Stated Inspection: The Future of the Firewall




What’s the future of the network firewall?

While at first glance this may not seem like the most cutting-edge or controversial question facing the IT security industry, further inspection (forgive the pun) reveals that future evolution of the firewall remains one of the most significant issues we face.

For evidence of how central firewalls remain within enterprise security strategy, consider that Gartner reports that roughly 51 percent of the 1,500 network security calls received by their analysts during the first half of 2014 were directly related to firewalls – on topics ranging from platform migration to policy management, to adoption of next generation devices.

In July, Ellen Messmer filed this piece in Network World which debates the evolution of firewalls related to cloud computing and quotes a wide range of industry experts, serving as further proof of the topic’s relevance.

For over 20 years, the firewall has served a central component of information security, representing a first line of defense in controlling access to limit risk. To this day, it remains the most successful “whitelist” security solution ever deployed, designed to permit acceptable traffic and stand as a default in denying everything that is not.

In contrast to systems including IDS, IPS, anti-virus and other malware-centric technologies that attempt to keep up with attackers by attempting to identify, adapt-to and prevent the latest attacks, the firewall has remained a stalwart element of enterprise defense, while changing in its own right to address these same issues.

Firewalls also represent the largest product segment of the network security industry, with Gartner predicting over $9 billion in worldwide sales in 2014 alone, and customers dedicating over half of their entire IT budget on security projects in general.

As such, any significant changes affecting the firewall market will clearly have a significant impact on customer planning, the IT industry and the makeup of enterprise security in general.

Meanwhile, ongoing platform evolution including mobile computing, cloud services and other trends that blur the lines between what exists “inside” and “outside” the typical enterprise network is making the traditional concept of maintaining “walls” between networks, and the future role of the firewall, even more difficult to define.

As debated in Messmer’s story, cloud computing – where critical applications and data are running outside the traditional data center – will redefine where, and in some cases how, access must be controlled.

Virtualization also continues to change how, and how quickly, new systems and applications can be deployed, thereby affecting the effectiveness and manageability of traditional firewalls.

Shifts in networking technology, in particular SDN, promise other dynamic changes to network management, and how security is deployed in those networks.

And perhaps most significantly, threats continue to evolve, challenging the notion that a network firewall can effectively defend organizations against them.

In the coming weeks and months, through this “Future of the Firewall” blog series, we’ll be engaging key thought leaders – including practitioners, analysts and other informed observers – to share their vision and address many of these issues.

Where is the future of the firewall headed this year, or 5 years into the future? How will firewalls continue to evolve and how do these experts believe this change should, and might occur?

There is no question that the future of the firewall will have a significant impact on the future of IT security, risk management and compliance initiatives.

We encourage you to join the conversation and share your thoughts, and we look forward to reading your comments. We invite you to subscribe to our blog to keep up with the latest posts of our new series.


About Jody Brazil

As Founder and CEO of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment, and security product implementation. Before joining FireMon in 2004, Brazil spent eight years at FishNet Security, serving as Chief Technology Officer, where he was responsible for providing direction for solutions to their customers. Previously, he was president and founder of Beta Technologies, a Network Services and Internet Application Development company. A few of Brazil’s major accomplishments include his implementation of the first load balanced deployment of Check Point firewall software in 1997. A year later he engineered the security solution that allowed, for the first time, the transfer of criminal history data over the Internet as approved by the FBI. Brazil then released the first ever graphical firewall policy change view in 2001 and the first ever firewall rule usage analysis application in 2004.

THE IMPACT OF COMPLEX FIREWALLS – Is firewall complexity expensive?




High profile data breaches in major US retailers are becoming more prevalent. While there are many defensive strategies, did you know that there are some simple steps that can help prevent similar attacks? Maintaining proper segmentation of critical business assets and having effective controls in place can make all the difference.

And that starts with getting your firewall under control.

