Firewall Maintenance Needs Automation to Prevent Misconfiguration
Now, more than ever, it is important to automate firewall processes to prevent misconfigurations and data breaches. Gartner has warned that “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet, up from 25% at YE18.”
This is a human problem, not a firewall problem. Gartner also posits that “99% of firewall breaches will be caused by misconfigurations, not firewall flaws.”
For a better understanding of the situation, FireMon’s sixth annual ‘State of the Firewall’ report (PDF) sought insights from 573 network/security engineers, IT Ops managers and C-level executives. These come from a range of companies, varying in size from less than 1,000 employees (47.8%) to more than 15,000 employees (18.9%).
Sixty-five percent of the respondents do not currently use automation to manage their environment, while 36% say that inaccuracies, misconfigurations or network issues account for up to 24% of the changes that require rework.
Forty-five percent of the respondents process between 10 and 99 change requests every week; and 38% only find out about a misconfigured firewall through urgent phone/text/email messages.
It is the sheer size and complexity of the modern firewall estate that causes the problems. Almost one-third of respondents have more than 100 firewalls on their network (up from 26% last year); and more than 12% have upwards of 500 firewalls. The top five challenges are the complexity, optimizing the rules, managing multiple vendors/types of firewall, gaps in firewall enforcement, and finally, a lack of automation.
FireMon’s view is that providing that automation will go a long way to solving all the other difficulties. It’s not as if the firewall is any less important to the modern infrastructure. Ninety-five percent of the respondents said the firewall is at least as critical as ever, if not more so, while 65% (up from 56% last year) spend between 10% and 49% of their security budget on firewall technology.
FireMon’s value proposition is to help customers control the complexity of their infrastructure, by extending visibility and detecting change. “In its simplest essence,” FireMon VP, technology alliances, Tim Woods told SecurityWeek, “we try to make native management tools better by augmenting, enhancing and amplifying management efforts to maximize return on investment.”
FireMon can detect poor firewall configurations by scanning the surface from the outside, and pinging external servers from the inside. This type of automated detection is particularly important in cloud environments, where things move and change, and spin up and spin down on a daily basis.
“What happens over time if you don’t apply good management principles to firewalls,” explained Woods, “they become bloated with unnecessary complexity. New rules containing source, destination and service are applied, but over time they expire, they become stagnant, they stop being used, the resources are moved, and the rule effectively becomes a hole in the firewall. They need to be identified and plugged, but without good management hygiene they just get left. The quantity of unnecessary rules just grows — and it’s an extreme problem.”
One of the biggest issues is overly permissive rules that allow far more access than the business actually requires, continued Woods. Typically, this can be caused by simple engineer workload. “Under the stress of a timeline and without sufficient information,” he told SecurityWeek, “in order to enable access to a new service the business is rolling out, the firewall engineers will put in a temporary rule that simply broadens the existing access and enables the service. But they never get time to return and tighten the rule.”
When FireMon analyzes the security policy on a new client’s firewall, it finds between 30% and 50% of the existing rules are redundant or serve no purpose. “When I started in the business fifteen years ago,” said Woods, “if I found a firewall with 2,000 rules on it, that was a really big firewall. Nowadays, it’s not uncommon for us to find firewalls that have 20,000 to 30,000 or even 100,000 rules.” It simply isn’t realistic for a human to analyze policy on a firewall with 100,000 rules.
“Even when you’re adding a new rule,” he said, “and you’re trying to determine where to place the rule — because some rules can be situationally dependent — this can be enormously difficult without the help of automation.”
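As an added illustration (not FireMon’s tooling and not part of the report or this article), the following small policy linter runs over a constructed first-match-wins ruleset and flags the three hygiene problems Woods describes: the “temporary” overly permissive allow, stagnant rules with no hits, and rules placed after an earlier rule that already matches everything they could, so they never fire. The Rule fields, the thresholds and the sample policy are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str            # IPv4 CIDR; "0.0.0.0/0" means any
    dst: str            # IPv4 CIDR; "0.0.0.0/0" means any
    ports: tuple        # (low, high) destination port range; (0, 65535) means any
    action: str         # "allow" or "deny"
    hits: int           # hit counter as read from the device (constructed here)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    o_src, i_src = ipaddress.ip_network(outer.src), ipaddress.ip_network(inner.src)
    o_dst, i_dst = ipaddress.ip_network(outer.dst), ipaddress.ip_network(inner.dst)
    return (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def audit(rules, max_port_span=1024, min_hits=1):
    """Return (rule name, finding) pairs for a first-match-wins rule list."""
    findings = []
    for i, rule in enumerate(rules):
        any_src = ipaddress.ip_network(rule.src).prefixlen == 0
        any_dst = ipaddress.ip_network(rule.dst).prefixlen == 0
        port_span = rule.ports[1] - rule.ports[0] + 1
        # "temporary" broadening: allow from/to anywhere across a wide port range
        if rule.action == "allow" and (any_src or any_dst) and port_span > max_port_span:
            findings.append((rule.name, "overly-permissive"))
        # stagnant rule: the resource behind it has moved or been retired
        if rule.hits < min_hits:
            findings.append((rule.name, "unused"))
        # placement problem: an earlier rule decides every packet this one could match
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed-by:{earlier.name}"))
                break
    return findings

# Constructed sample policy, not taken from any real device.
SAMPLE_POLICY = [
    Rule("R1", "10.0.0.0/8", "192.0.2.10/32", (443, 443), "allow", 1200),
    Rule("R2", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "allow", 5000),  # the "temporary" rule
    Rule("R3", "10.1.0.0/16", "192.0.2.10/32", (443, 443), "allow", 0),
    Rule("R4", "10.2.0.0/16", "198.51.100.0/24", (22, 22), "deny", 0),  # dead deny
]

def audit_sample():
    return audit(SAMPLE_POLICY)
```

Note that R4 is a deny that can never take effect because the broad allow R2 sits above it; on a real estate the hit counters would come from the device’s own rule statistics rather than being typed in.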
Automation, says FireMon, can eliminate misconfigurations, increase security agility while maximizing efficiency and reducing operational costs, and prevent compliance violations. “The new State of the Firewall report,” said Woods, “shows that C-level executives and their security teams need more control and visibility over network security processes to fuel digital transformations and maintain regulation compliance. Adaptive automation tools can be the solution to these problems to provide new levels of control and visibility.”
FireMon, a privately held network security and policy management firm, was founded by Gary Fish in 2004. It is dual-headquartered with offices in Kansas City and Dallas, Texas. Its most recent acquisition was Lumeta in May 2018, which helps security teams to find and secure unknown, rogue and shadow clouds, network infrastructure, and endpoints.