Next-generation firewalls enhance network security with integrated intrusion prevention and visibility into applications and users, but they also introduce new management challenges.
Firewall management has always presented a challenge since traditional stateful firewalls get overloaded with thousands of outdated rules. But with next-generation firewall management, network security professionals face multiple new layers of rules and policies to maintain.
"Firewall rules bloat has always been around, but ... with intrusion prevention and application control, the issue is just compounded," said Greg Young, research vice president with Stamford, Conn.-based Gartner Inc. "There is an opportunity to reduce complexity with next-generation firewalls, but if not implemented correctly, you can have a lot more complexity."
Osterman Research recently surveyed 209 enterprises about next-generation firewall management on behalf of Skybox Security, a security and risk management company. The survey asked network security professionals to list their three biggest challenges with next-generation firewall management, which were: verifying that access and network segmentation policies are enforced correctly (39%); maintaining intrusion prevention system (IPS) signatures (37%); and optimizing firewall rule-sets (36%).
The complexity of rules and policies in stateful firewalls forces network security managers to integrate more business logic into their firewall management approach.
"Next-generation firewall rules are dealing with which users in your user groups can access Web apps or Facebook at which times of day. Not only are rules getting more complicated, but the logic of what the organization wants in a security policy is getting more sophisticated. That's a planning challenge, a coordination challenge and also a technical challenge," said Gidi Cohen, CEO and founder of Skybox.
Network security pros need to abandon "old-school" approaches to firewall management with next-generation products, Young said. For instance, change control for application control rules and policies cannot function like traditional port-based rules, he said.
On a traditional firewall, any change requires a change request. If the development team wanted to launch a new application, it would send a change request for a port to be opened on the firewalls. That granular approach won't work with the application visibility on a next-generation firewall. "Do it in a different way. You can approve classes of applications," Young said. "You can say, 'We're not going to allow any peer-to-peer, except for certain situations.' So if a new application is recognized as peer-to-peer and the firewall administrators want to approve that rule, it should be handled in a pre-approved manner."
Next-generation firewall management: A mature, coordinated approach
To a large extent, firewall management is an issue of change control, said Scott Crawford, research director for Enterprise Management Associates. Enterprises with a mature firewall change management approach tend to avoid security breaches and performance disruptions. As firewall environments get more complex with next-generation firewalls, automation becomes more important.
The Skybox survey found that 58% of enterprises have more than 100 rules on their next-generation firewalls, and 35% of companies make more than 100 changes per month.
Users must leverage automation in these complex environments, because they are often too complex to be reliably managed through manual processes alone, Crawford said.
"Verify any changes you plan to make before you deploy them, to the extent you can using modeling, and track those changes to make sure they are deployed as expected. Also, you need to have a process for dealing with when you have to back out of changes so you don't produce additional problems."
Vendors like Skybox, Tufin Technologies, AlgoSec and Athena Security specialize in these issues. They offer firewall change control and most can model how those changes will affect the network. These vendors are also updating their products for next-generation firewall management.
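The pre-deployment check Crawford describes (model the change, then confirm it does what you expect) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any of the vendors it names; the rule base, the guest and database networks and the segmentation policy are constructed for illustration, and the rule model (source, destination, destination ports, first-match semantics) is a deliberate simplification of a real next-generation policy. It answers two of the survey's top questions for a proposed rule: is it already covered by an earlier rule (rule-set bloat, or worse, silently shadowed by a deny), and would it open a path the segmentation policy says must stay closed.

```python
"""Pre-deployment check of a proposed firewall rule against an existing
rule base and a segmentation policy.

Added example with constructed data: the networks, rule names and policy
below are placeholders, not a real environment.  The rule model is a
simplification (source net, destination net, destination ports, action,
first match wins)."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset  # destination ports; frozenset({"any"}) matches every port
    action: str       # "allow" or "deny"


def rule(name, src, dst, ports, action):
    """Convenience constructor that parses the CIDR strings."""
    return Rule(name, ip_network(src), ip_network(dst), frozenset(ports), action)


def ports_cover(outer, inner):
    return "any" in outer or inner <= outer


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and ports_cover(outer.ports, inner.ports))


def shadowing_rule(rulebase, proposed):
    """First existing rule that fully covers `proposed`, or None.  Under
    first-match semantics such a rule means the new rule is never reached:
    redundant if the actions agree, silently ineffective if they differ."""
    for existing in rulebase:
        if covers(existing, proposed):
            return existing
    return None


def segmentation_violations(policy, proposed):
    """`policy` lists (src_net, dst_net) pairs that must never be allowed.
    A proposed allow rule is flagged if it overlaps any such pair at all."""
    if proposed.action != "allow":
        return []
    return [(s, d) for s, d in policy
            if proposed.src.overlaps(ip_network(s))
            and proposed.dst.overlaps(ip_network(d))]


def review_change(rulebase, policy, proposed):
    """Return a list of findings; an empty list means the change is clean."""
    findings = []
    shadow = shadowing_rule(rulebase, proposed)
    if shadow is not None:
        findings.append(f"shadowed by '{shadow.name}' ({shadow.action}): "
                        "the new rule would never match")
    for s, d in segmentation_violations(policy, proposed):
        findings.append(f"violates segmentation: {s} -> {d} must stay blocked")
    return findings


# Constructed sample environment: corporate clients, a web tier, a guest
# network and a database segment that guests must never reach.
RULEBASE = [
    rule("allow-web-from-corp", "10.10.0.0/16", "10.50.0.0/24", [80, 443], "allow"),
    rule("deny-guest-to-internal", "192.168.100.0/24", "10.0.0.0/8", ["any"], "deny"),
]
SEGMENTATION_POLICY = [("192.168.100.0/24", "10.60.0.0/24")]  # guest -> database

PROPOSED = [
    rule("allow-intranet-443", "10.10.5.0/24", "10.50.0.0/24", [443], "allow"),
    rule("allow-guest-db", "192.168.100.0/24", "10.60.0.5/32", [1521], "allow"),
    rule("allow-corp-to-db", "10.10.0.0/16", "10.60.0.0/24", [1521], "allow"),
]

if __name__ == "__main__":
    for change in PROPOSED:
        print(change.name, review_change(RULEBASE, SEGMENTATION_POLICY, change) or ["ok"])
```

Run as a script it reports the first proposed rule as redundant (already covered by the corporate web rule), the second as both shadowed by the guest deny and in conflict with the segmentation policy, and the third as clean. The same `covers` check run pairwise over an existing rule base is the basic shadowed-rule detection that the survey's "optimizing firewall rule-sets" task starts with.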
Network security teams should also make sure they coordinate next-generation firewall management with the network operations team if the two groups are separate entities within an IT organization, Crawford said.
"Even before next-generation firewalls, we saw organizations running into issues around expected levels of performance and availability being disrupted because security policy was imposed without realizing what the impact would be," Crawford said.
"As you add application-aware firewalls, the challenge becomes even greater. Even on the client side in a distributed network, if you're deploying WAN optimization, you want to tune that [to be] fairly application-specific. You need to coordinate what the network needs in terms of performance and availability with security requirements to avoid conflicts and increased exposure."
Intrusion prevention on the firewall: Another wrinkle
The Skybox survey demonstrated that many enterprises struggle with managing intrusion prevention signatures on their next-generation firewalls. Eighty-six percent of companies plan to use the IPS module on their firewalls; 65% of them in active inline prevention mode. Managing the IPS signatures on those modules isn't easy. Only 54% of companies manage them automatically with updates from their vendors. Thirty-two percent are trying to manage them manually.
"The default signature set is just an entry point," Gartner's Young said. "Then comes the value of tuning. For instance, if you have no Oracle databases, don't enable the Oracle signatures. Or, if you have a large emphasis on Oracle, then you really want to optimize and tune those Oracle signatures."
Some enterprises want to know how effective those signatures are at blocking threats, according to Michelle Johnson Cobb, vice president of worldwide marketing at Skybox. "Are they really going to block what I think they are going to block?" she asked. "There are ways to be able to tell if what you put in place is actually working for you."
If users implement thousands of default signatures for potential threats, it will slow the traffic down.
"So if one of your goals is to ensure you have as high a performance as possible while also blocking threats, there's this balancing act," Cobb said. "Also, things change. On a daily basis there could be new vulnerabilities or new threats. You may have to decide whether you need to activate new signatures or not."
Skybox, which just added support for Palo Alto Networks' IPS functionality, can analyze signatures and map them to vulnerabilities.
"You can have a dashboard that shows which signatures are active and blocking vulnerabilities, and which ones you could turn on that would allow you to be more protected."
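Young's tuning advice (no Oracle, no Oracle signatures) and Cobb's dashboard (which active signatures block a known vulnerability, which inactive ones would) are the same join between three inventories: the signature set, the software actually deployed, and the open findings from the vulnerability scanner. The following is an added example that performs that join; it is not Skybox's code or any vendor's data model, and the signature ids, product names and vulnerability identifiers are constructed placeholders. Active signatures that protect software not present on the network are reported as candidates to disable (the performance cost Cobb describes with no protective benefit), and inactive signatures for deployed software as candidates to enable, with the open vulnerabilities they would close.

```python
"""Tune an IPS signature set against the environment it protects.

Added example with constructed data: signature ids, product names and
vulnerability identifiers below are placeholders, not real vendor content."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sid: str
    product: str          # software the signature protects, e.g. "oracle-db"
    vuln_ids: frozenset   # vulnerability identifiers the signature blocks
    active: bool          # currently enabled on the firewall's IPS module


@dataclass(frozen=True)
class Asset:
    host: str
    products: frozenset   # software running on the host
    vuln_ids: frozenset   # open findings from the vulnerability scanner


@dataclass
class TuningReport:
    keep: list = field(default_factory=list)                # active and relevant
    disable_candidates: list = field(default_factory=list)  # active, protects nothing deployed
    enable_candidates: list = field(default_factory=list)   # inactive but relevant
    covered_vulns: set = field(default_factory=set)         # open vulns blocked today
    uncovered_vulns: set = field(default_factory=set)       # open vulns no active sig blocks


def tune(signatures, assets) -> TuningReport:
    """Classify each signature by whether it protects deployed software and
    whether it is active, and compute which open vulnerabilities are covered."""
    deployed = set().union(*(a.products for a in assets))
    open_vulns = set().union(*(a.vuln_ids for a in assets))
    report = TuningReport()
    for sig in signatures:
        relevant = sig.product in deployed
        if sig.active and relevant:
            report.keep.append(sig.sid)
            report.covered_vulns |= sig.vuln_ids & open_vulns
        elif sig.active and not relevant:
            report.disable_candidates.append(sig.sid)
        elif not sig.active and relevant:
            report.enable_candidates.append(sig.sid)
        # inactive and irrelevant: nothing to do, leave it off
    report.uncovered_vulns = open_vulns - report.covered_vulns
    return report


def closes_open_vuln(signatures, report):
    """Of the enable candidates, the ones that would block a currently
    uncovered open vulnerability: the first signatures to turn on."""
    by_sid = {s.sid: s for s in signatures}
    return [sid for sid in report.enable_candidates
            if by_sid[sid].vuln_ids & report.uncovered_vulns]


# Constructed sample inventories.
SIGNATURES = [
    Signature("SIG-1001", "oracle-db", frozenset({"VULN-A"}), active=True),
    Signature("SIG-1002", "oracle-db", frozenset({"VULN-B"}), active=False),
    Signature("SIG-2001", "iis", frozenset({"VULN-C"}), active=True),
    Signature("SIG-3001", "apache-httpd", frozenset({"VULN-D"}), active=False),
    Signature("SIG-3002", "apache-httpd", frozenset({"VULN-E"}), active=False),
]
ASSETS = [
    Asset("db01", frozenset({"oracle-db"}), frozenset({"VULN-A", "VULN-B"})),
    Asset("web01", frozenset({"apache-httpd"}), frozenset({"VULN-D"})),
]

if __name__ == "__main__":
    r = tune(SIGNATURES, ASSETS)
    print("keep:", r.keep)
    print("disable (nothing deployed to protect):", r.disable_candidates)
    print("enable (protects deployed software):", r.enable_candidates)
    print("enable first (closes an open finding):", closes_open_vuln(SIGNATURES, r))
    print("open vulnerabilities with no active signature:", sorted(r.uncovered_vulns))
```

With the constructed inventories, the IIS signature is active but guards nothing on the network, the two Apache signatures and the second Oracle signature are off although the software is deployed, and of those three only SIG-1002 and SIG-3001 would close a finding the scanner currently reports. Feeding the scanner export and the firewall's signature list into `tune` on the same daily cadence Cobb mentions is what turns the default signature set into a tuned one.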