A number of classic scenes in film and literature involved a group approaching a walled city or castle only to be stopped by a gatekeeper and asked, “Halt, who goes there?” Depending on the answer, be it Arthur, son of Uther Pendragon or Dorothy and the Tin Man, the gatekeeper makes the call on whether or not the group can pass or is turned away.
Firewalls are the digital correlate of this archetypal gatekeeper: they are the gatekeepers for our corporate network and data center perimeters. Firewalls make the call – packet by packet – on which traffic, which network services are acceptable and can pass by and which are acceptable and can enter the gates. But unlike the fictional or historical gatekeepers, the amount of rules employed by a firewall is mind-boggling. For example, the fellow guarding the Emerald City trying to keep out Dorothy only had to remember: Default Deny ANY for people with the name Dorothy.
In the real world, perimeter firewalls have extremely complex policies comprised of hundreds of different rules – or potentially even more. It’s staggeringly complex – but at the same time, extremely precise. The accuracy of the policy set is what makes the firewall effective or not. Having the wrong policy can be tantamount to having no firewall in place at all if risky services are allowed to pass or the wrong ports are left open.
As defined in NIST SP 800-41 Guidelines on Firewalls and Firewall Policies, the firewall policy “dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types… including which types of traffic can traverse a firewall under what circumstances.” Companies that have taken the time to define their policy and rules usually put firewalls into production with a fairly robust policy set.
The problem occurs over time as change requests are made and administrators are asked to incorporate more and more rules over time. Balancing a complex rule set within very tight constraints of precision is possible (though difficult) during initial deployment, adding to that rule set down the road means that same effort and validation is required again and again as the firewall is changed, changed again, and further updated with ever more complex scenarios and additive “one off” situations to accommodate business or technical requirements.
Another concern is the sliding rule base from firewall to firewall. Large organizations have multiple firewalls and routers in redundant and High Availability configurations. Ideally the perimeter security devices are kept in synch – which changes to one device being deployed in the same way on all partner devices in the architecture. In practice, that’s not always the case. Rule sets shift on devices over time as a change is made to one but not another. The result are gatekeepers trying to determine the answer to “who shall” and “who shall not” pass – using different, and sometimes even conflicting, rule bases.
Automation and centralization
How can companies validate that their perimeter devices are making the gatekeeper calls from the same book? They need to have some way to normalize policy implementation and validate implementation of those rule sets across all firewalls – as well as other perimeter access control devices like routers. Rule set validation can be done manually, but any security professional that has ever completed a manual firewall review – and plenty have I know have done this more than they care to remember – know it’s not only time consuming but also prone to human error and oversights. Not to mention capable of turning the rule set reviewers temporarily boss-eyed in the process.
One way to get out ahead of the problem is to leverage firewall management solutions, an increasingly popular category of security solutions that enable organizations to manage firewall policies using a centralized management console. Rather than having atomic instances of policies across firewalls that are manually updated, keep all the policies in a central console, this is not the same as having a single policy for all firewalls.
Medium and large organizations may have multiple policies depending on location of the firewall and specific business purpose. But for each group or set of firewalls that are supposed to share a policy, the central console provides a top down view, which aids in auditing, reporting, troubleshooting and optimization.
Another benefit of keeping firewall policies in centralized repositories is the ability to automatically check these policies against regulatory requirements like SOX and PCI. If a change in a requirement occurs, automated policy tools can ease the update process by recommending rule changes in product specific syntax ensuring effective implementation of the rule regardless of vendor.
Automatic policy tools can also help determine the best place for the new rule so that it doesn’t overshadow or conflict with existing ones. When the auditor comes around asking to review the firewall rules, rather than having to collect stockpiles of configs from every device in the infrastructure, one or two reports from the centralized repository can do the trick.
In addition, security managers must be able to assess risk and vulnerability at any given time – for all relevant network security devices. The challenge is greatest in distributed organizations with multiple teams. Inevitably, different teams develop their own standards and working methodologies. To ensure that everybody is successfully implementing the right security policies, organizations need to implement automated solutions that can evaluate risk and compliance at all times.
Can you imagine if our counterparts in literature were so busy looking up whether Dorothy or the Tin Man could enter Emerald City that they either had a long line of people waiting to enter, or because of information they didn’t have on hand at the time, either let an enemy in or kept important allies out? Security professionals need a new approach to firewall deployment that provides both security and business continuity.
Firewall management solutions provide the ability to create much tighter rule bases that are inherently more secure, compliant and optimized to the needs of the business. Early ROI studies indicate that automation can reduce the time and cost of firewall audits by as much as 75%, and depending on the state of an organizations firewall rule bases, cut the time and cost of firewall management as a whole, in half.
At the end of the day, taking advantage well-applied automation isn’t just smart security – it’s smart business!