Best practices for firewall management


Firewalls that protect enterprise networks play a crucial role on the front line of defense. The people who administer these firewalls have a lot of responsibility in seeing that only the right kind of traffic gets through when it should and all the bad stuff gets blocked. The stakes are high and there's little room for error. But year after year, the Verizon Data Breach Investigations Report shows that device misconfigurations are a leading source of vulnerabilities that open the door to data breaches.

With that in mind, I talked with Reuven Harrison, CTO of the firewall management company Tufin. I asked him for best practices to address some of the most common firewall challenges that lead to misconfigurations or other problems that cause firewalls to fail in their crucial missions. He makes the following recommendations:

•    Keep the enterprise security policy manager or compliance manager in the loop on firewall changes.
•    Clean up unused rules.
•    Eliminate conflicting rules.
•    Follow a consistent workflow for requesting and implementing firewall changes.
•    Get application developers or the dev ops team on the same page with the firewall administrator.

Let's take a look at each recommendation.

Keep the enterprise security policy manager or compliance manager in the loop on firewall changes.

In most midsize or large enterprises there is a security manager, risk manager or compliance manager role. This person is usually not a hands-on operational worker. Rather, he or she is in charge of setting the organization's overall policies and is responsible, more or less, for making sure that these policies are followed throughout the organization. Very often this security manager doesn't have insight into what the firewall administrators are actually doing to deploy rules—rules that might be in conflict with corporate policy.

For example, a firewall administrator can open a port on a firewall to allow various traffic to enter the network. It's possible this action could be risky and could contradict one of the organization's overall security policies. The security manager needs to get notifications when firewall policies are modified, and by whom, in order to review them to make sure they are in line with policy. This could be done through email alerts or access to a console to see the changes to the firewall configurations and who made the changes. If a change just doesn't seem right or is violating a security policy, the security manager and firewall administrator can discuss the business purpose for the change.

Clean up unused rules.

It's not uncommon for a firewall to have hundreds or even thousands of rules, many of which are outdated and no longer serve a business requirement. Unused rules sometimes harbor the potential for malicious attacks. For example, suppose a port is opened to allow HTTP or even HTTPS traffic to flow between the enterprise and a cloud application. Then the business unit that used that cloud application abandons it but fails to notify the firewall administrator to close the port. A malicious attacker could discover that opening and use it to transmit data out of the organization.

There are firewall management tools that can easily monitor the network traffic on an ongoing basis and determine if there are open connections that haven't been used for a specified period of time. The firewall administrator can be alerted to these apparently unused connections to research their purpose and close the ones that no longer serve a business purpose.

Tufin's Harrison cites an energy company that recently underwent a rules cleanup and discovered that more than 50% of the company's firewall rules no longer served a business need. Eliminating those unused rules not only improved the organization's security posture but improved firewall performance as well.
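The unused-rule check described in this section, as an added example that is not from the column or from any vendor's product: it flags rules with no traffic inside a review window. The export field names, the sample rules and the 90-day window are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample: per-rule hit data as a management tool might export it.
# Field names and values are assumptions, not any vendor's format.
RULES = [
    {"id": 10, "name": "web-to-cloud-app", "created": "2023-01-10", "last_hit": "2023-03-02"},
    {"id": 20, "name": "dns-out", "created": "2022-06-01", "last_hit": "2024-05-30"},
    {"id": 30, "name": "legacy-ftp", "created": "2021-02-15", "last_hit": None},
    {"id": 40, "name": "new-api-gw", "created": "2024-05-20", "last_hit": None},
]


def parse_day(text):
    return datetime.strptime(text, "%Y-%m-%d")


def stale_rules(rules, now, window_days=90):
    """Return (rule id, idle days, reason) for rules idle longer than the window.

    A rule that has never matched is measured from its creation date, so a
    rule younger than the window is not reported just because it has no hits.
    """
    findings = []
    for r in rules:
        never_hit = r["last_hit"] is None
        reference = parse_day(r["created"] if never_hit else r["last_hit"])
        idle = (now - reference).days
        if idle > window_days:
            findings.append((r["id"], idle, "never-hit" if never_hit else "idle"))
    # Longest-idle rules first: these are the first ones to research.
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for rule_id, idle, reason in stale_rules(RULES, parse_day("2024-06-01")):
        print(f"rule {rule_id}: {reason}, {idle} days without traffic")
```

The output is a list of candidates to research with the rule's owner, not a list to delete automatically; a rule for a quarterly or disaster-recovery process can legitimately sit idle longer than the window.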

Eliminate conflicting rules.

Many firewalls already have such a complex rule base that oftentimes an administrator doesn't know if he or she is implementing a new rule that conflicts with an existing one. This situation could cause the new rule to be completely dysfunctional because the device, acting on the principle of "first match," executes the first rule it encounters that meets the criteria of the traffic. Cleaning up conflicting rules is not something to tackle manually; however, there are tools that can facilitate this task.
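To make the "first match" problem concrete, here is an added example (not from the column or from any vendor's tool) that finds rules an earlier rule fully covers, so they can never take effect. The rule fields and the sample rule base are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "id action src dst proto ports")


def rule(rid, action, src, dst, proto, lo, hi):
    return Rule(rid, action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, (lo, hi))


# Constructed rule base, evaluated top to bottom (first match wins).
RULEBASE = [
    rule(1, "deny", "10.0.0.0/8", "192.0.2.0/24", "tcp", 0, 65535),
    rule(2, "allow", "10.1.2.0/24", "192.0.2.10/32", "tcp", 443, 443),
    rule(3, "allow", "0.0.0.0/0", "198.51.100.5/32", "tcp", 80, 443),
    rule(4, "allow", "10.0.0.0/8", "198.51.100.5/32", "tcp", 443, 443),
    rule(5, "allow", "10.0.0.0/8", "198.51.100.5/32", "udp", 443, 443),
]


def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return (
        a.proto in (b.proto, "any")
        and b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and a.ports[0] <= b.ports[0]
        and b.ports[1] <= a.ports[1]
    )


def find_shadowed(rulebase):
    """Return (shadowed id, shadowing id, kind) for each unreachable rule.

    kind is "conflict" when the actions differ (the later rule's intent is
    silently overridden) and "redundant" when they agree. Only shadowing by
    a single earlier rule is detected, not by a union of several rules.
    """
    findings = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.id, earlier.id, kind))
                break  # the first covering rule is the one that actually fires
    return findings


if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULEBASE):
        print(f"rule {shadowed} is shadowed by rule {by} ({kind})")
```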

Follow a consistent workflow for requesting and implementing firewall changes.

Firewall rules often are not properly documented. Without good documentation, it can be hard to tell who requested a rule or who owns it from a business perspective. This makes it more difficult to comply with regulations such as PCI DSS because it is more difficult to prove that the rule is needed. If there is traffic over that connection, it can be a challenge to know who owns it and for what purpose.

The remediation requires more than a simple tool. It requires the enterprise to define a business process in which every request for a firewall rule follows a workflow. This workflow would include a business owner submitting the access request, someone reviewing and approving the request, and eventually a firewall administrator actually pushing out the change, all while the underlying system documents the change and correlates it to the business need. That business context is then available for future cleanup and optimization, and the firewall administrator knows who to call to see if the request made a few years ago is still needed today.

Get application developers or the dev ops team on the same page with the firewall administrator.

It's often the people who are developing new applications or provisioning new services who request changes to existing firewalls. Like any technical role, these folks speak their own brand of technical jargon that isn't well understood by firewall administrators, and vice versa. In other words, it may take a few iterations to get a new firewall rule just right because the two sides aren't understanding each other with precision.

There are tools on the market that can facilitate this communication, acting as a technical translator, if you will. The application developers can specify business rules for their application using a language that is higher level and more abstracted. The system can then use various analytics about the underlying integration to translate those rules into technical implementation details, which can be either manually implemented by the firewall administrator or even automatically implemented by a system. This technical translator can help to eliminate or reduce misconfigurations and save time in getting the application up and running.

Linda Musthaler is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
