Firewalls remain a critical component of network perimeter defense. These devices guard the gates of corporate enterprise networks. More advanced organizations deploy firewalls inside their internal network preventing lateral movement by intruders.
Enterprises globally must harden existing firewall configurations; this is a non-negotiable activity. Over time firewall configurations experience a “drift” between what the business requires and what’s become obsolete. Organizations rarely hesitate to place new objects and rules in their firewalls; they rarely review and remove outdated components. Enterprises must regularly evaluate what their firewalls do, why they do it, and, most importantly, should these devices continue their status quo.
Legacy firewall objects and rules increase threat vectors for organizations. As seen with the Capital One breach in 2019, a misconfigured web application firewall allowed a disgruntled former AWS employee access to critical data. This type of breach cannot happen with organizations that routinely “care and feed” their firewall deployments. Organizations, large and small, experience day-to-day operational changes impacting network and information security. Utilizing critical technologies that compare current configurations with existing application use and network traffic, reduces threat vectors and enhances corporate defensive posture.
When organizations add devices, applications, or network segments, requests are made of the firewall administrators to enable traffic. This “commissioning” procedure usually goes through a change management process and potentially an architectural review board. Creation has a process. This absolutely improves security through review and human interaction.
Sadly, decommissioning rarely receives equal attention either with process or people. Due to this fact, firewalls grow and grow with rarely a question asked as to where an organization’s current status sits from a business need or security perspective. Firewalls that experience configuration “drift” boosts the threat of breach and data loss.
Business leaders should understand and address this critical lack of security within corporate and government networks.
Technologies exist which help organizations remove outdated rules and objects. Newer technology exists to scan environments to identify what traffic resides in the network.
Powerhouses lead this burgeoning sector. CIO, CISO and even CEOs and CFO’s need to know this technology exists. These tools are not a “nice to have” — they are a “must-have.” No one should believe firewall configuration review, auditing, and especially application analysis are secondary requirements. Both networking and information security teams must work with executive leadership, risk management, and application development to understand the current state. After clearly knowing what the firewall configuration looks like, analyze existing environments. Finally, perform gap analysis, clean up and remediate outdated objects, rules and other associated components in the environment.
While firewalls are as old as networking, unfortunately, as I’ve written before, we are where we have always been. Vendors are helping solve an age-old problem and enable organizations to move forward to the next level of security. These companies provide key capabilities around firewall management, auditing and automation. Some vendors go one critical step beyond because they have a newer application-centric mindset. This perspective led to the creation of technology that enables discovery, provisioning and decommission connectivity for business applications. For organizations looking to substantially increase their security maturity in the networking space, this application scanning capability is second to none. Network security must reside at the forefront of business leaders’ security mindset; they can no longer sit back and think that firewall review is a secondary consideration.
Firemon reports that by 2023, 99% of all firewall breaches will be caused by misconfiguration, aka human error. One powerful example of human error with networking involved a massive Internet outage when a Cloudflare engineer made a configuration error in their backbone network. Utilizing tools that automate this capability substantially reduces human error-related outages and breaches. Some vendors excel with application scanning and comparing actual traffic to firewall implementations. Other vendors enable organizations to automate their security policy. Both of these organizations add extensive value to corporations and governments alike. Business and security leaders in organizations must utilize these technologies and capabilities. Hardening networks and firewalls should rise to the top of organizations serious about information security.
Too often, organizations view security, particularly firewall management, as an optional technology. Routinely when discussing security solutions with customers, I hear, “we have other priorities.” They tell me firewall review “is not important.” After bringing in my 30+ years of experience and explaining what IBM and myself see in the field, customers open up to hearing new ideas. If we do what we’ve always done, we will get what we’ve always had. As I’ve written before, something has to change. Breaches continue getting worse, as we just saw with the Apache Log4j vulnerability. Organizations spend more and more money paying ransoms or funding insurance premiums. Business leadership must shift the mindset to post breach recovery mechanisms and place ideation within the prevention, a la firewall configuration management.
As I discuss in my talk on Business Leadership and Cyber Security Integration, senior leaders must engage. Risk management, CFO’s, CEO’s and even board members need to participate in the cybersecurity dialog. Understanding the risk in firewall misconfigurations and acting is a good start for entities that require security enhancement. Enterprises must understand that firewall analysis, audit and alignment with application traffic takes precedence over other security projects currently staged for deployment.
