Misconfigurations: the Firewall's Greatest Threat
Gartner recently published a new research note, One Brand of Firewall Is a Best Practice for Most Enterprises, that advocates exactly what the title states: that consolidating to one brand of Firewall is a best practice for most enterprises. This is a position that certainly all of the major firewall vendors will welcome, and one that will likely stir-up a significant amount of debate. Deploying two different firewall vendors has long been an accepted best practice within network security, and the majority of customers we have interfaced with here at FireMon certainly follow that model. While I will leave the debate on this to other blogs, one statistic that was noted in the research note caught my eye.
Gartner noted in the research note that Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws. We at FireMon could not agree more. Previously on this blog, we have highlighted that configuration mistakes not only represent the risk of impacting network performance, but more importantly represent a potential risk to the network. Firewall admins could potentially (and have done so in many environments) stop a revenue generating service from working properly by incorrectly configuring a firewall policy. The bigger threat though is the potential of allowing connectivity from outside of the network to a portion of the internal network that should not have access. As Gartner noted in the research note, Diligence in patching firewalls, monitoring configuration and assessing the rule base is required to maintain security. Misconfiguration of your firewall policy is a serious security threat, and regardless of your opinion on the one firewall vendor versus two firewall vendor debate, a tool that automates the monitoring, configuration and assessment of your firewall rulebase is required to maintain effective network security. FireMon Security Manager can provide that automation for you, and help to eliminate your firewall's greatest threat.