Poorly Managed Firewall Rule Sets Will Flag An Audit

Published: 22/11/2024   Category: security




Auditors and compliance managers alike are depending on firewall management principles and tools to cut through the complexity



As the complexity of the IT topography continues to increase along with the number of firewalls deployed, the typical enterprise firewall rule set stands as a confusing rat's nest of contradictions and insecure configurations.
Not only does the state of these rules expose enterprises to undue risk, it inevitably throws them out of compliance. Auditors are getting wise to the problems posed by unmanaged firewall rules. Here's why you should, too.
Firewalls aren't going anywhere.
The predicted demise of the firewall from security pundits several years ago may have been a bit, shall we say, premature. Today, not only does the firewall still stand as one of the most ubiquitous security tools deployed within the enterprise, but most organizations are doubling down on their firewall strategies with the advent of the next-generation firewall.
"Firewalls aren't going away. If anyone says they are, then how can they explain Palo Alto going [public] and firewall vendors continuing to make tons of money hand-over-fist?" says Sam Erdheim, director of marketing at AlgoSec. "If anything, we're seeing the evolution of firewalls, next-gen, and Web application firewalls, and that sort of thing. But the concept of the firewall is still there and that's not changing anytime soon."
But the growing irony is that even though the lowly firewall's renovation of its reputation within the security world has largely been driven by compliance mandates such as PCI, the growth in the number of firewalls within the enterprise often puts organizations at even more risk of failing a security audit.
"The core of network complexity begins with a firewall. If you speak to a compliance manager that's not technical, or you speak to management who has been told that they are in compliance and therefore secure, everything's good," says Kevin Beaver, founder and principal information security consultant for Principle Logic. "Everything's hunky-dory, we're secure, and [there's] nothing to worry about -- all's well in IT. Then you go in and test any given environment. You can even look at the firewall rule base and point out all sorts of flaws: system configuration, weak passwords, network segments that shouldn't be talking to one another, and ports that are open. I often see database servers that are sitting out on the public Internet wide open for attack."
State of the rule set: shambles.
So how has the current rule set broken down? It's kind of like the old quote from Hemingway: "It happened two ways, gradually, then suddenly." First, the slow devolution. As security consultant and auditor Mark Jones puts it, because so many firewalls have been in place for so long, network administrators have built up an accumulation of hastily devised rules to satisfy business needs on the fly.
"On an average week, inside an enterprise-type business out there, a Fortune 500 [is] making anywhere from 10 to 15 changes a week to their firewall," says Jones, CEO of SOS Security, explaining that many of these are made when a line-of-business leader needs an exception to be made to address an immediate critical business need. "It's such a hasty decision, and it's rarely followed back up on to make the change back to where the firewall was before."
The culmination of many years of these hasty decisions has snowballed, says Michael Hamelin, chief security architect and evangelist for Tufin Technologies.
"Around 15 or 16 years ago when I started, we talked about the top 10 rules you should see in your firewall. I remember an article with that title," Hamelin says. "Today, most firewalls have hundreds, if not thousands, of rules, and it's not unusual to have firewalls with tens of thousands. Even a couple of customers I know have over 100,000."
And the advent of the next-generation firewall is likely to just make the complexity even worse, Erdheim says.
"It's not like they're ripping out all their traditional firewalls and replacing them with next-gen firewalls. What they're probably doing is strategically putting in next-gen firewalls in certain segments of the network where they need that granular control," he says. "So then you've got different types of firewalls in your environment from different vendors. So how do you pull all those things together? If you don't have some way to standardize or normalize the management of these different firewalls, then you basically have to have a separate resource just to manage the next-gen firewalls -- in addition to all the time to manage the rest of the firewalls."
The human mind can't handle the scale.
As the number of rules within the typical enterprise firewall environment increases exponentially, it's becoming increasingly apparent that manual management of firewall configurations isn't going to fly anymore. The human brain simply can't handle the scale, Hamelin says.
"The sheer number of rules becomes a complexity that is well more than you can deal with as a human," he says. "We like to say our human brains are pretty good, but I think 65,000 lines printed on paper -- just at the average reading rate if you read it from beginning to end -- is about 40 hours of reading of over 1,000 pages. You can't audit and understand the compliance of that from end to end."
As a result of this problem, consulting and auditing firms such as Principle Logic and SOS Security have taken to using automated firewall management tools to uncover firewall rule problems that would have otherwise gone undetected by manual methods.
"Just recently, I was working on an assessment where we ended up using the AlgoSec firewall analyzer product, and we uncovered some issues that the external assessment didn't find," Beaver says. "Neither did the internal assessment, but these were big issues. These were not like default settings, but really basic, stupid configuration issues -- things that could have been exploited by a malicious insider, an outsider, whatever."
Jones, for his part, uses Tufin's tool to such great effect that every assessment his firm has done has found critical issues that needed to be addressed. "They find out that their rule base is in such shambles that they often say, 'Hey, not only do we need to do this annually, we probably need to do it every quarter,'" Jones says.
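The kinds of rule-base defects the interviewees describe (catch-all allows, database ports reachable from anywhere, temporary exceptions nobody rolled back, and dead rules buried under earlier ones) are exactly what an automated analyzer catches that a human reading 65,000 lines will not. As an added example, not code from the article or from any vendor's product, here is a small first-match rule-set checker in Python run over a constructed rule list. The rule IDs, networks, ports and dates are made up for illustration; the shadowing check assumes first-match semantics, which is how most enterprise firewalls evaluate their rule base.

```python
"""Toy first-match firewall rule-set analyzer (constructed example, not a vendor tool)."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)
# Common database listeners that should never be reachable from an unrestricted source.
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL"}


@dataclass(frozen=True)
class Rule:
    rid: str                      # rule identifier (hypothetical)
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str                    # "tcp", "udp" or "any"
    ports: Tuple[int, int]        # inclusive destination port range
    expires: Optional[date] = None  # set when the rule is a temporary exception


def _net(cidr: str):
    return ANY_NET if cidr == "any" else ip_network(cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`.

    Under first-match evaluation, a rule fully covered by an earlier rule can
    never fire: it is dead weight that still has to be audited.
    """
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def analyze(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule id, finding) pairs for the checks an auditor would run first."""
    findings = []
    for i, r in enumerate(rules):
        src_any = _net(r.src) == ANY_NET
        if r.action == "allow" and src_any and _net(r.dst) == ANY_NET and r.ports == ANY_PORTS:
            findings.append((r.rid, "any-any-any allow"))
        elif r.action == "allow" and src_any and r.proto in ("tcp", "any"):
            for port, name in DB_PORTS.items():
                if r.ports[0] <= port <= r.ports[1]:
                    findings.append((r.rid, f"{name} port {port} reachable from any source"))
        if r.expires is not None and r.expires < today:
            findings.append((r.rid, f"temporary exception expired {r.expires}"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rid, f"shadowed by {earlier.rid} (never matches)"))
                break
    return findings


# Constructed sample rule base: one sane rule, then the usual accumulated mess.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "10.20.0.0/16", "tcp", (443, 443)),
    Rule("R2", "allow", "any", "203.0.113.10/32", "tcp", (3306, 3306), expires=date(2024, 6, 30)),
    Rule("R3", "allow", "10.1.0.0/16", "10.20.5.0/24", "tcp", (443, 443)),   # subset of R1
    Rule("R4", "allow", "any", "any", "any", ANY_PORTS),                     # emergency catch-all
    Rule("R5", "deny", "any", "any", "any", ANY_PORTS),                      # default deny, now unreachable
]

if __name__ == "__main__":
    for rid, finding in analyze(RULES, date(2024, 11, 22)):
        print(f"{rid}: {finding}")
```

On the sample rule base the checker reports R2 twice (a MySQL port open to any source, and an exception that expired months ago), R3 as shadowed by R1, R4 as a catch-all allow, and R5, the default deny, as shadowed by R4, which is the "gradually, then suddenly" failure in miniature: one hasty exception silently disables the rule everything else depended on.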
According to Jones, not only are there compliance benefits to such a practice, but the residual operational benefits are nothing to sniff at, either.
"The throughput on their firewalls runs so much cleaner and so much faster, to where firewall administrators who once said, 'We need to upgrade the firewall,' realize that it's not that they needed new firewalls, it's just that they had too many damned rules," Jones says.
