Is Your Firewall A Fire Hazard?

by Calum Macleod, Regional Director at Tufin Technologies

With the economy taking quite a bashing and the housing market looking pretty miserable, the question might be: where is the silver lining? I think I may have found it for those poor souls who have just seen their plans of moving to a new house dashed – you don’t have to tidy up!

Let’s face it, if you have lived more than a couple of years in the same place you really don’t want to start packing. After all, how much of the “junk” do you get rid of? And if you’re living with someone who saves everything from empty shoe boxes (because you never know when they might be useful) to Christmas cards from the last 10 years (because you just may want to check who sent you cards in the 20th century), then you’ve already lost. Cupboards are loaded with stuff you never really needed or no longer use. Old Nintendo games are gathering dust along with those never-to-be-played-again cassettes, unless of course the recession results in CD players disappearing and we end up back in the good old days of Amstrad stereos with double cassette decks – how many of you still have two cassette copies of every cassette you bought, just in case the original that was never used got damaged!! Enough!

It is just like the firewalls in most companies. Ask a firewall administrator to tidy up a rule base and get rid of every unused rule and object; or, if you really want to make someone’s life miserable, set them the task of finding all shadowed or overlapping rules or objects across your infrastructure, and I guarantee that after a few hours they’ll either resign or be carried away in a straitjacket. The problem, however, is that the longer you go without “tidying up” your firewall, the greater the risk that it catches “fire” and causes untold damage to your organization.

Firewalls are not, as some might suspect, something you install once, set up and then leave alone. In most organizations the firewall configurations change on a daily basis, with continuous requests for services to be added, removed and modified. This is not only a complex procedure but also a very risky one for an organization.

No matter how well qualified or how experienced your firewall administrator is, it is impossible for anyone to be really on top of every rule in every firewall. For example, how many of your staff fully understand your policies on which services are allowed and who may use them? This is something that even the most dedicated administrator would find impossible to keep track of. Add to this that not all firewall administrators are created equal, and you will find that very often the addition of a new service results in a major disaster because a change was made without first understanding its implications for other services. The bottom line for many companies is that they are not in control of their firewalls.

So what are some of the things that you should be addressing?

  1. Tidy up your rule base – Firewalls are very often managed like in-trays. Every few days something new gets added on top of the existing configuration, with the result that rule bases grow to an unmanageable size. Very often rules overlap and nobody takes the time to check this, or more likely nobody knows where to start. As more and more rules are added, the performance of the firewall decreases because the firewall has to process possibly hundreds of rules to find a match. Very often companies purchase new firewalls because there’s just no room in the “old house”. It’s rather like running out of disk space on your notebook, so you buy a new notebook with a bigger hard disk and copy everything from the old one to the new one. Cleaning the rule base can very often result in a reduction of up to 50% of rules, because they are either partially shadowed by (overlapping with) other rules or they are simply never used. The bottom line is that effective management of your rule base can extend the lifespan of a firewall by many years – in other words there’s no need to buy a new one, and no unnecessary expenditure!
  2. Monitoring any changes – Ask any security officer if they can be sure that firewall administrators adhere to corporate policies when changing firewall configurations and you’ll see tears in their eyes. Faced with increased scrutiny from auditors, many security departments need to provide monthly or quarterly reports on firewall changes. Many have absolutely no mechanism in place to get access to the information. In fact they would not even be able to pinpoint who actually made the changes. At a time when organizations are reducing IT departments, and in many cases getting rid of contract staff, it is very often the case that contract staff are used to carry out roles such as firewall administration. Additionally, enforcing policies simply cannot be done manually. Having a policy that a service such as Kazaa is not allowed, and being able to enforce it, are two very different propositions. It is essential that policies are both enforced and monitored.
  3. Downtime – How does your organization translate a business service request into an actual change on the firewall? Would your staff fully understand what exactly needs to be changed, and where? How much time is lost and money spent trying to figure out why not only the new service is not working but in fact half the network is off the air! Offline simulation of changes should be standard practice. In fact, a workflow that provides an audit trail from service request through to implementation should really be standard practice. It is one thing to approve a change and its design, and another to ensure that the change has been implemented as designed!
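The shadowed and unused rules described in step 1, and the offline simulation of a change from step 3, can be checked mechanically on a first-match-wins rule base. The following is an added illustration, not code from the author or from Tufin; it assumes a simplified TCP-only rule model with one port range per rule and a hit counter exported from the firewall, and the sample rule base is invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified rule model (assumption: TCP only, first match wins, one port range per rule).
@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "allow" or "deny"
    hits: int         # hit counter as exported from the firewall (constructed here)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def find_shadowed(rules):
    """Rules that can never fire because an earlier rule covers them entirely.
    Same action: the rule is merely redundant. Different action: the later
    rule's intent is silently lost, which is the dangerous case."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflicting"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings

def find_unused(rules, min_hits=1):
    """Rules whose hit counter never reached min_hits over the review period."""
    return [r.name for r in rules if r.hits < min_hits]

def first_match(rules, src_ip, dst_ip, port):
    """Offline simulation: which rule would this flow hit? None means no rule matches."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src) and ip_address(dst_ip) in ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r.name
    return None

# Constructed sample rule base; names, addresses and hit counts are invented.
SAMPLE_RULES = [
    Rule("web-any",    "10.0.0.0/8",    "192.168.1.10/32", (443, 443), "allow", 12000),
    Rule("web-branch", "10.1.0.0/16",   "192.168.1.10/32", (443, 443), "allow", 0),
    Rule("block-dmz",  "10.0.0.0/8",    "192.168.1.0/24",  (1, 65535), "deny",  340),
    Rule("ssh-ops",    "10.2.0.0/16",   "192.168.1.20/32", (22, 22),   "allow", 0),
    Rule("legacy-app", "172.16.0.0/12", "192.168.2.0/24",  (80, 80),   "allow", 0),
]
```

Running `find_shadowed(SAMPLE_RULES)` flags `web-branch` as redundant and `ssh-ops` as shadowed by the broader deny, which is exactly why the ops team's SSH "works on paper" but never matches; `first_match` lets you confirm that before the change goes live.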

Of course there are many other issues to be considered, but if you at least start with these three steps and use tools that are readily available, you’ll discover that things will be a lot tidier and you won’t just be shifting things from one “house” to another. By the way, I just found some LPs. Anyone interested in “Terry Jacks – Seasons in the Sun”?