Some rules were made to be broken — but not the ones governing the next-generation firewalls in your enterprise. Yet creating firm rule sets that can secure corporate networks without negatively impacting business can be challenging.
“Next-generation firewalls require more work to set up because this is a migration and a change in the way firewall administrators have done things,” said John Stauffacher, senior consultant at IT advisory firm Accuvant. “It requires a bit more knowledge on the side of the security staff to identify the application — not just the Layer 4 information we currently use.”
Enterprises usually migrate the most widely used applications and services first, saving custom apps and secondary applications for later. This phased approach eases a migration that can take more time than was required with older technologies. In a survey released earlier this year by firewall management vendor AlgoSec, 56 percent of 179 respondents said their next-generation firewalls added work to their management process.
The finding did not come as a surprise to John Pirc, research vice president at NSS Labs, who has taken note of the many additional features and options that next-generation firewalls offer. Policies can now be configured by department and even by individual, which takes more time. But Pirc said these extra processes are bound to become less burdensome for IT departments.
“I’m sure over time this will decrease, but overall, I think they are worth it,” he said.
Fine-tuning access control
It is critical that IT administrators understand inbound versus outbound access rules, as well as the difference between creating negative controls versus a completely positive security model, explained Jody Brazil, chief technical officer of IT security firm FireMon. The latter approach entails allowing only what is needed and blocking the rest, he said.
“Controlling time spent on Facebook, access to personal email and inappropriate sites are common new controls implemented in next-generation firewalls not previously actively controlled in the stateful firewall,” Brazil said. “These rules to block access to certain applications are very different from the traditional model of a firewall.”
Inbound access must still control the protocol and port, he said, adding that the “biggest mistake” made with next-generation firewalls is to believe that all access should be controlled according to the applications.
“Performance of the firewall and security implications can put your security at risk if the protocol and port is not controlled,” Brazil warned. “Using ‘default application port’ is a perfectly acceptable solution when defining an application. However, leaving the protocol and port as ‘any’ is a big mistake.”
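The pitfalls Brazil describes (inbound rules that pin only the application, application rules with protocol and port left at "any", and catch-all allow rules that break the positive security model) can be checked mechanically before a policy is pushed. The following rule-set lint is an added example written for this article; it is not FireMon's, AlgoSec's or any vendor's code. The Rule structure and the sample policies are constructed and vendor-neutral, and "application-default" is used here in the sense of Brazil's "default application port" rather than any product's exact keyword.

```python
"""Lint a next-generation firewall rule set for the port/protocol mistakes
discussed above. Rule format is a constructed, vendor-neutral model."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    direction: str             # "inbound" (into the network) or "outbound"
    action: str                # "allow" or "deny"
    application: str = "any"   # Layer 7 application identified by the NGFW
    protocol: str = "any"      # "tcp", "udp" or "any"
    port: str = "any"          # a port number, "application-default" or "any"


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means clean."""
    findings = []
    if rule.action != "allow":
        return findings        # deny rules (negative controls) never widen access
    proto_open = rule.protocol == "any"
    port_open = rule.port == "any"
    if rule.application == "any" and proto_open and port_open:
        findings.append("allow-any catch-all: violates the positive security model")
    elif rule.direction == "inbound" and (proto_open or port_open):
        # Inbound access must still control protocol and port, not just the app.
        findings.append("inbound allow must pin protocol and port, not just the application")
    elif rule.application != "any" and proto_open and port_open:
        # Application is controlled but the service is wide open: the "big mistake".
        findings.append("application is controlled but protocol and port are 'any'")
    return findings


def lint_policy(rules):
    """Lint every rule and check that the policy ends in a deny-all cleanup rule."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule.name] = findings
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny" or last.application != "any"
            or last.protocol != "any" or last.port != "any"):
        report["__policy__"] = ["no final deny-all cleanup rule: "
                                "traffic not explicitly allowed must be blocked"]
    return report


# Constructed sample: a policy with the mistakes described in the text.
WEAK_POLICY = [
    Rule("allow-web-out", "outbound", "allow", "web-browsing", "tcp", "application-default"),
    Rule("allow-smtp-in", "inbound", "allow", "smtp", "any", "any"),
    Rule("allow-facebook-lunch", "outbound", "allow", "facebook", "any", "any"),
    Rule("allow-all-out", "outbound", "allow"),
    Rule("block-personal-email", "outbound", "deny", "web-mail"),
]

# The same intent expressed correctly: service pinned, catch-all removed, deny-all at the end.
CORRECTED_POLICY = [
    Rule("allow-web-out", "outbound", "allow", "web-browsing", "tcp", "application-default"),
    Rule("allow-smtp-in", "inbound", "allow", "smtp", "tcp", "25"),
    Rule("allow-facebook-lunch", "outbound", "allow", "facebook", "tcp", "application-default"),
    Rule("block-personal-email", "outbound", "deny", "web-mail"),
    Rule("deny-all", "outbound", "deny"),
]

if __name__ == "__main__":
    for name, findings in lint_policy(WEAK_POLICY).items():
        print(name, "->", "; ".join(findings))
    print("corrected policy findings:", lint_policy(CORRECTED_POLICY))
```

Running the lint against WEAK_POLICY flags the inbound SMTP rule, the Facebook rule and the outbound catch-all plus the missing cleanup rule, while CORRECTED_POLICY comes back clean; the same checks can be run on an exported rule set before each change window.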
Starting from scratch
If an organization is building application-related firewall rules from scratch, a good approach is to run the firewall in “learning mode” to gain visibility into applications, users and groups, advised Sam Erdheim, a senior security strategist with AlgoSec. This kind of information can then be used to find answers to the who, what and how-often questions needed to build sound policies.
“Gradually build out the more granular policies so that you can tighten policies without impacting the business,” Erdheim recommended. “This is key because, at the end of the day, the business needs to run.”
Erdheim also advised leveraging the application categories provided by next-generation firewall vendors to block applications that shouldn’t be accessible. Unsurprisingly, testing is also an important part of the process, he added.
“There are solutions that can simulate the change before it is processed and implemented so that an organization understands the impact of that rule change from a risk and compliance perspective,” Erdheim said. “From there, they can either accept that risk or re-plan/deny the rule change. Rule recertification is also an important step to consider as a way to ensure that a rule’s use is still valid and necessary.”
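Two of Erdheim's recommendations, simulating a rule change before it is implemented and recertifying rules that no longer see use, reduce to a first-match evaluation of the policy over representative traffic and a look at each rule's last hit. The code below is an added example written for this article, not AlgoSec's product logic or any vendor's code. The Flow and Rule structures, the APP_DEFAULT_PORTS table, the sample policies, the traffic observed in "learning mode" and the hit-log dates are all constructed for the illustration.

```python
"""Simulate a proposed NGFW policy change over observed flows and list rules
that are due for recertification. Vendor-neutral, constructed model."""
from dataclasses import dataclass
from datetime import date

# Constructed default-port table; a real NGFW derives this from its app signatures.
APP_DEFAULT_PORTS = {
    "web-browsing": ("tcp", "80"),
    "ssl": ("tcp", "443"),
    "smtp": ("tcp", "25"),
}


@dataclass(frozen=True)
class Flow:
    direction: str     # "inbound" or "outbound"
    application: str   # Layer 7 application identified by the NGFW
    protocol: str
    port: str


@dataclass
class Rule:
    name: str
    direction: str
    action: str                # "allow" or "deny"
    application: str = "any"
    protocol: str = "any"
    port: str = "any"          # a port number, "application-default" or "any"

    def matches(self, flow):
        if self.direction != flow.direction:
            return False
        if self.application not in ("any", flow.application):
            return False
        if self.port == "application-default":
            # Only the application's known default service matches; unknown apps never do.
            return (flow.protocol, flow.port) == APP_DEFAULT_PORTS.get(flow.application)
        if self.protocol not in ("any", flow.protocol):
            return False
        return self.port in ("any", flow.port)


def evaluate(policy, flow):
    """First-match evaluation with an implicit deny (positive security model)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def simulate_change(current, proposed, flows):
    """Return {flow: (verdict before, verdict after)} for flows whose verdict changes."""
    changes = {}
    for flow in flows:
        before = evaluate(current, flow)[0]
        after = evaluate(proposed, flow)[0]
        if before != after:
            changes[flow] = (before, after)
    return changes


def recertification_candidates(policy, hit_log, today, max_idle_days=90):
    """Names of rules that were never hit or not hit within max_idle_days."""
    stale = []
    for rule in policy:
        last_hit = hit_log.get(rule.name)
        if last_hit is None or (today - last_hit).days > max_idle_days:
            stale.append(rule.name)
    return stale


# Constructed: today's policy has an outbound catch-all plus a forgotten legacy rule.
CURRENT_POLICY = [
    Rule("allow-all-out", "outbound", "allow"),
    Rule("allow-smtp-in", "inbound", "allow", "smtp", "tcp", "25"),
    Rule("allow-legacy-ftp-in", "inbound", "allow", "ftp", "tcp", "21"),
]
# Proposed tightening: replace the catch-all with application-specific rules.
PROPOSED_POLICY = [
    Rule("allow-web-out", "outbound", "allow", "web-browsing", "tcp", "application-default"),
    Rule("allow-ssl-out", "outbound", "allow", "ssl", "tcp", "application-default"),
    Rule("allow-smtp-in", "inbound", "allow", "smtp", "tcp", "25"),
]
# Constructed flows as a learning-mode run might have observed them.
OBSERVED_FLOWS = [
    Flow("outbound", "web-browsing", "tcp", "80"),
    Flow("outbound", "ssl", "tcp", "443"),
    Flow("outbound", "custom-erp", "tcp", "8443"),   # business app nobody wrote a rule for
    Flow("outbound", "bittorrent", "tcp", "6881"),   # unwanted; blocking it is the intent
    Flow("inbound", "smtp", "tcp", "25"),
    Flow("inbound", "ssh", "tcp", "22"),
]
# Constructed hit log: last date each rule matched traffic.
HIT_LOG = {"allow-all-out": date(2013, 12, 19), "allow-smtp-in": date(2013, 12, 18)}

if __name__ == "__main__":
    for flow, (before, after) in simulate_change(CURRENT_POLICY, PROPOSED_POLICY, OBSERVED_FLOWS).items():
        print(f"{flow.application} {flow.protocol}/{flow.port}: {before} -> {after}")
    print("recertify:", recertification_candidates(CURRENT_POLICY, HIT_LOG, date(2013, 12, 20)))
```

The simulation shows that the tightening would cut off the custom ERP traffic on tcp/8443 along with the BitTorrent traffic it was meant to stop, which is exactly the impact a reviewer needs to see before accepting or re-planning the change; the never-hit legacy FTP rule surfaces as a recertification candidate.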