Top 5 Risks of "Dirty" Firewalls

Jun 06, 2017 11:00 am - 12:00 pm CST

Firewall rules are notoriously complex and voluminous in nature. Even small organizations have multiple firewalls and significant complexity. But large organizations are overwhelmed. 

Besides classic firewalls, next-gen firewalls, VPN, reverse-NAT and remote access servers, each switch and router with rules acts as a firewall. Firewall proliferation is obviously driven first by number of physical sites – a direct correlate to growth for many organizations. But your number of firewalls also increases proportional to how fine-grained you attempt to make your network security. Today, perimeter firewalls between the Internet and internal network are just the beginning. Here’s a few of the special segments within many networks that are or should be protected by internal firewalls:

  • PCI requires controls for all devices within the “Cardholder Data Environments”
  • Red forest domain controllers and secure administrative workstations
  • Management network of hyper-visors and related systems (e.g. vCenter)
  • Guest/visitor networks
  • SCADA networks
  • Quarantine segments
  • Control plane networks for cloud and service providers
  • DMZs

Internal segmentation will keep growing because of the constant threat of persistent attackers. With the intensity and sophistication of today’s attacks, we assume there’s always someone loose on your network. Internal network controls are critical for denying them complete freedom of movement to run amok.

But along with more firewalls, you also end up with more rules. In preparing for this real-training-for-free session, I was talking to a firewall specialist this week; his customers routinely deal with 40,000 rules on a single firewall. 100 rules is enough to cause confusion, let alone thousands. Part of the problem, he stated, is that rules go in but don’t go out.

Nearly all firewalls are designed with a “positive security model,” meaning that unless a rule expressly permits access, that access is denied. This design should limit access only to what is necessary, but in practice, firewall management is very complicated, and significantly more access is permitted than is necessary.

Complexity by itself is not a security issue. However, excessive complexity has implications that are a problem. Not surprisingly, there is a strong correlation between the complexity of the firewall and the number of mistakes in the policy. As complexity increases, mistakes increase. Unfortunately, each mistake adds unnecessary complexity, resulting in even further mistakes. Over the years, these problems compound upon one another, resulting in an unmanageable policy, deteriorated firewall performance, increased risk and increased management costs.

Ironically the more secure you try to be, the more complexity you create, which in turn introduces new risks. In this real-training-for-free event, we will discuss the Top 5 risks the team at FireMon, a leading firewall management software vendor, finds when assessing an organization’s firewalls.

Here’s the list of risks we’ll discuss:

  • Unused rules – those that have not been trafficked for a set amount of time are no longer necessary
  • Outdated rules – those rules that were opened for a specific reason that is no longer necessary
  • Non-compliant rules – those that do not meet internal or regulatory best practices
  • Permissive source/destination addresses – rules that are overly permissive with their access
  • Rules missing protocol specs – another type of overly permissive rule that creates unnecessary access

But more importantly we’ll talk about how to:

  • Clean up firewalls effectively and safely
  • Prevent rules from getting out of hand and outdated in the future

One organization was able to eliminate 122,000 rules across their global network. Clean up like that results in:

  • Reduced risk by eliminating unnecessary complexity
  • Better network performance. The example above reduced firewall CPU usage by 30%.
  • A network that is more responsive and agile to changing business needs.

Ideally you need to be able to regularly perform 3 types of analysis

  • Rule usage analysis tracks frequency of use for firewall rules
  • Traffic flow analysis – shows you the paths different applications are taking or have taken across your network
  • Access path analysis – shows every available access path across the network that traffic could take

Rule usage analysis is critical for finding out if unnecessary open access exists on the network. Unnecessary access equals unnecessary risk.

Traffic flow analysis is critical for determining the impact of:

  • Removing allow rules
  • Adding deny rules
  • Monitoring and forensics

Access path analysis is indispensable for:

  • Validating network security controls
  • Determining if new rules are really necessary
  • Identifying unintended access paths
  • Finding permissive rules

FireMon, will briefly show you how their technology helps you manage your global, heterogeneous fleet of firewalls from a single pane of glass to track changes, clean up rules, analyze traffic flow over time and visualize access paths.



Open Ended Up to 1024 Px Wide - UWS Logo.JPG

Register to View this Recording