In the era of PCI Data Security Standard audits and everything-over-HTTP applications, spreadsheet-based firewall policy management seems Paleolithic. Yet many organizations have spreadsheets with thousands of rows of firewall rules that date back 15 years.
Network and security admins find themselves asking, "Who wrote this rule, and why?" The answer generally is, "Some guy named Larry -- for the former CEO, who needed access to financial data via a NetZero dial-up."
Then there's the inevitable follow-up question: "Do you think we can remove it?" Sadly, the answer often is, "Maybe."
Firewall policy management is a mess within many IT departments. A new survey by firewall management software vendor Athena Security revealed that 95% of engineers have trouble with firewall audits because the manual processes involved are time-consuming. Also, the audit is usually a snapshot in time that becomes irrelevant the second some admin who borrowed a password from an engineer adds a new rule.
Ninety percent of the 481 engineers that Athena surveyed also admitted that they have suboptimal firewalls because of unnecessary and redundant firewall rules. They want to get rid of them, but where do they start?
"I do stay up at night worrying about whether we have firewall rules in [our firewalls] that shouldn't be in there or that have been put in there by someone unauthorized," said Jeff Kramer, a risk management professional at global consumer products manufacturer. "Has someone gone into my firewall and added a rule that is creating a compliance issue or a security gap? Or has someone gone in to blatantly add a rule in order to extract information from the organization? Right now, honestly, I don’t think we know that."
Kramer is in the middle of installing Athena's FirePAC software to improve firewall rules management at his 15,000-person company. The software will monitor about 50 Cisco and Check Point Software Technologies firewalls. The purchase of FirePAC was prompted mostly by the need to improve how his company handles PCI audits.
"We've gone through a couple of cycles of PCI audits where we noticed up front that there were a lot of challenges around doing firewall rule-set reviews," Kramer said. "The last audit cycle was really a major issue, and it created some clear compliance gaps. We managed to squeak our way through the audit, but it was clear that the amount of effort to do the firewall rules review was overwhelming."
Firewall policy management: Third-party software an emerging niche
Firewall-policy-management vendors like Athena, Tufin Technologies and Algosec are serving a small but growing market of companies who need help with firewall rules management, said Greg Young, research vice president at Gartner. Not every company needs this third-party software. Those that do need it typically recognize the need after a disaster.
"It's one of those things like, 'I'm not going to the dentist until my teeth hurt.' Once there is some kind of pain -- the rules base is too large or there's been a very bloody audit or the staff is stretched too thin -- those are the cases where these tools are needed," Young said.
According to Young, there are four scenarios that will push an enterprise to invest in firewall-policy-management software:
- Complex environments: Companies that have a large number of firewalls will often struggle to understand meaning across them or will have so many of them that they are impossible to manage.
- Highly dynamic firewall environments: Here, said Young, "even if you don’t have that many of them, the constant change is an opportunity for a misconfiguration or for vulnerabilities being introduced."
- Multivendor firewall environments: Firewall vendors offer management software of their own, but that software is not compatible with other vendors' products. Many large enterprises will have more than one firewall vendor. Kramer's company, for instance, uses Check Point at the perimeter and Cisco to segment the internal network.
- Stringent audit requirements: If a company encounters a stronger audit requirement than in past years, particularly something like a PCI or HIPAA audit, the manpower needed to document firewall rules for auditors can be overwhelming and amplify any of the other three drivers above.
Tools may not be useful when there are very few firewalls, when they are static or when they are all from the same vendor, Young said, "unless there is some strange policy that has loaded up these firewalls with a lot of rules."
Though small today, the number of companies that do need firewall-policy-management tools is growing.
More on firewall policy management
Create a firewall policy fault model with automatic correction
Who should manage a firewall?
A three-step guide to testing firewalls
Are application signatures a new form of firewall rules bloat?
"The nature of our applications, how they're constructed now with more connections going through, it's so much harder for firewalls to be configured to handle them. It's not a single port connection anymore," Young said. "When you throw cloud into the mix, the connection states we see in firewalls now are a real web. It's very complex, so the rules bases are getting larger and more complicated. As more businesses go online and applications go online, it's slowly increasing the adoption of these tools."
Adopting firewall-policy-management tools: No overnight revolution
Firewall-policy-management software institutes a workflow and an automated configuration-management system that maps firewall policies to firewall rules, requires engineers to justify rules changes, and maintains a live record of all such configurations. This live record is perfect for delivering proof of compliance to auditors.
These tools can also model how firewall rules will affect network security. This capability can identify rules that are insecure and also identify redundant or out-of-date rules that require deletion.
Kramer is about halfway through implementation of FirePAC at his company but had to put the project on hold because a new PCI audit cycle required his undivided attention.
"Standing up some of our bigger firewalls, it takes time to get that thing digested and cleaned up," he said. "It's the nature of these large corporations to just have this sprawl."
Once FirePAC is up and running, Kramer hopes that his company's security engineers will buy into the product so that overall firewall rules management will improve.
"I'm the auditor, and I'm the one getting the most benefit from it [initially]," he said. "The security engineers are not quite onboard yet. There are some organizational challenges in our company as to middle management's ability to get groups to work together. So the people who run day-to-day security and configuration of the routers and firewalls are isolated from the risk management organization that drives security architecture for the entire organization."
Kramer simply needs visibility into what the security engineers are doing with the firewalls. "But I'm confident that when we get it going and get stuff cleaned up, people will start buying into it more."
Let us know what you think about the story; email: Shamus McGillicuddy, News Director