
How to avoid the complexity risks associated with next-generation firewalls

Next-generation firewalls can be a real headache for the IT department; Sam Erdheim shows how to maximise security while avoiding the complexity that such firewalls can bring.

Evolution isn’t an easy process. Take firewalls, for example: increased mobility, virtualization, security consolidation and the rise of more sophisticated threats have caused the stateful firewall to evolve into the next-generation firewall (NGFW). NGFWs support additional policy granularity and control, including application control, intrusion prevention systems (IPS), anti-malware, email security and more.

But this comes at a cost: added complexity. Unless NGFW policies are carefully designed and maintained, they can take what was a single rule (for example, allowing HTTP) and turn it into a policy that includes thousands of new rules, one per application the NGFW identifies within that traffic – in turn creating extra opportunities for introducing error and risk.

In a recent AlgoSec survey, 56.5 percent of respondents who had deployed NGFWs stated that they did so to boost security and improve protection against attacks. But there was a trade-off for the enhanced security: 56 percent of respondents said that managing firewall processes took more work with NGFWs, and 46 percent said they needed to make more changes once their NGFWs were deployed.

However, there are methods and approaches that IT and infosecurity teams can use to minimise the complexity and workload in managing NGFWs and their policies. Here, we will take a closer look at the issues involved in implementing and controlling NGFW security policies.

Next-generation policy matters

Typically, when replacing a traditional firewall with a NGFW there are two possible approaches to developing and applying policies:

a) migrating policies from the stateful firewall to the NGFW;
b) building the rule base from the ground up.

With the first approach, while some NGFW vendors offer their own conversion tools, you should also consider using a firewall policy management solution. This can compare the policies on the two firewalls to confirm that the NGFW has been configured correctly. The NGFW will then pull in application, user and group information, which can be used to build more granular policies.

With the second approach, the original stateful firewall remains operational while the NGFW runs in a ‘learning mode’ to gain visibility of applications, users and groups. This information will be used to understand who is using what, and is the starting point to building the new NGFW policy. In either case, it’s logical to gradually build out more granular policies to improve security without impacting business productivity. Some NGFWs are configured with application categories to help with the process of managing policies, and these can be a useful starting point.

The next stage is to optimise and manage your NGFW policies over time, in the context of your network. Here are seven steps to help you quickly achieve this:

1. Gain visibility of policies
You can optimise policies by looking at what business and web applications are used by whom, and how often. Run regular reports to spot new applications in use, and to understand any impact from both a security and performance perspective: this helps in optimising policies, and in removing unused applications from policies. For example, if an application is only required by one group of users (such as the marketing team needing access to Facebook), that application can be opened up to that specific group and restricted from others.

2. Reorder rules to improve performance
Firewalls evaluate a rule base top-down and apply the first rule that matches a packet, so a busy rule buried deep in a long rule base costs a lookup on every packet it handles. Reordering rules by throughput (rules that match the heaviest application usage go near the top) therefore helps address potential performance issues. The caveat: because evaluation is first-match, a rule must never be moved above a rule whose traffic it overlaps, or the policy’s behaviour changes. Only reorder rules whose match spaces are disjoint, and verify the decision for representative traffic before and after.

3. Identify rules to remove from the rule base
Firewall rules are often forgotten about, or even duplicated through change requests. Being able to identify unused rules (zero hits over a reporting period), duplicated rules, shadowed rules (never reached because an earlier rule already matches the same traffic) and empty rules can significantly reduce the overhead on your admin team and on the firewall.
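Steps 2 and 3 share the same underlying analysis: knowing when two rules can match the same traffic. The following is an added example, not code from the article or from any vendor’s tool, that models a small first-match rule base and (a) finds duplicate, shadowed and unused rules, and (b) reorders by hit count without ever moving a rule past one it overlaps with, so every packet still hits the same rule. The rules, CIDRs, application identifiers and hit counts are constructed for illustration.

```python
"""Added example (not from the article or AlgoSec): first-match rule-base
hygiene. Rules, CIDRs, app ids and hit counts are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    apps: frozenset      # NGFW application ids; {"any"} matches every app
    action: str          # "allow" or "deny"
    hits: int = 0        # hit counter exported from the firewall


def _net(cidr: str):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr)


def _apps_overlap(a: frozenset, b: frozenset) -> bool:
    return "any" in a or "any" in b or bool(a & b)


def _apps_subset(a: frozenset, b: frozenset) -> bool:
    """Every app matched by a is also matched by b."""
    return "any" in b or ("any" not in a and a <= b)


def overlaps(r1: Rule, r2: Rule) -> bool:
    """True if some (src, dst, app) tuple matches both rules."""
    return (_net(r1.src).overlaps(_net(r2.src))
            and _net(r1.dst).overlaps(_net(r2.dst))
            and _apps_overlap(r1.apps, r2.apps))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if everything inner matches is already matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and _apps_subset(inner.apps, outer.apps))


def analyze(rules: list[Rule]) -> dict:
    """Step 3: exact duplicates, rules shadowed by an earlier rule (unreachable
    under first-match), and reachable rules with zero hits (review for removal)."""
    dup, shadowed, unused = [], [], []
    for i, r in enumerate(rules):
        earlier = rules[:i]
        same = next((e for e in earlier
                     if (e.src, e.dst, e.apps) == (r.src, r.dst, r.apps)), None)
        if same:
            dup.append((r.name, same.name))
            continue
        shadow = next((e for e in earlier if covers(e, r)), None)
        if shadow:
            shadowed.append((r.name, shadow.name))
            continue
        if r.hits == 0:
            unused.append(r.name)
    return {"duplicates": dup, "shadowed": shadowed, "unused": unused}


def safe_reorder(rules: list[Rule]) -> list[Rule]:
    """Step 2: bubble high-hit rules upward, but only past rules they do not
    overlap with. Every swap is of two disjoint rules, so first-match results
    are identical before and after."""
    out = list(rules)
    for i in range(1, len(out)):
        j = i
        while j > 0 and out[j - 1].hits < out[j].hits and not overlaps(out[j - 1], out[j]):
            out[j - 1], out[j] = out[j], out[j - 1]
            j -= 1
    return out


def first_match(rules: list[Rule], src_ip: str, dst_ip: str, app: str):
    """First-match evaluation as the firewall does it; returns the rule name."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst) and ("any" in r.apps or app in r.apps):
            return r.name
    return None


# Constructed sample rule base (order matters).
RULES = [
    Rule("allow-dns", "10.0.0.0/8", "10.9.9.9/32", frozenset({"dns"}), "allow", hits=50_000),
    Rule("deny-p2p", "10.0.0.0/8", "any", frozenset({"bittorrent"}), "deny", hits=3),
    Rule("allow-web", "10.0.0.0/8", "any", frozenset({"web-browsing", "ssl"}), "allow", hits=900_000),
    Rule("allow-facebook-mkt", "10.1.0.0/16", "any", frozenset({"facebook"}), "allow", hits=4_000),
    Rule("allow-web-dup", "10.0.0.0/8", "any", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("deny-p2p-mkt", "10.1.0.0/16", "any", frozenset({"bittorrent"}), "deny"),
    Rule("allow-teamviewer-tmp", "10.2.0.0/16", "any", frozenset({"teamviewer"}), "allow"),
    Rule("deny-all", "any", "any", frozenset({"any"}), "deny", hits=7_000),
]

if __name__ == "__main__":
    print(analyze(RULES))
    print([r.name for r in safe_reorder(RULES)])
```

On the sample, `allow-web-dup` is reported as a duplicate of `allow-web`, `deny-p2p-mkt` as shadowed by `deny-p2p`, and `allow-teamviewer-tmp` as reachable but unused. The reorder moves `allow-web` to the top and `deny-p2p` below `allow-facebook-mkt`, but `deny-all` stays last because it overlaps everything above it. Real NGFW objects (address groups, user groups, ports, zones) add dimensions to `overlaps` and `covers`; the first-match reasoning is the same.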

4. Run regular risk queries
You should define the applications that are acceptable for your organization and then create exceptions, or segment by users or user groups, as needed. Application categories to consider include:

  • Business appropriate applications;
  • Productivity apps such as Dropbox, RDP and TeamViewer, which can open security gaps;
  • Inappropriate file-swapping applications;
  • Vectors for sensitive data loss like personal network storage;
  • High-bandwidth applications such as streaming video sites;
  • Malicious applications - cyber-warfare tools, corporate espionage trojans, identity-stealing ‘bots’, viruses and worms, etc.

A misconfigured rule, a backdoor, or a temporary rule that gets forgotten about and stays in place are all risks that should be tracked. Another example is a remote control application, which enables IT and support staff to remotely address computer and networking issues. While this type of application is a real business need for specific users, it can also be used to bypass security policies and create a potential access point for malicious parties.
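Step 1 (who uses what) and step 4 (risk queries) fit together: the usage report tells you which groups actually need an application, and the risk query compares that against what the policy grants. The following is an added example, not code from the article or from any vendor’s product, that builds the usage report from constructed NGFW traffic log lines and then runs three risk queries over a constructed rule set: a risky category granted beyond the groups with a business need (the remote control case above), a temporary rule past its expiry date, and an any-group grant that usage shows only one group needs. The log format, application category map, permitted-groups table, rules and dates are all assumptions for illustration.

```python
"""Added example (not from the article or AlgoSec): usage visibility feeding
risk queries. Log lines, categories, group exceptions and rules are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed NGFW traffic log: timestamp,user,group,app,action
LOG = """\
2013-07-01T09:01:02,alice,marketing,facebook,allow
2013-07-01T09:01:05,bob,engineering,ssl,allow
2013-07-01T09:02:11,carol,it-support,teamviewer,allow
2013-07-01T09:03:40,dave,finance,teamviewer,allow
2013-07-01T09:04:12,alice,marketing,dropbox,allow
2013-07-01T09:05:00,erin,engineering,bittorrent,deny
2013-07-01T09:06:30,carol,it-support,rdp,allow
2013-07-01T09:07:15,bob,engineering,github,allow
"""

# Constructed category map; apps not listed are "new" and need classifying.
CATEGORY = {"teamviewer": "remote-access", "rdp": "remote-access",
            "dropbox": "file-sharing", "bittorrent": "p2p", "facebook": "social",
            "ssl": "business", "web-browsing": "business"}
# Groups with a business need per risky category (an empty set means nobody).
PERMITTED_GROUPS = {"remote-access": {"it-support"}, "social": {"marketing"},
                    "file-sharing": set(), "p2p": set()}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset           # user groups; {"any"} = everyone
    apps: frozenset
    action: str                 # "allow" or "deny"
    expires: date | None = None  # set on temporary rules


RULES = [
    Rule("allow-remote-support", frozenset({"any"}), frozenset({"teamviewer", "rdp"}), "allow"),
    Rule("allow-social-mkt", frozenset({"marketing"}), frozenset({"facebook"}), "allow"),
    Rule("allow-dropbox-migration", frozenset({"marketing"}), frozenset({"dropbox"}), "allow",
         expires=date(2013, 6, 30)),
    Rule("deny-p2p", frozenset({"any"}), frozenset({"bittorrent"}), "deny"),
]


def usage_report(log: str) -> dict[str, dict[str, int]]:
    """Step 1: who uses what. Maps app -> group -> allowed sessions."""
    report: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        _ts, _user, group, app, action = line.split(",")
        if action == "allow":
            report[app][group] += 1
    return {app: dict(groups) for app, groups in report.items()}


def unclassified_apps(report: dict) -> list[str]:
    """Step 1: applications seen in traffic that the category map does not know."""
    return sorted(app for app in report if app not in CATEGORY)


def risk_queries(rules: list[Rule], report: dict, today: date) -> list[tuple]:
    """Step 4: (rule, finding, detail) tuples for over-broad grants of risky
    categories, expired temporary rules, and any-group grants one group uses."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.expires and r.expires < today:
            findings.append((r.name, "expired", str(r.expires)))
        for app in sorted(r.apps):          # sorted: deterministic output
            allowed = PERMITTED_GROUPS.get(CATEGORY.get(app, "unknown"))
            if allowed is None:             # business/unknown: no policy objection here
                continue
            extra = {"everyone"} if "any" in r.groups else r.groups - allowed
            if extra:
                findings.append((r.name, "over-broad", app))
            users = report.get(app, {})
            if "any" in r.groups and len(users) == 1:
                findings.append((r.name, "tighten", app))
    return findings


if __name__ == "__main__":
    rep = usage_report(LOG)
    print("new apps:", unclassified_apps(rep))
    for f in risk_queries(RULES, rep, date(2013, 7, 11)):
        print(f)
```

Run against the constructed data, the report shows TeamViewer used by two groups but RDP only by IT support, so `allow-remote-support` is flagged both as over-broad (granted to everyone) and, for RDP, as a candidate to tighten to the one group that uses it; `allow-dropbox-migration` is flagged as an expired temporary rule and as a file-sharing grant to a group with no standing permission; and `github` surfaces as a new, unclassified application to review. In practice the report would be fed from the NGFW’s own traffic logs and the category and permitted-groups tables from your acceptable-use policy.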

5. Ensure continuous compliance
Once you have created your baseline, you should be able to run reports to ensure that your policies are in compliance with regulatory requirements such as PCI DSS, SOX and other relevant mandates as well as your own internally defined standards.

6. Automate firewall change request processes
Maintain your optimised and secure policies over time by automating the firewall change request processes. The extra granularity of NGFWs means more opportunities for change requests to pile up. Consider a firewall-aware change workflow solution that understands network topology and provides accurate and actionable analysis to ensure changes are actually needed and don’t create new risks.

7. Manage ALL of your firewall policies
Finally, remember that it’s not just the NGFW policy that you have to analyse and manage: you will also have other devices, including traditional firewalls, hypervisor-level firewalls, routers, secure web gateways, proxies, VPNs and other related security devices. Many organizations have multiple firewalls and devices from different vendors spanning both physical and virtualised environments. Ensuring policy management efficiency through standardised rule interpretation, centralised management and reporting across all of your firewalls is key to improving operations, simplifying audits and reducing risk.

In conclusion, just as standard firewalls need to be managed because rule bases of thousands of rules invite errors, this need increases greatly with NGFWs. Their application control and whitelisting capabilities introduce both policy multiplication and complexity. However, with sound, automated firewall policy management, you can enjoy their security benefits while minimising the complexity.

The author: Sam Erdheim is senior security strategist at AlgoSec.

•Date:11th July 2013 • UK/World •Type: Article • Topic: ISM
