"Firewalls have had problems since they were first introduced -- they are complex, their rules are technical, and it's as easy to end up with a messy firewall as it is to end up with a messy desk," says Mike Lloyd, CTO of RedSeal Networks. "These realities persist with 'next-generation' approaches. Operations still outrun the headlights on occasion, moving rapidly in response to business pressure, but making mistakes and leaving poor records. Debris still accumulates in the same ways it always has."
As Lloyd puts it, every additional security control adds complexity, and that's no different in the field of advanced firewalls.
"The infrastructure in which firewalls are used is inherently complex and operates at many levels at once. Thinking at an additional level -- for example, the app layer -- is good for some purposes, but does not cause the other levels to go away."
[Did you miss Black Hat USA? See Dark Reading's Black Hat coverage to catch up the highlights from talks and research presented at the show.]
According to a survey earlier in the year of more than 175 firewall managers conducted by firewall management firm AlgoSec, 56 percent reported that managing next-generation firewalls takes more work than traditional firewalls. Sam Erdheim, director of marketing for AlgoSec, says this boils down to two concerns. The first is figuring out what a next-generation firewall rule policy looks like compared to traditional firewall rule policies.
"You are inherently making things a little more complex because there's more granularity and more complexity goes hand-in-hand with that," he says. "You've got a greater volume of changes, and it'll potentially take a longer time to make those changes because they're different from what they used to."
The second complication is how to incorporate management of these policies across the network environment when mixed in with traditional firewalls that will still stay in place, and to do it without rewriting the way firewalls are managed altogether.
"Configurations of next-generation firewalls include new dimensions for defining how traffic can flow, but they are still expressed in a traditional way," says Gidi Cohen, CEO of Skybox Security. "As a result, organizations need to go through a long transition process where they need to define new corporate policies -- which often proves a lengthy and organizationally challenging process. They also may manage a dual approach where these organizations could still have traditional firewalls and next-generation firewalls working side by side for many years to come.
Firewall management firms such as RedSeal, AlgoSec, Skybox Security, and FireMon have generally incorporated management capabilities for next-gen products into their feature sets. But according to Erdheim and Jody Brazil, president and CTO of FireMon, organizations must first educate their staff and adjust the processes and policies that will run these tools in a next-gen environment. This will inevitably require a paradigm shift.
"When you're making that transition from the Layer 3 world to an application world, don't assume that all your old knowledge immediately transfers," Brazil says. "Take the time to get educated, go to the training classes, and train the administrators who are using it just so they don't get caught by some of those nuances."
Brazil explains that next-gen firewalls will introduce some unique issues that firewall administrators may not initially expect. For example, in a next-gen firewall from a firm like Palo Alto Networks, creating a rule as simple as allowing users to go to Facebook may not be so simple at first blush. As he explains, the firewall itself doesn't recognize the Web application as Facebook until the user has gone to the site, connected, and authenticated. Before that, it looks like standard HTTP, he says.
"Somewhere in your policy, you have to allow access out to the Internet with standard Web browsing or with port 80; otherwise that rule that says allow access to Facebook won't actually work," he says. "There are these relationships that now must coexist and, if they don't, access isn't allowed. It's a really simple example, yet it's the thing that bites administrators day in and day out. It creates some interesting complications."
Top of the list is that rather than simply managing port 80, an organization could feasibly be managing 1,500 applications or more.
"And for good reason -- we know that a lot of bad things can happen across port 80," he says. "But it increases complexity."
Similarly, complexity increases when organizations start enabling the tight integration between next-gen firewalls and Active Directory.
"The firewall team and the AD team don't talk to each other because they never needed to and had no reason to," Brazil says. "Now, all of a sudden, the daily life of that Active Directory administrator is changing the behavior of that firewall administrator without the firewall administrator knowing it."
That's because many of those firewall policies are tied to AD groups, which could be changed at a moment's notice by the AD team based on business needs. This could easily lead to a call from the AD team complaining of the firewall blocking access in spite of the firewall administrator never making changes on their end.
"And yet the firewall did change because somebody over in IT maybe said, 'We're going to restructure this AD group this way for application X," he says. "And it makes sense for application X, but they had no idea that it was going to have this impact on the firewall."
This is why organizations need to run before they walk when implementing next-gen firewalls, says Matt Keil, senior research analyst at Palo Alto Networks, who recommends a methodical approach to dealing with new policies and interdependencies.
"Moving to an application enablement focus requires a different way of thinking for security teams. If they are migrating, they will have many rules that are old and the use case is not defined," he says. "So the recommendation is to plan the move and implement it in a very methodical manner."
Keil says the transition can be a good opportunity to strengthen the relationship between the security team and business groups. He believes that this starts with three steps. First, organizations need to take inventory and learn the applications that are on the network, who their users are, and what the potential risks are for these applications. Step two is to meet with business groups to discuss the business needs of the found applications and the risks determined by IT to bring those needs into balance with a clear policy set. Step three is documentation.
"Document the agreed-upon policy, educate all users as such, enforce with technology, and periodically review the policy, updating it with new applications," Keil says.
As organizations are developing policies for future management, they must bear in mind that in spite of differences between traditional firewalls and next-gen firewalls, bad management and audit habits die hard no matter what type of firewall in use.
"The main mistake to avoid is copying bad audit habits forward. If you're traditionally auditing rule by rule, this is a bad approach and, indeed, can prevent you adopting new technologies as they come out," Lloyd says. "If audits are too rigid, your ability to respond to new threats is lost or compromised."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.