We have entered the application age and while there are plenty of productivity benefits for most organizations, there are also risks. In addition to the increased use of applications, a more mobile workforce and more sophisticated threats have driven an evolution in the way we must secure the gateway.
Enter next-generation firewalls, which Gartner predicted in its IT Market Clock for Infrastructure Protection 2011 will increase the commoditization of stateful firewalls within the next couple of years.
However, while NGFWs provide you with more granular control, they can also increase the complexity of your policies and require some additional planning and consideration. In a recent survey, The State of Network Security 2012, 84% of respondents stated that NGFWs help them feel more secure, but 76.1% noted a cost of managing next-generation firewalls in terms of administrative burden.
For example, without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing http and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk.
Next-Generation Firewalls: Their Place in the Network
Next-generation firewalls go beyond filtering traffic by port 80 or 443 and deliver more control by providing the ability to filter by application type and user identity. With this added granularity you can define what groups of users can do with a particular application, which allows for better security and ultimately a business advantage (e.g. the marketing team needs to be able to post to Facebook, but a developer does not).
The first and primary place in the network to focus on for NGFW deployment is external Internet traffic, because many applications are Internet applications, such as Facebook, P2P, email and Web meeting tools.
Deploying at the edge is where NGFWs can significantly improve your security if the right policies are applied. From there, you can add as necessary to branch offices and to the data center, where you should know what applications are running on data center servers and who has been granted access.
Firewall Policy Considerations
With more granular control comes more complexity. The more complex your network policies are, the greater opportunity there is for misconfigured firewalls. And according to Gartner, 95% of firewall breaches are due to misconfigurations – as opposed to flaws with the firewalls. If policies are set at an application level, you must understand each application, its business value to different users and any potential risks that come with it.
Firewall policy decisions are no longer black or white. As the rule sets and features increase, so does the complexity. Some questions you must ask yourself (and answer!) before leveraging the application and user-aware policies available to you in a next-gen firewall are:
- How many more change requests per week should you expect to process?
- Can your existing team handle the extra load without degradation to turnaround time?
- Will you require additional headcount?
- What is the impact if you define policy via rules like “block social networks, file sharing and video streaming, and allow all other Web traffic”?
IT must understand what applications are needed by what users and provide access – without slowing down business productivity and without opening security gaps for data leakage or malware.
Here are six tips for managing next-generation firewall policies:
- Tune your policies. Run regular reports to spot new applications in use on the network and understand any trends and impact from a security and performance perspective. Actionable intelligence regarding application usage is extremely helpful in optimizing policies and removing unused applications from policies. Identify rules that can be tightened based on application and user/user group needs. For example, if an application is only required by one group of users (e.g. the marketing team needs access to Facebook), then that application can be opened up to that specific group and restricted from others.
- Reorder rules to improve performance. Since firewalls evaluate rules sequentially until one matches each packet, another way to optimize your next-generation firewall policy is to reorder rules based on throughput (rules with heavier application usage should be on top). Because the first matching rule wins, only move a rule above another if the two cannot match the same traffic with different actions; otherwise the reorder changes what the policy enforces. This can help address potential performance issues and delay what otherwise would be necessary hardware purchases.
- Identify rules to remove from the rule base. Oftentimes firewall rules are forgotten about and even duplicated through change requests. Being able to identify these types of rules can significantly help you reduce the overhead on your admin team and on the firewall.
- Run regular risk queries. Whether running a query from your DMZ to Internal or against specific applications, there are a lot of known risks and configuration best practices you can leverage (e.g. NIST, PCI) to identify vulnerable rules and understand the remedies. You should also define acceptable applications for your organization and then create exceptions or segment by users/user groups as needed. Additionally, recent research has shown that lax outbound policies are a common risk in firewall rule bases.
- Ensure continuous compliance. Run reports to ensure that your policies are in compliance with regulatory requirements such as PCI DSS, SOX, etc., and also your own internally defined standards.
- Automate the firewall change request process. Maintain your optimized and risk-free policy over time by automating the firewall change request process. With traditional firewalls, the primary fields for change management consist of source, destination and port, but with NGFWs it expands to source, destination, port AND users and applications, creating more opportunities for change requests to pile up very quickly.
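The rule-base checks behind several of these tips, and the effect of the "allow all other Web traffic" style catch-all from the questions above, written as an added Python example. This is not code from the original article or from any firewall vendor; it assumes a simplified rule model (zones, user groups, applications, ports, action, hit count) and a constructed six-rule policy. It shows first-match evaluation, duplicate/shadowed-rule detection, a hit-count reorder that never changes which action wins, and a lax-outbound check for allow rules that permit any application.

```python
"""Toy next-generation firewall rule-base analysis (constructed example)."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    users: frozenset   # user groups, or {ANY}
    apps: frozenset    # application names, or {ANY}
    ports: frozenset   # port numbers, or {ANY}
    action: str        # "allow" or "deny"
    hits: int = 0      # matches seen in the reporting period


def _zone_overlaps(x, y):
    return ANY in (x, y) or x == y


def _set_covers(outer, inner):
    """True if `outer` matches everything `inner` matches."""
    return ANY in outer or (ANY not in inner and inner <= outer)


def _set_overlaps(x, y):
    return ANY in x or ANY in y or bool(x & y)


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.src_zone in (ANY, b.src_zone) and a.dst_zone in (ANY, b.dst_zone)
            and _set_covers(a.users, b.users) and _set_covers(a.apps, b.apps)
            and _set_covers(a.ports, b.ports))


def overlaps(a, b):
    """True if some packet can match both rules."""
    return (_zone_overlaps(a.src_zone, b.src_zone) and _zone_overlaps(a.dst_zone, b.dst_zone)
            and _set_overlaps(a.users, b.users) and _set_overlaps(a.apps, b.apps)
            and _set_overlaps(a.ports, b.ports))


def first_match(rules, src_zone, dst_zone, user, app, port):
    """Sequential first-match evaluation; returns (rule name, action) or None."""
    for r in rules:
        if (r.src_zone in (ANY, src_zone) and r.dst_zone in (ANY, dst_zone)
                and (ANY in r.users or user in r.users)
                and (ANY in r.apps or app in r.apps)
                and (ANY in r.ports or port in r.ports)):
            return r.name, r.action
    return None


def find_shadowed(rules):
    """Rules that can never match because an earlier rule covers them (duplicates included)."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found


def reorder_by_hits(rules):
    """Move high-hit rules upward, but never past an overlapping rule with a different action.
    Preserving the order of every such conflicting pair keeps the winning action unchanged."""
    ordered = []
    for r in rules:
        pos = len(ordered)
        while pos > 0:
            prev = ordered[pos - 1]
            if prev.hits >= r.hits or (overlaps(prev, r) and prev.action != r.action):
                break
            pos -= 1
        ordered.insert(pos, r)
    return ordered


def lax_outbound(rules, internet_zone="internet"):
    """Allow rules toward the Internet that permit any application (a lax outbound policy)."""
    return [r.name for r in rules
            if r.action == "allow" and r.dst_zone == internet_zone and ANY in r.apps]


# Constructed sample rule base; hit counts are made up to illustrate reordering.
RULES = [
    Rule("allow-marketing-facebook", "internal", "internet", frozenset({"marketing"}),
         frozenset({"facebook"}), frozenset({443}), "allow", hits=1200),
    Rule("deny-social", "internal", "internet", frozenset({ANY}),
         frozenset({"facebook", "twitter"}), frozenset({443}), "deny", hits=300),
    Rule("allow-web", "internal", "internet", frozenset({ANY}),
         frozenset({"web-browsing", "ssl"}), frozenset({80, 443}), "allow", hits=98000),
    Rule("allow-marketing-facebook-dup", "internal", "internet", frozenset({"marketing"}),
         frozenset({"facebook"}), frozenset({443}), "allow", hits=0),
    Rule("allow-any-out", "internal", "internet", frozenset({ANY}),
         frozenset({ANY}), frozenset({ANY}), "allow", hits=5000),
    Rule("allow-dmz-db", "dmz", "internal", frozenset({ANY}),
         frozenset({"mysql"}), frozenset({3306}), "allow", hits=40000),
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES))
    print("lax outbound:", lax_outbound(RULES))
    print("reordered:", [r.name for r in reorder_by_hits(RULES)])
    print("sales user, bittorrent:", first_match(RULES, "internal", "internet", "sales", "bittorrent", 6881))
```

The reorder deliberately refuses to lift `allow-any-out` above `deny-social`, even though it has more hits, because the two overlap with different actions; the duplicate Facebook rule is reported as shadowed, and the any-application catch-all is the rule that lets a non-Web application such as a file-sharing client out, which is the gap a "block some categories, allow everything else" policy leaves open.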
Next-generation firewalls certainly provide some additional benefits over traditional firewalls, but in order to truly reap the benefits without adding complexity and in turn risk, you must map out a plan in advance of your implementation and have a process to manage these policies over time in the context of your broader network environment.