Check out this recent infographic which sheds some light on the impact of complex firewalls. Learn:

  • The top three reasons why rule bases are out of control;
  • What the impact is on staffing, compliance and security; and
  • How automation is helping to solve these problems.

Continue Reading →

About Ty Murphy

Ty Murphy; web architect and online marketing engineer.

Configuration Confrontation – Network Security’s Biggest Challenge




As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.

With the Target breach standing as perhaps the best example – as attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network – the problem has been reinforced in a number of high-profile incidents.

R7.blog.logo

This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.

The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights the fact that it is the challenge practitioners face in properly configuring such defenses – not vulnerabilities in those products – that remains so pervasive and troublesome.

As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.

With VPN and webmail services among those affected, the issue revolves around possible credential exposure when Palo Alto Networks customers have improperly configured User-ID to enable WMI probing on external/untrusted zones, resulting in the User-ID agent sending these probes to external/untrusted hosts.

To its credit, Palo Alto quickly posted an advisory and associated best practices guidelines to help organizations address the issue. Vulnerability management specialists Rapid7, which purchased Metasploit five years ago and remains Moore’s employer, also posted an advisory.

By no coincidence, Palo Alto and Rapid7 are among FireMon’s closest technology and business partners. This is because we work with these companies every day to help customers identify and remediate precisely the type of issues highlighted by Moore’s ingenious research.

Network and applications vulnerabilities remain a huge problem, as do cutting-edge attacks. However, as illustrated by the Target breach, countless other incidents and the details of Moore’s latest work, erroneous and unseen configuration issues within network security infrastructure remain just as significant of a problem. And even better, one that when identified can be rapidly addressed.

The revealed Palo Alto firewall “vulnerability” isn’t a flaw at all but rather an opportunity for risk created by the complexity of firewall configuration and the lack of visibility that many practitioners retain into their current alignment – an issue intensified within large enterprises.

These are the very network security management challenges that led to the initial invention and continued advancement of FireMon Security Manager. Working alongside partners including Palo Alto and Rapid7, among many others, we help our customers identify and mitigate such issues.

In response to Moore’s research, FireMon immediately created a new custom audit check within Security Manager that allows organizations to analyze their Palo Alto firewalls to identify and check that user identification lookups are not allowed on public facing zones.

To be honest, doing so was almost painfully simple, because this is exactly what FireMon was designed to do!

As FireMon has been publicizing for many years – the level of complexity and change affecting configuration of network firewalls remains perhaps the greatest challenge facing network security practitioners.

If you’re concerned that the newly reported Palo Alto issue, or any of the countless configuration challenges affecting every manner of network firewall, may affect your organization, take a closer look at FireMon.

We help customers gain visibility into and control over this very type of problem. It’s what we do. It’s why we’re here. Learn more about our solutions, today.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Industry News – Advancing Network Threat Intelligence




When FireMon re-positioned itself around the concept of Proactive Security Intelligence at the beginning of 2014, the effort was undertaken with the notion of highlighting the critical role that data produced by our solutions plays in managing enterprise security and IT risk.

Sure, if you want to start at the most foundational element of the processes we support, as many of our customers do, it can be stated as simply as firewall management – getting a clear understanding of what network security device infrastructure is doing, then improving the performance and efficiency of those defenses, continuously.

cyber.threat.alliance

However, the truth is, “firewall management” is a far too narrow a manner of communicating the overall value of what the FireMon Security Manager Platform and its supporting modules offer in terms of strategic information, thus the new messaging.

With all the intelligence that we produce regarding policy workflow, compliance validation and risk management, along with enablement of related process automation, we felt it was far more appropriate, if not completely defensible, to adopt this broader PSI mantra.

Intelligence, of course, has evolved into a very broad and encompassing industry buzzword, popular among security vendors of all breeds who feel that they provide some form of critical data to inform strategic decision making – which admittedly could be almost any company on the landscape today.

