Firewall rules are notoriously complex and voluminous in nature. Even small organizations have multiple firewalls and significant complexity. But large organizations are overwhelmed.
Besides classic firewalls, next-gen firewalls, VPN, reverse-NAT and remote access servers, each switch and router with rules acts as a firewall. Firewall proliferation is obviously driven first by number of physical sites – a direct correlate to growth for many organizations. But your number of firewalls also increases proportional to how fine-grained you attempt to make your network security. Today, perimeter firewalls between the Internet and internal network are just the beginning. Here are a few of the special segments within many networks that are or should be protected by internal firewalls:
Internal segmentation will keep growing because of the constant threat of persistent attackers. With the intensity and sophistication of today’s attacks, we assume there’s always someone loose on your network. Internal network controls are critical for denying them complete freedom of movement to run amok.
But along with more firewalls, you also end up with more rules. In preparing for this real-training-for-free session, I was talking to a firewall specialist this week; his customers routinely deal with 40,000 rules on a single firewall. 100 rules is enough to cause confusion, let alone thousands. Part of the problem, he stated, is that rules go in but don’t go out.
Nearly all firewalls are designed with a “positive security model,” meaning that unless a rule expressly permits access, that access is denied. This design should limit access only to what is necessary, but in practice, firewall management is very complicated, and significantly more access is permitted than is necessary.
Complexity by itself is not a security issue. However, excessive complexity has consequences that are. Not surprisingly, there is a strong correlation between the complexity of the firewall and the number of mistakes in the policy. As complexity increases, mistakes increase. Unfortunately, each mistake adds unnecessary complexity, resulting in even further mistakes. Over the years, these problems compound upon one another, resulting in an unmanageable policy, deteriorated firewall performance, increased risk and increased management costs.
Ironically, the more secure you try to be, the more complexity you create, which in turn introduces new risks. In this real-training-for-free event, we will discuss the Top 5 risks the team at FireMon, a leading firewall management software vendor, finds when assessing an organization’s firewalls.
Here’s the list of risks we’ll discuss:
But more importantly we’ll talk about how to:
One organization was able to eliminate 122,000 rules across their global network. Cleanup like that results in:
Ideally, you need to be able to regularly perform 3 types of analysis:
Rule usage analysis is critical for finding out if unnecessary open access exists on the network. Unnecessary access equals unnecessary risk.
Traffic flow analysis is critical for determining the impact of:
Access path analysis is indispensable for:
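As an added illustration (not code from the webinar or from FireMon's product), the following Python model ties together the positive security model described earlier and the analyses just listed: first-match rule evaluation with an implicit final deny, rule usage analysis from exported hit counters, detection of shadowed rules that can never match, and an access-path walk through an ordered chain of firewalls. Every rule, hit count, address and firewall name is constructed for the example; a real tool would parse the vendor's rule export and counters instead of these literals.

```python
"""Constructed firewall policy analysis (example code, not FireMon's):
first-match evaluation with implicit deny, unused-rule detection from hit
counters, shadowed-rule detection, and an access-path check across hops."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: tuple        # inclusive (low, high) destination port range
    action: str         # "allow" or "deny"
    hits: int = 0       # hit counter as exported by the firewall (constructed)

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True if this rule's scope fully contains other's scope."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def evaluate(rules, src, dst, port):
    """Positive security model: first matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def unused_rules(rules):
    """Rule usage analysis: rules whose counter never moved in the export window."""
    return [r.name for r in rules if r.hits == 0]


def shadowed_rules(rules):
    """Rules fully covered by an earlier rule; they can never match, whatever their action."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


def access_path(firewalls, src, dst, port):
    """Access path analysis: walk an ordered list of (name, rules) hops and
    record each hop's verdict; the path is open only if every hop allows."""
    verdicts = []
    for fw_name, rules in firewalls:
        action, rule = evaluate(rules, src, dst, port)
        verdicts.append((fw_name, action, rule))
        if action == "deny":
            break
    return verdicts


# Constructed sample policy for a hypothetical DMZ firewall.
DMZ_RULES = [
    Rule("allow-web-dmz", "0.0.0.0/0", "10.1.0.0/24", (443, 443), "allow", hits=58213),
    Rule("allow-admin-ssh", "10.9.0.0/24", "10.1.0.0/24", (22, 22), "allow", hits=412),
    Rule("allow-any-internal", "10.0.0.0/8", "10.0.0.0/8", (1, 65535), "allow", hits=903311),
    Rule("allow-legacy-db", "10.9.0.0/24", "10.1.0.0/24", (1433, 1433), "allow", hits=0),
    Rule("deny-guest-to-dmz", "10.50.0.0/16", "10.1.0.0/24", (1, 65535), "deny", hits=0),
]

# Constructed core firewall that sits in front of the DMZ firewall on the guest path.
CORE_RULES = [
    Rule("allow-guest-internet", "10.50.0.0/16", "0.0.0.0/0", (80, 443), "allow", hits=71020),
    Rule("deny-guest-internal", "10.50.0.0/16", "10.0.0.0/8", (1, 65535), "deny", hits=1302),
]
PATH = [("core-fw", CORE_RULES), ("dmz-fw", DMZ_RULES)]

if __name__ == "__main__":
    print("unused on dmz-fw:", unused_rules(DMZ_RULES))
    print("shadowed on dmz-fw:", shadowed_rules(DMZ_RULES))
    print("guest -> dmz rdp, dmz-fw alone:", evaluate(DMZ_RULES, "10.50.1.7", "10.1.0.5", 3389))
    for hop in access_path(PATH, "10.50.1.7", "10.1.0.5", 3389):
        print("path hop:", hop)
```

The interesting finding in the constructed set is deny-guest-to-dmz: its counter is zero not because guests never tried, but because allow-any-internal above it matches first, so on the DMZ firewall alone guest hosts reach the DMZ on any port. A zero-hit deny is therefore a prompt to check for shadowing and rule order, not a candidate for deletion, while a zero-hit allow such as allow-legacy-db is exactly the unnecessary access that usage analysis exists to remove.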
FireMon will briefly show you how their technology helps you manage your global, heterogeneous fleet of firewalls from a single pane of glass to track changes, clean up rules, analyze traffic flow over time and visualize access paths.