Tackling Today's Firewall Management Issues

Thanks to the ubiquity of firewalls, security administrators have no shortage of options and solutions. We examine the state of firewall management in today's data center.

By Reuven Harrison

Even if a homeowner doesn't have a dog that barks when an intruder enters their house, most have a fence guarding the perimeter of their yard. In the world of IT security, the network firewall is that fence. The ubiquity of firewall technology does not mean that it has become commoditized, however, or that the challenges of managing firewalls have evaporated. On the contrary, protecting today's enterprise means navigating rule sets that are both larger and more complex than ever, while keeping every one of those rules effective.

Enterprises have no shortage of factors to weigh when choosing a firewall vendor. For a long time, the fence I described above took the form of a stateful firewall that blocked or allowed traffic based on large rule sets established by administrators, matching on little more than addresses, ports and connection state. Over time, however, the application landscape has changed, and firewall operations have followed suit. The myriad applications tunneling over port 80 or port 443 look identical to a port-based rule, which has driven the growing adoption of "next-generation firewall" technology.

Next-generation firewalls are application-aware and drill down into traffic to provide greater granularity. They enable administrators to filter traffic according to criteria such as user identity. The increased control and visibility into network traffic promised by next-generation firewalls has fueled their popularity, but getting the best out of these devices requires an understanding of your organization's security needs to avoid adding complexity or hampering performance with unneeded features.

The push to combine more capabilities beyond simply blocking and allowing traffic has also led to the growth of the market for unified threat management appliances (UTM), which Gartner says increased nearly 20 percent between 2010 and 2011 (to an estimated $1.2 billion worldwide). Built for simplicity, UTM devices offer enterprises a comprehensive solution that combines network firewall features with capabilities such as content filtering and gateway anti-spam.

These devices can reduce network complexity, but the individual technologies being bundled together are not always best-of-breed. Additionally, other network vendors such as F5 and Blue Coat Systems have networking gear (application delivery controllers and secure web proxies, respectively) that integrates security and firewall-like functionality, enabling enterprises to consolidate multiple devices into one.

Enterprises must figure out which approach best suits their needs. They have to understand what they are trying to protect. For example, is the firewall guarding an enterprise data center, a small branch office, or a segment of the network that has highly sensitive information? Each scenario has a very different set of business and technology requirements that could play to a specific firewall vendor's strengths.

Once the decision to deploy a firewall is made, the truly challenging part -- managing the device -- begins. It is here that vendors often differ. Some have GUI-oriented tools; others use a command line. Regardless of the approach, one thing is certain: firewalls are not a "set-it-and-forget-it" technology. Security needs change as services, applications, and users change. Rules that no longer serve the needs of the enterprise can hurt performance and introduce risk: because most firewalls apply the first matching rule, an overlapping or shadowed rule can leave a port open that a later rule was meant to close. A simple mistake can have the same effect; mistyping a subnet mask (a /16 where a /24 was intended) silently puts tens of thousands of extra hosts in scope of a rule. These kinds of issues are easily overlooked without automated tools.
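The two defects just described, a shadowed rule and a rule widened by a mistyped mask, are both detectable from the policy alone. The following is an added example (not code from the article or from any vendor product) that checks a small rule set for them. It assumes first-match semantics, a simplified rule format with one source prefix, one destination prefix, one protocol and one port range, and a constructed sample policy; real policies have groups, negations and zones that a production tool must expand first.

```python
"""Added example: static checks on a firewall rule set.

Finds (1) shadowed rules, i.e. rules that can never match because an earlier
rule already covers all of their traffic, and (2) allow rules whose source or
destination spans more addresses than a chosen limit, the symptom of a /16
typed where a /24 was meant. Rule format and sample policy are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # (low, high) inclusive destination ports; (0, 65535) = any


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules):
    """Return (shadowed_id, shadowing_id) pairs under first-match evaluation.

    A rule fully covered by an earlier one is dead code regardless of action:
    a dead deny is a latent hole waiting for the earlier rule to be edited,
    a dead allow is clutter that still has to be audited and justified.
    """
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.rid, earlier.rid))
                break
    return found


def too_broad(rules, max_hosts=256):
    """Return ids of allow rules whose source or destination exceeds max_hosts
    addresses. 256 is a /24; a mistyped /16 is 65,536 and trips this check."""
    return [r.rid for r in rules
            if r.action == "allow"
            and (r.src.num_addresses > max_hosts or r.dst.num_addresses > max_hosts)]


# Constructed sample policy (hypothetical addresses, not from the article).
POLICY = [
    Rule(1, "deny",  ip_network("10.0.0.0/8"),    ip_network("192.168.50.10/32"), "tcp", (23, 23)),
    Rule(2, "allow", ip_network("10.10.0.0/16"),  ip_network("192.168.50.0/24"),  "tcp", (443, 443)),  # /16 typed, /24 meant
    Rule(3, "allow", ip_network("10.10.1.0/24"),  ip_network("192.168.50.0/24"),  "tcp", (443, 443)),  # shadowed by 2
    Rule(4, "deny",  ip_network("10.0.5.0/24"),   ip_network("192.168.50.10/32"), "tcp", (23, 23)),    # shadowed by 1
    Rule(5, "allow", ip_network("172.16.0.0/24"), ip_network("192.168.50.20/32"), "udp", (53, 53)),
]

if __name__ == "__main__":
    for dead, by in shadowed_rules(POLICY):
        print(f"rule {dead} is shadowed by rule {by}")
    for rid in too_broad(POLICY):
        print(f"rule {rid} allows more than a /24 of hosts; check the mask")
```

Run against the sample, the checker reports rule 3 shadowed by rule 2, rule 4 shadowed by rule 1, and rule 2 as suspiciously broad. The shadowing check is exact only for this single-prefix rule shape; once a rule carries multiple objects or negated fields, the "covered" test has to be done per expanded tuple, which is exactly the work the article argues should not be done by hand.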

Unfortunately, the native management features in firewall products do not always meet an enterprise's needs. They often lack the granularity security administrators need to analyze and correlate information across multiple firewalls and confirm that rules and access controls are doing what they were meant to. The difficulties of managing firewalls have not eased; they have worsened.

In fact, in a survey we released in November, we found that 85 percent of the network security professionals we polled later had to modify up to half of the firewall rule changes they make, because the changes had been designed incorrectly. The same survey found that 28 percent said it takes them between several hours and several days to design a rule change, and 66 percent felt their change management process either could place the organization at risk or already does.

Getting a handle on this process is vital for network security and general operations, and requires a firm grasp of network topology. Administrators need to understand access flows, particularly on large networks with multiple firewalls and subnets, so that it is clear which routers and firewalls along a path must be modified for a change to take effect, and so that services are not inadvertently cut off when a rule on one of those devices changes.

This is closely tied to another common problem facing enterprise firewalls: a lack of documentation. Documenting firewall rules ensures administrators understand why the change was made, who made it, when it was made, who was involved, and other relevant information that is critical for compliance audits because access rules may need to be justified.

Even without compliance audits however, organizations should be doing their own periodic audits as well. Firewall audits should be conducted whenever you adopt a new firewall, introduce new IP-capable applications, or take other actions that could impact network security.

When changes occur, it is important to monitor systems for any negative impacts, such as dramatic changes in traffic. For similar reasons, any access requests should be tracked, and organizations should put a system in place to show that requests went through a business approval process.

Smart firewall management also means utilizing data from firewall logs. This data is vital for troubleshooting as well as for determining rule usage: a rule that never appears in the logs over a meaningful period is a candidate for removal. Two caveats apply. A rule only produces log entries if logging is enabled on it, so silence from an unlogged rule proves nothing, and a rule that serves a quarterly batch job or a disaster-recovery failover will legitimately show no hits for months, so the observation window must be longer than the business cycle of the traffic the rule exists for. Handling this process manually can be challenging to say the least; fortunately, there are automated tools that can help simplify the task for administrators.
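The rule-usage analysis described above, as an added example that is not code from the article or from any product. It counts hits per rule id in a log export and reports each policy rule as used, unused, unseen (no hits, but the log window is too short to conclude anything) or unknown (the rule does not log, so absence is meaningless). The key=value log format, the policy table and the log lines are constructed for illustration; real exports differ by vendor and the parser would be adapted accordingly.

```python
"""Added example: rule-usage report from firewall logs (constructed format)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: syslog-style lines carrying a rule= field.
# Addresses, hostnames and timestamps are hypothetical.
SAMPLE_LOG = """\
2012-03-01T08:00:01Z fw1 action=allow rule=2 src=10.10.1.20 dst=192.168.50.5 proto=tcp dport=443
2012-03-01T08:00:02Z fw1 action=allow rule=2 src=10.10.1.21 dst=192.168.50.5 proto=tcp dport=443
2012-03-01T08:00:03Z fw1 action=deny rule=1 src=10.0.5.9 dst=192.168.50.10 proto=tcp dport=23
2012-03-01T09:15:00Z fw1 action=allow rule=5 src=172.16.0.7 dst=192.168.50.20 proto=udp dport=53
2012-03-02T10:00:00Z fw1 action=allow rule=2 src=10.10.1.22 dst=192.168.50.5 proto=tcp dport=443
2012-03-02T10:00:01Z fw1 action=deny rule=cleanup src=203.0.113.4 dst=192.168.50.5 proto=tcp dport=22
"""

# The policy as the administrator knows it: rule id -> does this rule log its matches?
# Rule 6 is a hypothetical rule with logging switched off.
POLICY_LOGGING = {"1": True, "2": True, "3": True, "4": True,
                  "5": True, "6": False, "cleanup": True}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields plus a datetime under 'ts'.
    Returns None for lines that do not fit the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def rule_hits(log_text):
    """Return (hit counter keyed by rule id, first timestamp, last timestamp)."""
    counts = Counter()
    first = last = None
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "rule" not in f:
            continue
        counts[f["rule"]] += 1
        first = f["ts"] if first is None else min(first, f["ts"])
        last = f["ts"] if last is None else max(last, f["ts"])
    return counts, first, last


def usage_report(policy_logging, log_text, min_window_days=30):
    """Classify every policy rule from the log evidence.

    used    - at least one logged hit
    unknown - zero hits but the rule does not log, so nothing can be concluded
    unseen  - zero hits, but the log window is shorter than min_window_days
    unused  - zero hits across a window long enough to act on
    """
    counts, first, last = rule_hits(log_text)
    window = (last - first) if first and last else timedelta(0)
    report = {}
    for rid, logs_matches in policy_logging.items():
        if counts[rid]:
            report[rid] = "used"
        elif not logs_matches:
            report[rid] = "unknown"
        elif window < timedelta(days=min_window_days):
            report[rid] = "unseen"
        else:
            report[rid] = "unused"
    return report, counts, window


if __name__ == "__main__":
    report, counts, window = usage_report(POLICY_LOGGING, SAMPLE_LOG)
    print(f"log window: {window}")
    for rid in sorted(report, key=str):
        print(f"rule {rid:>8}: {report[rid]:8} ({counts[rid]} hits)")
```

With the sample's one-day window the zero-hit rules 3 and 4 come out as "unseen", not "unused"; only when the window requirement is lowered (or a longer export is supplied) do they become removal candidates, and rule 6 stays "unknown" no matter how long the window is until logging is turned on for it. Carrying the window length in the report is what keeps a short export from being mistaken for proof.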

To be sure, the complexity of today's networks has heightened the challenges facing firewall administrators. There are more firewalls, more types of firewalls, and more devices that closely interact with them that all must be managed. As enterprises march into the future, they are going to require both continued innovation by vendors and vigilance by IT administrators to ensure their firewall deployments remain effective.

Firewall management technology has matured to the point where it offers administrators much more than a life preserver to prevent them from sinking into complexity. It gives them the ability to centrally and strategically manage firewalls, switches, and routers to reduce risk, streamline operations, and improve security and compliance management.

Reuven Harrison is a co-founder and the chief technology officer at Tufin Technologies, a network security company that over the past seven years has pioneered the development of firewall management solutions. Reuven has a diverse background, including a degree in Mathematics and Philosophy from Tel Aviv University and more than 20 years of software development experience (including four years at Check Point Software). Reuven can be reached at
