Firewall Management Survey Reveals Real-World Practices
What better place than the show floor of April’s Infosecurity Europe 2012 conference to ask 119 network security specialists about their firewall management practices?
The study, conducted by Tufin Technologies (a security policy management solutions provider) and released today, found that only 6 percent of respondent’s organizations have implemented continuous firewall compliance; 39 percent are considering moving to continuous compliance to satisfy legislation such as the EU Directive on Privacy. More than half (51 percent), however, aren’t considering such a move “just yet.”
The survey also reported that 28 percent perform firewall audits quarterly, and a third perform the audit yearly. More than one in ten (12 percent) never perform an audit, and 5 percent perform the task once every five years.
Security administrators clearly have their hands full: 62 percent say they have, on average, hundreds of rules in their rule base, which Tufin says is a 14 percent increase from its 2011 survey. About 8 percent say their rules number in the thousands, down from 8 percent in last year’s study. One in ten report that the rules include “ANY” in one of the rule’s fields; 36 percent say up to 10 percent of their rules contains the term.
It’s no easy task: 65 percent of respondents say they manage four or more distinct network security consoles -- and nearly a third (32 percent) of all respondents manage more than 10.
Survey participants, for the most part, think their rule base is up to date. Only about 40 percent say less than a quarter of their rules are obsolete, and 35 percent say no more than 5 percent of their rules are out of date. These figures are similar to 2011’s survey.
Changing rules has been problematic for most participants: 62 percent answered “yes” when asked, “Have you, or any of your colleagues, ever been asked to make a rule/configuration change against your better judgment?”
Respondents are almost evenly divided when it comes to whether their companies “are focusing on cost savings at the expense of IT security” -- 48 percent said yes, 50 percent said no. More than a quarter (27 percent) of those surveyed think their IT security budget is being “spent on compliance issues that do not improve security.”
-- James E. Powell
Editorial Director, ESJ
Posted on 07/10/2012 at 11:53 AM