Two-thirds of firewall managers lack confidence in their security posture


In its annual firewall management survey, Tufin Technologies uncovered some disheartening details. For example, 1 in 4 firewall managers has never conducted an audit, and 66% of the managers think their processes put them at risk of a security breach. The results amount to a giant wake-up call.

Warning: If you are a chief information security officer and you want to sleep well tonight, stop reading now. The statistics within this story might give you nightmares.

Tufin Technologies just released the results of its annual firewall management survey and they aren't pretty. Tufin surveyed 100 network security professionals directly involved in firewall management and auditing, and three-fourths of those surveyed believe their change management processes might put them at risk of a security breach.


This is truly troubling, given that firewalls are the first line of defense for most networks. It raises the question: what is it about the processes these managers follow that inspires so little confidence in their firewall security posture?

For one thing, fewer than 40% of these firewall managers use an automated tool to manage configuration changes. Doing this work manually can be time consuming and prone to mistakes. One third of the survey respondents say they handle 50 or more firewall changes per week, and half of all respondents say it takes an hour or more -- sometimes up to a full day -- to design each firewall change.

Eighty percent of the managers say they must use more than one management console to perform their tasks. One can easily envision how a security manager who oversees a couple of firewalls spends all of his time making changes, and this time crunch could lead to mistakes or oversights.

Time, or rather the lack of it, is a real issue. When asked what the weak link of their network security is, almost 60% of the respondents cite a lack of time. Multiple responses were allowed for this question; 55% of the security managers also say "poor processes" are a weakness, and nearly half of all participants cite insecure or non-compliant configuration changes.

There's that concern about processes again. Well, surely conducting a firewall audit will help identify where processes need to be improved. According to Michael Hamelin, chief security architect at Tufin Technologies, an audit "increases your chances of finding weaknesses in your security posture and finding places where your policies need to be adapted." Unfortunately, almost 20% of the firewall managers said they don't do audits, and an additional 11% don't know whether or not audits are conducted at their organizations. Almost one in four managers said they've never conducted a firewall audit.

If the firewall rules are never or rarely audited, how will the security managers know if there are misconfigurations or conflicting rules, especially since 63% of the respondents say they don't use an automated tool or process to discover them? How will they know when a configuration change causes network downtime or poses a security breach? One in four managers learns of the problems when there is an increased number of phone calls or emails reporting an issue. One in three has to manually troubleshoot and rule out other possible causes of an issue.
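The "conflicting rules" the survey refers to are typically shadowed rules (a later rule that can never fire because an earlier rule with the opposite action already matches all of its traffic) and redundant rules (fully covered by an earlier rule with the same action). The following is an added example, not code from the article or from Tufin: a small analyzer for a first-match rule set that flags both kinds of defect. The rule format and the sample rules are constructed for illustration; a real tool would parse the vendor's configuration export into the same structure.

```python
"""Find shadowed and redundant rules in a first-match firewall policy.

Added example with constructed rules; not a vendor or Tufin tool.
Assumes the firewall evaluates rules top to bottom and stops at the first match.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive destination port range; (0, 65535) means any


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    # A protocol-specific outer rule cannot cover a broader "any" inner rule.
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return findings as (kind, rule_name, earlier_rule_name).

    kind is "shadowed" when the covering rule has a different action
    (the later rule never fires and its intent is silently lost) and
    "redundant" when the action is the same (dead weight that still
    has to be maintained and audited).
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break  # the first covering rule is the one that actually fires
    return findings


# Constructed sample policy: rule 3 is shadowed by the broad deny above it,
# and rule 4 is redundant with rule 1.
SAMPLE_RULES = [
    Rule("allow-lan-web", "allow", "tcp", "10.1.0.0/16", "192.168.10.0/24", (443, 443)),
    Rule("deny-all-to-dmz", "deny", "any", "0.0.0.0/0", "192.168.10.0/24", (0, 65535)),
    Rule("allow-ssh-admin", "allow", "tcp", "10.1.9.0/24", "192.168.10.5/32", (22, 22)),
    Rule("allow-branch-web", "allow", "tcp", "10.1.200.0/24", "192.168.10.0/24", (443, 443)),
    Rule("allow-dns", "allow", "udp", "10.1.0.0/16", "192.168.20.53/32", (53, 53)),
]


if __name__ == "__main__":
    for kind, name, earlier in analyze(SAMPLE_RULES):
        print(f"{kind:9s} {name} (covered by {earlier})")
```

Running the script reports that `allow-ssh-admin` is shadowed by `deny-all-to-dmz` (the admin access the author intended never works, which is exactly the kind of change that surfaces as a flood of help-desk calls) and that `allow-branch-web` is redundant with `allow-lan-web`. The same pairwise check can be run on every proposed change before it is pushed, which is the core of what an automated change-management tool does for the managers in the survey.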

Eighty-five percent of the survey respondents say they currently manage, or will soon manage, next-generation firewalls (NGFWs), which offer a much finer level of granularity in specifying rules. Security-wise, the added granularity is a great thing, as administrators can define explicit rules about who has access to which web-based applications. Management-wise, the added level of detail means there are more firewall rules to design and maintain. For people who are already overworked and stretched thin, more rules to support might be the tipping point at which a firewall management tool becomes a necessity.

The Tufin survey results are disheartening, especially considering the potential consequences of inadequate processes for firewall management. The 2009 Verizon Data Breach Incidents Report cites "misconfigurations" and "omissions" (i.e., failure to apply a patch or adhere to a policy) as leading factors in serious data breaches. Let this be a wake-up call to the organizations with low confidence in their firewall security posture.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