Of all the various uses of intelligence, clearly, the most widely recognized arena (perhaps beyond long-standing ties to the SIEM market) these days is that of “threat intelligence”, or the real-time aggregation and distribution of information regarding emerging attacks to help both products and practitioners respond more adeptly as threat-scape conditions evolve.

So, it’s with keen interest that we at FireMon saw the news this week that industry heavyweights Fortinet, McAfee and Palo Alto Networks, all of whom are close partners of ours, announced a new high-profile effort (along with endpoint experts Symantec) to drive threat intelligence even deeper into the domain of network protection.

Some may roll their eyeballs at the introduction of yet another pan-industry coalition, but this is a pretty influential group in our world, and as such the launch of the involved “Cyber Threat Alliance” is certainly intriguing.

The reason is simple. Of all the uses that a product maker or practitioner could find for the latest and most comprehensive information regarding emerging threats, using that intelligence to assure that network defenses are in place and assets are effectively segmented is certainly one of them – a case echoed in the accompanying research white paper launched by the new coalition.

As highlighted by McAfee EMEA and Canada President Gert-Jan Schenk in the related announcement, the unprecedented rate and severity of recent breach incidents has come at the hand of “complex and multidimensional attacks” that dictate attention far beyond installation of more effective anti-malware systems at the network gateway or on endpoint devices.

Given that we’ve long stumped for the need to use current, in-depth visibility into the real-world alignment of network defenses, in relation to underlying assets and known vulnerabilities, to address risk exposure and mitigate available attack paths, this effort on the part of our partners, industry leaders all, is definitely something FireMon would support, heartily.

As our self-appointed corner of the market – Network Security Intelligence – continues to evolve and we move to help organizations better align their defenses to account for emerging attacks it will be fascinating to see how threat intelligence continues to shape methodologies.

We’ll continue striving to be at the forefront, working with these types of thought leaders to enable more effective defense.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Given, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.

black.hat.2014

However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, and I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that there are the sister DEF CON and parallel B-Sides Las Vegas shows, which cater directly and almost exclusively to ethical hackers and focusing almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

For Security to Succeed We Need More Silo-busting




In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all of the various constituents of IT to work more closely together. As such, I’m always happy to hear about a company’s efforts at silo-busting. So when I saw Javvid Malik’s report (can we give link) on FireMon’s new Policy Optimizer and its ability to bust down silos, I’ll admit it brought a smile to my face.silos

Malik’s report talks about Policy Optimizer breaking down existing silos across different sectors of IT in determining what firewall rules are either out of date, no longer necessary or even  security risks. Much of this silo busting is accomplished via automation. Again, this is music to a DevOps advocate’s ears.

Why is all of this silo busting and automation so important? The short, real world answer is that today’s speed of business will accept nothing less. A more detailed answer is in a world:

  • where changes – including changes to code – happen multiple times a day,
  • where “web-scale IT” measures servers and instances in the tens of thousands
  • where security must keep up or be left behind,
  • where automation and working closely with developers, operations and QA is no longer an option, but a necessity

Breaking down silos is a key ingredient in success.

I’ve been hearing that we need security to be “built in, not bolted on” almost since I first became involved in the security industry over 15 years ago; that security needs a seat at the IT table.  Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows business to move forward with the velocity it needs.

Now before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the involved silos. We need developers to have a greater sense of ownership when developing secure applications. Just thinking firewalls for a second, it would be great if developers gave some thought as to who, when and what types of access users will require when building an application. Giving developers a say in setting firewall rules, for instance, makes sense.

Beyond the development team, how about working closer with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo than security teams and they thereby seem to work at loggerheads.

Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer. They give Ops insight into security decisions and policies.  Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made, giving Ops input into the process is how you get buy in, how you really break down silos. Most importantly how we can tangibly change our security posture for the better.

For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working. We need new, more effective solutions. These solutions have to take into account the new way of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.

For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team.  I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.

As EShimelditor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.