Next-Gen Firewalls Change The Rules Of Firewall Management

Added layers of complexity create even more interdependencies and a need for a systematic change-management approach

As enterprises increasingly incorporate next-generation firewalls into their security repertoires, they are gaining a greater potential for more precise control over applications and user behavior at the perimeter. But there's potential for something else as well: added complexity by way of the increased odds for misconfiguration and change management mishaps. The odds increase even further if firewall management is already a problem in their traditional firewall portfolios.

"Firewalls have had problems since they were first introduced -- they are complex, their rules are technical, and it's as easy to end up with a messy firewall as it is to end up with a messy desk," says Mike Lloyd, CTO of RedSeal Networks. "These realities persist with 'next-generation' approaches. Operations still outrun the headlights on occasion, moving rapidly in response to business pressure, but making mistakes and leaving poor records. Debris still accumulates in the same ways it always has."

As Lloyd puts it, every additional security control adds complexity, and that's no different in the field of advanced firewalls.

"The infrastructure in which firewalls are used is inherently complex and operates at many levels at once. Thinking at an additional level -- for example, the app layer -- is good for some purposes, but does not cause the other levels to go away."


According to a survey earlier in the year of more than 175 firewall managers conducted by firewall management firm AlgoSec, 56 percent reported that managing next-generation firewalls takes more work than traditional firewalls. Sam Erdheim, director of marketing for AlgoSec, says this boils down to two concerns. The first is figuring out what a next-generation firewall rule policy looks like compared to traditional firewall rule policies.

"You are inherently making things a little more complex because there's more granularity and more complexity goes hand-in-hand with that," he says. "You've got a greater volume of changes, and it'll potentially take a longer time to make those changes because they're different from what they used to."

The second complication is how to incorporate management of these policies across the network environment when mixed in with traditional firewalls that will still stay in place, and to do it without rewriting the way firewalls are managed altogether.

"Configurations of next-generation firewalls include new dimensions for defining how traffic can flow, but they are still expressed in a traditional way," says Gidi Cohen, CEO of Skybox Security. "As a result, organizations need to go through a long transition process where they need to define new corporate policies -- which often proves a lengthy and organizationally challenging process. They also may manage a dual approach where these organizations could still have traditional firewalls and next-generation firewalls working side by side for many years to come."

Firewall management firms such as RedSeal, AlgoSec, Skybox Security, and FireMon have generally incorporated management capabilities for next-gen products into their feature sets. But according to Erdheim and Jody Brazil, president and CTO of FireMon, organizations must first educate their staff and adjust the processes and policies that will run these tools in a next-gen environment. This will inevitably require a paradigm shift.

"When you're making that transition from the Layer 3 world to an application world, don't assume that all your old knowledge immediately transfers," Brazil says. "Take the time to get educated, go to the training classes, and train the administrators who are using it just so they don't get caught by some of those nuances."

Brazil explains that next-gen firewalls will introduce some unique issues that firewall administrators may not initially expect. For example, in a next-gen firewall from a firm like Palo Alto Networks, creating a rule as simple as allowing users to go to Facebook may not be so simple at first blush. As he explains, the firewall itself doesn't recognize the Web application as Facebook until the user has gone to the site, connected, and authenticated. Before that, it looks like standard HTTP, he says.

"Somewhere in your policy, you have to allow access out to the Internet with standard Web browsing or with port 80; otherwise that rule that says allow access to Facebook won't actually work," he says. "There are these relationships that now must coexist and, if they don't, access isn't allowed. It's a really simple example, yet it's the thing that bites administrators day in and day out. It creates some interesting complications."

Top of the list is that rather than simply managing port 80, an organization could feasibly be managing 1,500 applications or more.

"And for good reason -- we know that a lot of bad things can happen across port 80," he says. "But it increases complexity."

Similarly, complexity increases when organizations start enabling the tight integration between next-gen firewalls and Active Directory.

"The firewall team and the AD team don't talk to each other because they never needed to and had no reason to," Brazil says. "Now, all of a sudden, the daily life of that Active Directory administrator is changing the behavior of that firewall administrator without the firewall administrator knowing it."

That's because many of those firewall policies are tied to AD groups, which could be changed at a moment's notice by the AD team based on business needs. This could easily lead to a call from the AD team complaining of the firewall blocking access in spite of the firewall administrator never making changes on their end.

"And yet the firewall did change because somebody over in IT maybe said, 'We're going to restructure this AD group this way for application X,'" he says. "And it makes sense for application X, but they had no idea that it was going to have this impact on the firewall."
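The two pitfalls Brazil describes above (an application rule that silently depends on a plain web-browsing allow rule, and rules whose behavior changes whenever an AD group is restructured) can both be caught with a small policy lint run before a change is pushed. The following is an added example, not code from the article or from any vendor's product; the rule model, the app-to-prerequisite table, and the sample rules are constructed for illustration.

```python
# Added example: lint a next-gen firewall rule set for hidden dependencies.
# Rule fields and APP_PREREQ are hypothetical simplifications of how app-ID
# firewalls classify a session before the application is identified.
from dataclasses import dataclass, field

# Before the firewall recognizes an app, the session is classified as its base
# protocol; an allow rule for that base app must exist somewhere in the policy.
# Constructed table: app-id -> base app it initially looks like.
APP_PREREQ = {"facebook": "web-browsing", "salesforce": "ssl"}

@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    app: str = "any"                               # app-id or "any"
    src_groups: set = field(default_factory=set)   # AD groups used as source

def missing_prereqs(rules):
    """Names of app-layer allow rules whose base-protocol allow rule is absent."""
    allowed_apps = {r.app for r in rules if r.action == "allow"}
    findings = []
    for r in rules:
        if r.action != "allow" or r.app == "any":
            continue
        base = APP_PREREQ.get(r.app)
        # satisfied if the base app is allowed explicitly or by an "any" rule
        if base and base not in allowed_apps and "any" not in allowed_apps:
            findings.append(r.name)
    return findings

def rules_touched_by_group(rules, group):
    """Rules whose effective behavior changes when this AD group's membership changes."""
    return [r.name for r in rules if group in r.src_groups]

# Constructed sample policy: facebook is allowed, but nothing allows the
# web-browsing traffic the session starts as, so the facebook rule never matches.
SAMPLE = [
    Rule("allow-facebook", "allow", app="facebook", src_groups={"Marketing"}),
    Rule("allow-ssl", "allow", app="ssl"),
    Rule("allow-salesforce", "allow", app="salesforce",
         src_groups={"Sales", "Marketing"}),
    Rule("deny-all", "deny"),
]

if __name__ == "__main__":
    print("app rules missing a base-protocol allow:", missing_prereqs(SAMPLE))
    print("rules affected by a change to 'Marketing':",
          rules_touched_by_group(SAMPLE, "Marketing"))
```

Running the lint as part of the AD group change workflow gives the firewall team the heads-up Brazil says they currently lack.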

This is why organizations need to walk before they run when implementing next-gen firewalls, says Matt Keil, senior research analyst at Palo Alto Networks, who recommends a methodical approach to dealing with new policies and interdependencies.

"Moving to an application enablement focus requires a different way of thinking for security teams. If they are migrating, they will have many rules that are old and the use case is not defined," he says. "So the recommendation is to plan the move and implement it in a very methodical manner."

Keil says the transition can be a good opportunity to strengthen the relationship between the security team and business groups. He believes that this starts with three steps. First, organizations need to take inventory and learn the applications that are on the network, who their users are, and what the potential risks are for these applications. Step two is to meet with business groups to discuss the business needs of the found applications and the risks determined by IT to bring those needs into balance with a clear policy set. Step three is documentation.

"Document the agreed-upon policy, educate all users as such, enforce with technology, and periodically review the policy, updating it with new applications," Keil says.

As organizations develop policies for future management, they must bear in mind that, in spite of the differences between traditional firewalls and next-gen firewalls, bad management and audit habits die hard no matter what type of firewall is in use.

"The main mistake to avoid is copying bad audit habits forward. If you're traditionally auditing rule by rule, this is a bad approach and, indeed, can prevent you adopting new technologies as they come out," Lloyd says. "If audits are too rigid, your ability to respond to new threats is lost or compromised."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
