Combating Firewall Complexity - Four Things You Need
Firewalls continue to play an important role in network security; however, firewall infrastructure has grown more and more complex, adding significant costs and increasing risk. According to FireMon’s 2015 State of the Firewall Report, 95% of surveyed security professionals indicated that firewalls remain as critical if not more critical to security than ever. Over 50% of those respondents cited firewall complexity as their most problematic security management concern.
A recent report from the Aberdeen Group Firewall Sprawl: How Complexity Is Adding Cost & Increasing Risk reinforces these findings. Through their research, they found that nearly half of organization’s today have multi-site, multi-vendor environments.
Going a step further, they developed a complexity index to quantify the issue – (N^2 – N) / 2 where N equals the number of sites plus the number of vendors. For each additional site or vendor, complexity exponentially increases. And with it, so do operational costs, inconsistencies and errors, number of threats and vulnerabilities and finally, likelihood of risk.
With that being said, it appears that firewalls are here to stay, and complexity will only continue to grow as new network technologies and threats develop. The key to combating this is to understand the primary contributing factors and how one might address them.
With eight years under my belt at FireMon, I’ve seen a lot of firewall installations that fall prey to some of these challenges:
- Lacking Capabilities within existing technologies that enable proper management. For example, trying to perform behavioral analysis of a large firewall policy without the aid of automation.
- Time or moreover, efficient processes for managing the constant change in the security environment.
- Inadequate Resources – I have yet to hear anyone tell me they have too many resources.
- Cost – This tends to go hand-in-hand with skilled resources.
- Heterogeneous Environments as opposed to homogeneous environments. I’ve seen very few single vendor deployments but rather a mixture of many different brands. Aberdeen Group’s research quantifies my anecdotal experience.
So what can you as a security professional do about it? Look for solutions or processes that give you the following:
- Visibility – It’s an unfortunate reality, but most of today’s organizations with complex networks do not have adequate visibility necessary to properly manage their security infrastructure. Nor do they have confidence that the technologies they have in place are doing what they’re supposed to. Couple that with reduced resources and an ever growing threat landscape and the result is a recipe for disaster. Having detailed visibility into firewall rules and policy effectiveness allows organizations to clean up outdated or redundant rules and close security gap, lowering overall firewall complexity and level of risk.
- Intelligence – It takes a clear understanding of an organizations compensating controls coupled with a knowledge of vulnerabilities in the environment to properly protect well-known threat entry points. This is all a component of managing risk. With real-time monitoring and vulnerability mapping, your security team has the situational awareness it needs to identify and remediate problematic issues before they evolve into real-world risk.
- Integration – Exchange of information between disparate systems cannot be underestimated. The ability to share security information in real time without restricting it to a single application, system or device can empower stakeholders to make decisions specific to their responsibilities. Security posture is greatly improved by extending real-time, enterprise-wide security metrics to those who need it most. This lends itself to compliance initiatives, business enablement, risk avoidance, etc.
- Automation – Automation can be interpreted differently by different people – in this case we’re looking at automation of change workflow. It’s important to assess the impact of any new access being provided. Access should be restricted to just what is necessary to meet the needs of the business. New access should also be vetted against the corporate security policy to ensure it does not break compliance or introduce unacceptable risk. Being able to sandbox proposed changes to assess impact and then send them for review and implementation through an existing ticketing system can speed up the process and reduce the likelihood of incorrect or risky changes. Automation of this task the only way to accomplish this with high accuracy and repeatable success.