Stated Inspection: The Future of the Firewall




What’s the future of the network firewall?

While at first glance this may not seem like the most cutting-edge or controversial question facing the IT security industry, further inspection (forgive the pun) reveals that future evolution of the firewall remains one of the most significant issues we face.

For evidence of how central firewalls remain within enterprise security strategy, consider that Gartner reports that roughly 51 percent of the 1,500 network security calls received by their analysts during the first half of 2014 were directly related to firewalls – on topics ranging from platform migration to policy management, to adoption of next generation devices.

In July, Ellen Messmer filed this piece in Network World which debates the evolution of firewalls related to cloud computing and quotes a wide range of industry experts, serving as further proof of the topic’s relevance.

For over 20 years, the firewall has served as a central component of information security, representing a first line of defense in controlling access to limit risk. To this day, it remains the most successful “whitelist” security solution ever deployed, designed to permit acceptable traffic and deny by default everything that is not.

In contrast to systems including IDS, IPS, anti-virus and other malware-centric technologies that attempt to keep up with attackers by attempting to identify, adapt-to and prevent the latest attacks, the firewall has remained a stalwart element of enterprise defense, while changing in its own right to address these same issues.

Firewalls also represent the largest product segment of the network security industry, with Gartner predicting over $9 billion in worldwide sales in 2014 alone, and customers dedicating over half of their entire IT budget on security projects in general.

As such, any significant changes affecting the firewall market will clearly have a significant impact on customer planning, the IT industry and the makeup of enterprise security in general.

Meanwhile, ongoing platform evolution including mobile computing, cloud services and other trends that blur the lines between what exists “inside” and “outside” the typical enterprise network is making the traditional concept of maintaining “walls” between networks, and the future role of the firewall, even more difficult to define.

As debated in Messmer’s story, cloud computing – where critical applications and data are running outside the traditional data center – will redefine where, and in some cases how, access must be controlled.

Virtualization also continues to change how, and how quickly, new systems and applications can be deployed, thereby affecting the effectiveness and manageability of traditional firewalls.

Shifts in networking technology, in particular SDN, promise other dynamic changes to network management, and how security is deployed in those networks.

And perhaps most significantly, threats continue to evolve, challenging the notion that a network firewall can effectively defend organizations against them.

In the coming weeks and months, through this “Future of the Firewall” blog series, we’ll be engaging key thought leaders – including practitioners, analysts and other informed observers – to share their vision and address many of these issues.

Where is the future of the firewall headed this year, or 5 years into the future? How will firewalls continue to evolve and how do these experts believe this change should, and might occur?

There is no question that the future of the firewall will have a significant impact on the future of IT security, risk management and compliance initiatives.

We encourage you to join the conversation and share your thoughts, and we look forward to reading your comments. We invite you to subscribe to our blog to keep up with the latest posts of our new series.


About Jody Brazil

As Founder and CEO of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment, and security product implementation. Before joining FireMon in 2004, Brazil spent eight years at FishNet Security, serving as Chief Technology Officer, where he was responsible for providing direction for solutions to their customers. Previously, he was president and founder of Beta Technologies, a Network Services and Internet Application Development company. A few of Brazil’s major accomplishments include his implementation of the first load balanced deployment of Check Point firewall software in 1997. A year later he engineered the security solution that allowed, for the first time, the transfer of criminal history data over the Internet as approved by the FBI. Brazil then released the first ever graphical firewall policy change view in 2001 and the first ever firewall rule usage analysis application in 2004.

Configuration Confrontation – Network Security’s Biggest Challenge




As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.

With the Target breach standing as perhaps the best example – as attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network – the problem has been reinforced in a number of high-profile incidents.


This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.

The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights the fact that it is the challenge practitioners face in properly configuring such defenses – not vulnerabilities in those products – that remains so pervasive and troublesome.

As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.

With VPN and webmail services among those affected, the issue revolves around possible credential exposure when Palo Alto Networks customers have improperly configured User-ID to enable WMI probing on external/untrusted zones, resulting in the User-ID agent sending these probes to external/untrusted hosts.

To its credit, Palo Alto quickly posted an advisory and associated best practices guidelines to help organizations address the issue. Vulnerability management specialists Rapid7, which purchased Metasploit five years ago and remains Moore’s employer, also posted an advisory.

By no coincidence, Palo Alto and Rapid7 are among FireMon’s closest technology and business partners. This is because we work with these companies every day to help customers identify and remediate precisely the type of issues highlighted by Moore’s ingenious research.

Network and application vulnerabilities remain a huge problem, as do cutting-edge attacks. However, as illustrated by the Target breach, countless other incidents and the details of Moore’s latest work, erroneous and unseen configuration issues within network security infrastructure remain just as significant a problem, and better still, one that can be rapidly addressed once it is identified.

The revealed Palo Alto firewall “vulnerability” isn’t a flaw in the product at all, but rather a risk created by the complexity of firewall configuration and the limited visibility many practitioners have into how their devices are actually configured – an issue intensified within large enterprises.

These are the very network security management challenges that led to the initial invention and continued advancement of FireMon Security Manager. Working alongside partners including Palo Alto and Rapid7, among many others, we help our customers identify and mitigate such issues.

In response to Moore’s research, FireMon immediately created a new custom audit check within Security Manager that allows organizations to analyze their Palo Alto firewalls and verify that user identification lookups are not enabled on public-facing zones.
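As an added illustration of the kind of audit check described above (example code written for this page, not FireMon’s Security Manager check or Palo Alto Networks’ tooling), the snippet below parses a constructed PAN-OS-style configuration fragment and flags any operator-designated untrusted zone on which User-ID is enabled. The XML layout (zone/entry with an enable-user-identification child) and the zone classification list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config fragment.
# This is not a real device export; the element layout is assumed.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="trust">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="dmz">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone>
  </entry></vsys></entry></devices>
</config>"""

# Zones the operator classifies as public facing / untrusted. Assumption:
# this list is maintained by the operator; a zone name alone is not proof.
UNTRUSTED_ZONES = {"untrust", "dmz"}


def zone_user_id_settings(config_xml):
    """Return {zone_name: True/False} for whether User-ID is enabled per zone.

    A zone with no enable-user-identification element is treated as disabled.
    """
    root = ET.fromstring(config_xml)
    settings = {}
    for zone_container in root.iter("zone"):
        for zone in zone_container.findall("entry"):
            flag = zone.findtext("enable-user-identification", default="no")
            settings[zone.get("name")] = flag.strip().lower() == "yes"
    return settings


def audit_user_id_on_untrusted(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    """Return the sorted list of untrusted zones that still have User-ID on.

    Each name returned is a finding: User-ID probes originating from such a
    zone can reach hosts the organization does not control.
    """
    settings = zone_user_id_settings(config_xml)
    return sorted(z for z, on in settings.items() if on and z in untrusted_zones)


if __name__ == "__main__":
    for zone in audit_user_id_on_untrusted(SAMPLE_CONFIG):
        print(f"FINDING: User-ID enabled on untrusted zone '{zone}'")
```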

To be honest, doing so was almost painfully simple, because this is exactly what FireMon was designed to do!

As FireMon has been publicizing for many years – the level of complexity and change affecting configuration of network firewalls remains perhaps the greatest challenge facing network security practitioners.

If you’re concerned that the newly reported Palo Alto issue, or any of the countless configuration challenges affecting every manner of network firewall, may affect your organization, take a closer look at FireMon.

We help customers gain visibility into and control over this very type of problem. It’s what we do. It’s why we’re here. Learn more about our solutions, today.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Granted, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.


However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would dispute that there’s still a wealth of extremely valuable research on the Black Hat schedule, even though I can’t claim to have attended many of these sessions in recent years.

Another key component to consider is that the sister DEF CON and parallel B-Sides Las Vegas shows cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

FireMon Security Manager 7.0 – Top 5 Additions




With any major product release there’s typically quite a bit to sound off about, but with the launch of FireMon Security Manager 7.0 platform and the introduction of its updated Policy Planner 3.0 module there’s so much to highlight that one could potentially go on for a long time.

So, in the interest of shedding some light on the most exciting and breakthrough additions in these new releases, let’s take a classic “Late Show”-style approach citing the “Top 5 New Capabilities of Security Manager 7.0”:

1. True Continuous Assessment: The Security Manager analysis engine and supporting features are the only solution that truly provide real-time visibility across all network security device infrastructure. With even greater levels of automation including an updated library of proven assessments, proactive “what-if” change modeling, historical trend analysis to chart improving performance and the scalability to analyze enterprise infrastructure in seconds, FireMon has once again upped the ante.

2. Expanded Assessment and Controls: Striking at the lifeblood of how customers benefit from Security Manager’s automated assessment approach, the 7.0 release introduces major advancement including trending, whitelisting and an out-of-the-box library with over 100 pre-built controls and Best Practices assessments. The results? Faster analysis, greater policy and process retention and even greater ease-of-use – all with a high degree of customization – based on FireMon’s years of experience working with customers.

3. Standardized Policy Workflow: Policy Planner 3.0 delivers full support for the BPMN 2.0 workflow standard, allowing even more consistent policy design, evolution and management, and allowing direct integration with existing BPM systems and processes. More fuel to the FireMon flame of providing enterprise ready, time saving and closed-loop methodology; look here to see who else supports BPMN 2.0.

4. Added MSSP capabilities: While other vendors merely pass off their solutions to MSSPs, FireMon continues to add purpose-built capabilities for our many managed service provider customers, including support for organizational domains and LDAP authorization. Instead of handing off an existing solution and merely saying good luck, FireMon continues to make the investments that drive increased ROI for MSSPs of all kinds.

5. New Device Support: The more network security devices that Security Manager provides direct integration with, the more powerful the results. This time around additions include newly released products from leading providers including Cisco (ASA 9.1), Palo Alto Networks (Panorama) and Qualys (QualysGuard VM) as well as support for device infrastructure popular in APAC (AhnLabs, Hillstone, Huawei, SECUI) and other regions, making the FireMon platform the most truly comprehensive and globally relevant on the market.

So there you have it, and honestly that’s just a quick peek at all of the extraordinary goodness and highly differentiated capabilities delivered in the FireMon Security Manager 7.0 platform. There’s no other product available that spans the full gamut of assessment and reporting needs required by today’s enterprise organizations and large government agencies.

Am I biased? Sure, but I’ve also been around this market long enough to know who is stretching the truth and how FireMon can truly back all its claims.

If you’re unwilling to take my word for it, why not sign up for a demo of FireMon Security Manager 7.0 today and see how well it works for yourself.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Real-World Breach Shows Prioritizing Vulnerabilities Matters




Over at Krebs on Security, a rare but fascinating look into the monetary and brand reputation effects a real-world breach can have on a corporation was outlined last week in the post “FDIC: 2011 FIS Breach Worse Than Reported“. The post provides an in-depth review of the impact of the 2011 breach at FIS, in which FIS originally stated in its filing with the SEC that “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities”. The article provided two very interesting insights.

First, there are truly real-world financial and brand consequences in failing to effectively implement network security controls. Krebs’ article provides an in-depth look at the results of the FDIC audits performed at FIS in 2011 and 2012 as a result of the original breach incident. What was interesting to learn is that because FIS is a service provider to banks and not actually a bank, the FDIC is unable to levy fines against it or shut it down directly. However, in May of this year, the FDIC sent the results of its audits to all of FIS’s customers, as the post highlights with an attached letter that began “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.” The FDIC made this decision despite the fact that FIS has spent over $100 million trying to shore up its network security controls. The FDIC’s actions will obviously have some negative brand and revenue impact for FIS.

The second interesting point within the post was the detail around the environment FIS was attempting to secure, and the number of vulnerabilities it was dealing with. Portions of the FDIC report quoted in the post showed that FIS was dealing with “approximately 30,000 servers and operating systems, another 30,000 network devices, over 40,000 workstations, 50,000 network circuits, and 28 mainframes running 80 LPARs”. The post also highlights that “The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due”. While 18,747 vulnerabilities identified in a scan might seem like a lot, it is not uncommon in a network of this size and scope. Many FireMon customers have seen scan results with an even greater number of identified vulnerabilities.

The challenge when faced with this many vulnerabilities is knowing which ones truly matter. Out of 18,000+ vulnerabilities, how would you know which ones to remediate first? Attempting to manually sort through the vulnerabilities or simply patching the highest value assets doesn’t actually solve the problem. An automated, intelligent and continuous real-time assessment of the vulnerabilities that shows which assets are truly reachable over the network by an attacker, and which remediation efforts will reduce the greatest amount of risk (and access), is the only way to proactively solve this problem.
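To make the reachability argument above concrete, here is a small added example (written for this page, not FireMon’s analysis engine) that ranks constructed scan findings by whether an attacker in a given zone can actually reach the vulnerable port through an ordered, default-deny rulebase, and only then by severity. The rules, hosts, ports and CVSS scores are all made up; the policy model (first match wins, implicit deny) is the assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rulebase: evaluated top to bottom, first match wins,
# and anything unmatched falls through to an implicit deny (whitelist model).
RULES = [
    {"src_zone": "internet", "dst": "203.0.113.0/24", "ports": {443}, "action": "allow"},
    {"src_zone": "internet", "dst": "203.0.113.10/32", "ports": {22}, "action": "deny"},
    {"src_zone": "internet", "dst": "203.0.113.20/32", "ports": {3389}, "action": "allow"},
    {"src_zone": "internal", "dst": "10.0.0.0/8", "ports": {"any"}, "action": "allow"},
]

# Constructed sample scan findings: host, listening port and a CVSS-style score.
VULNS = [
    {"host": "203.0.113.10", "port": 443, "cvss": 7.5, "name": "sample-tls-issue"},
    {"host": "203.0.113.10", "port": 22, "cvss": 9.8, "name": "sample-ssh-issue"},
    {"host": "10.1.2.3", "port": 445, "cvss": 9.8, "name": "sample-smb-issue"},
    {"host": "203.0.113.20", "port": 3389, "cvss": 9.0, "name": "sample-rdp-issue"},
]


def first_match(rules, src_zone, dst_ip, port):
    """Return the action of the first rule matching the flow, or 'deny'."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if rule["src_zone"] != src_zone:
            continue
        if ip not in ip_network(rule["dst"]):
            continue
        if "any" not in rule["ports"] and port not in rule["ports"]:
            continue
        return rule["action"]
    return "deny"  # implicit default deny at the end of the rulebase


def prioritize(vulns, rules, attacker_zone="internet"):
    """Rank findings: attacker-reachable first, then by descending severity.

    Ties are broken by host and port so the order is deterministic.
    """
    ranked = []
    for v in vulns:
        reachable = first_match(rules, attacker_zone, v["host"], v["port"]) == "allow"
        ranked.append({**v, "reachable": reachable})
    ranked.sort(key=lambda v: (not v["reachable"], -v["cvss"], v["host"], v["port"]))
    return ranked


if __name__ == "__main__":
    for v in prioritize(VULNS, RULES):
        flag = "REACHABLE" if v["reachable"] else "blocked  "
        print(f"{flag} {v['cvss']:>4} {v['host']}:{v['port']} {v['name']}")
```

Note how the 9.8-rated findings drop below a 7.5-rated one because the rulebase already blocks the path to them; that is the point the post makes about patching by asset value alone.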