Business Risk Exposure and Firewall Efficacy

September 15, 2009 by ADMIN

By Steven Fox, Founder of SecureLexicon

A variety of firewalls are available that examine different aspects of network traffic, and all firewalls compare this traffic against a set of rules that mediate the flow of packets.

As a business grows, the rule set grows to account for new risks, network segments, and users.

The implications of evolving threat vectors were among the discussion topics at the Black Hat briefings.

Avishai Wool, CTO and co-founder of Algosec, and I discussed the factors that influence firewall efficacy.

According to Mr. Wool, poor change management leads to a redundant rule set. “25% of firewall changes,” said Wool, “are unnecessary.”

Algosec’s firewall monitoring, testing, and rule optimization products provide powerful tools to the enterprise.

If the organization does not understand its risk exposure, these tools are of little use.

Firewalls, said Wool, must be considered in the following activities: Risk Management, Data Consolidation, and Change Management.

Risk Management

According to the SANS Institute, “firewall rules are a reflection of a company’s security policies, business goals, and organizational changes.”

Firewall configuration must therefore be coordinated with management to ensure that all risks are taken into account.

While firewalls mitigate certain risks, it is important to note that they introduce other risks into the environment.

Management may perceive the firewall as a panacea and develop a false sense of security.

If the firewall purchase decision was not guided by a risk assessment, the organization may still be open to certain attack vectors.

Compliance requirements are a major driver for taking the firewall into account when formulating a risk management plan.

PCI DSS audits, for example, include an examination of firewall rules and configuration.

Those responsible for the firewall(s) must be able to show a clear connection between a risk and its mitigating rules or settings.

“Firewall administrators must be able to simulate the effect of different policies on the network architecture in order to find the optimal solution. Since business risk is dynamic, there is no perfect rule set. That is why risk management is critical,” said Wool.

Data Consolidation

Security-in-depth is a model in which an asset is protected by several processes and devices to minimize the odds of compromise.

The SANS Institute, for example, recommends that a firewall be complemented by the use of an intrusion detection system, deep packet inspection (DPI), and an anti-virus/anti-spam/anti-malware solution.

Individually, each piece of this architecture handles different threat vectors. While firewalls may detect a port scanning attack, they may not notice a SQL injection exploit that might be detected through DPI.

Avishai Wool agrees that a layered architecture handles a variety of threat vectors effectively.

He adds that the information from each component must be consolidated for use in analyzing the firewall rules.

“By combining the logs that show rule usage with routing data or intrusion detection logs, for example, we can accurately discern the risk landscape”, said Wool.

Change Management

Economic pressures are driving companies to squeeze more value from their existing infrastructure. This includes security investments such as firewalls.

Firewalls configured for different parts of the enterprise might be consolidated to reduce costs.

The unified configuration may contain contradictory or redundant rules. At the very least, this scenario will lead to a performance hit on the firewall because every rule demands processing power.

On the more extreme end, your control over network traffic will be affected and your environment opened to attack.

According to Mr. Wool, “any enterprise change that involves a firewall requires a review of the rule set to ensure they address the associated risks.”

In an October 2008 SC Magazine article, Christophe Briguet recommended a centralized rule management system.

“This not only simplifies management, but also protects against employees leaving or taking your policy configuration expertise with them.”

While a review of management solutions is outside the scope of this post, I have included three guidelines that SearchSecurity recommends be applied to any change approach.

  • Keep the rule base simple
  • Document every rule
  • Implement a change-control policy
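The redundant and contradictory rules described above can be found mechanically once the rule base is modelled. The following script is an added illustration, not code from Algosec or from the author: it checks a constructed first-match rule set for later rules fully covered by an earlier rule (same action means redundant, opposite action means the later rule is contradictory and never reached) and cross-references constructed rule-usage log lines to list rules that never fire. The `Rule` fields, the log line format and all addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """Minimal firewall rule model (assumed layout, not a vendor format)."""
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: tuple           # (low, high) inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def find_shadowed(rules):
    """First-match semantics: report each rule fully covered by an earlier one.
    Returns (shadowed_rule, kind, shadowing_rule) tuples."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "contradictory"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


def find_unused(rules, hit_log):
    """Rules with zero hits in the usage log; the last token of a line is the rule name."""
    hits = Counter(line.split()[-1] for line in hit_log)
    return [r.name for r in rules if hits[r.name] == 0]


# Constructed sample rule base: R2 duplicates R1, R4 is dead because R3 denies first.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    Rule("R2", "allow", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("R3", "deny", "10.2.0.0/16", "192.168.1.0/24", (22, 22)),
    Rule("R4", "allow", "10.2.5.0/24", "192.168.1.0/24", (22, 22)),
    Rule("R5", "allow", "172.16.0.0/12", "192.168.2.0/24", (80, 80)),
]

# Constructed rule-usage log lines: timestamp, source, destination, matched rule.
HIT_LOG = [
    "2009-09-15T10:00:01 10.1.4.7 192.168.1.10:443 R1",
    "2009-09-15T10:00:09 10.2.5.3 192.168.1.20:22 R3",
    "2009-09-15T10:01:22 10.9.0.2 192.168.1.10:443 R1",
]
```

Shadowed rules are the first candidates for removal during consolidation; unused rules need a review against the risk that justified them before they are dropped, since a low-traffic segment may legitimately produce no hits in a short log window.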

Steven Fox is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com. Follow him on Twitter at @SecureLexicon, or join Steven’s LinkedIn network.

Originally published at CIO


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
