflow function that ties into the "who" behind a policy or rule would be helpful as well, he says. Secure Passage recently rolled out version 5.0 of its FireMon product, which, among other features, documents the life cycle of a rule and provides a PCI compliance framework.

Firewall auditing tools also give IT and network security teams a way to put some of the policies back into the hands of the business side. "[Before] at the end of the day, my name was on every single firewall policy. But these tools are letting me put the ownership back on the business."

So if the finance group needed a port opened for a Bloomberg feed, then they would have to justify it; once the feed contract was up and they no longer needed access through that port, they would have to justify the firewall rule to keep it opened, he says.
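As an added illustration (not code from the article or from any of the products it names), here is a small Python audit over a constructed rule set that flags the problems described above: a later rule that an earlier one silently overrides, rules nobody on the business side owns or whose justification has lapsed, and rules not reviewed within a six-month window. The rule format, the owner and expiry fields, and the 183-day review window are assumptions.

```python
"""Minimal firewall rule-set audit: shadowed/conflicting rules, ownerless rules,
rules past their review window, and rules whose business justification expired.

Added illustrative example, not code from the article or from any vendor's
product. Rule layout, the owner/expiry fields and the review window are
assumptions; the sample rules are constructed, not a real configuration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import ipaddress

# Assumption: treat "at least every six months" as a 183-day review window.
REVIEW_WINDOW = timedelta(days=183)
# Fixed "today" so the results are reproducible (article date used as a stand-in).
TODAY = date(2009, 8, 3)


@dataclass
class Rule:
    rule_id: str
    action: str                      # "permit" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    port: str                        # "any" or a single TCP/UDP port as text
    owner: str                       # business owner; "" when nobody is on record
    last_reviewed: date
    expires: Optional[date] = None   # when the justification lapses, if known


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src, strict=False).subnet_of(
        ipaddress.ip_network(outer.src, strict=False))
    dst_ok = ipaddress.ip_network(inner.dst, strict=False).subnet_of(
        ipaddress.ip_network(outer.dst, strict=False))
    port_ok = outer.port == "any" or outer.port == inner.port
    return src_ok and dst_ok and port_ok


def find_shadowed(rules):
    """First-match evaluation: a rule fully covered by an earlier one never fires.
    Same action -> redundant; different action -> conflict (the intended
    deny or permit is silently overridden by the earlier rule)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((earlier.rule_id, later.rule_id, kind))
                break  # the first covering rule is the one that wins
    return findings


def find_unowned(rules):
    """Rules with no business owner on record."""
    return [r.rule_id for r in rules if not r.owner.strip()]


def find_stale(rules, today=TODAY):
    """Rules not reviewed within the review window."""
    cutoff = today - REVIEW_WINDOW
    return [r.rule_id for r in rules if r.last_reviewed < cutoff]


def find_expired(rules, today=TODAY):
    """Rules whose recorded justification has already lapsed."""
    return [r.rule_id for r in rules if r.expires is not None and r.expires < today]


def audit(rules, today=TODAY):
    return {
        "shadowed": find_shadowed(rules),
        "unowned": find_unowned(rules),
        "stale": find_stale(rules, today),
        "expired": find_expired(rules, today),
    }


# Constructed sample rule set (ordered as the firewall would evaluate it).
SAMPLE_RULES = [
    Rule("R1", "permit", "10.0.0.0/8", "0.0.0.0/0", "any", "netops", date(2009, 7, 1)),
    # Meant to block one subnet, but R1 already permits everything it matches.
    Rule("R2", "deny", "10.1.2.0/24", "0.0.0.0/0", "any", "netops", date(2009, 7, 1)),
    # Market-data feed for finance; contract ended and the rule was never re-reviewed.
    Rule("R3", "permit", "192.168.5.0/24", "203.0.113.10/32", "8194", "finance",
         date(2008, 6, 1), expires=date(2009, 7, 31)),
    # Nobody is on record as owning this one.
    Rule("R4", "permit", "192.168.0.0/16", "0.0.0.0/0", "443", "", date(2009, 7, 20)),
]

if __name__ == "__main__":
    for category, items in audit(SAMPLE_RULES).items():
        print(f"{category}: {items}")
```

Run on the sample set, the audit reports R2 as a deny that R1 overrides (the "one policy change conflicting with another" case), R4 as ownerless, and R3 as both overdue for review and past the end of the contract that justified it. A real tool would parse vendor configurations and model protocols and port ranges rather than single ports, but the checks themselves are the same.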

Ruvi Kitov, CEO for Tufin Software Technologies, which he and other ex-Check Point Software engineers founded, says he and his colleagues saw a need for firewall management. "PCI is a huge driver for customers who don't want to make any changes in their [policies] that make them noncompliant," Kitov says. "Another huge driver is automation. If you have a quarterly PCI audit, you can do it in a half an hour [with Tufin's product]."

So far, the big firewall players have stuck with providing management for their own tools, and only Check Point has some firewall auditing features in its Eventia product, according to Forrester. "If a major vendor wants to get into this, they would probably just buy one of the start-ups," Kindervag says. "They probably won't venture very far here, as it will require them to support other vendors in most cases."

Among the vendors in this market are AlgoSec, Athena Security, LogLogic, ManageEngine, Matasano Security, RedSeal Systems, Secure Passage, Skybox Security, and Tufin.

It remains to be seen, however, just how these tools will be integrated with other security management products, such as SIM/SIEM. And they add yet another management tool for enterprises to use and monitor. At least one vendor, LogLogic, integrates with SIEM tools. But it may not be as attractive for vendors to integrate as it is for customers: "I would hope that these tools evolve into full management suites that include SIM, device configuration, and threat modeling features. Vendors may be economically disincented to do so, however," Kindervag says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
