Is your firewall smarter than a 5th-grader?

If you did not set it up carefully, it may not be


The firewall, long considered the fundamental means of protecting a network perimeter, has become somewhat ubiquitous of late. As proof of this, I did a brief interview with my 10-year-old nephew, a recent 5th-grade graduate. I asked him if he knew what a firewall was, to which he replied with a reasonable definition. He then proceeded to explain that it was necessary to forward ports on a firewall to play certain online games.

Despite a large part of the population knowing what a firewall is, many organizations either don't have one, or have one that is not implemented properly. According to a 2012 study by Symantec, 46% of corporate information resides outside of a firewall. While that number has no doubt improved, I suspect it is still unacceptably low.

For those without a firewall, the answer is simple — get one. My concern today, however, is those who have one that is not configured or working correctly but who draw a false sense of security because of its presence. Having one does little good if it functions like a 5th-grader installed it.

There are a very large number of firewall products on the market today. While some have complex capabilities, requiring strong expertise to configure, many are designed for "easy" installation by individuals in smaller businesses with limited technical knowledge. These firewalls get connected and undergo very basic configuration, after which the installer rests comfortably in the knowledge that their network is "protected."

In my experience, a firewall configured by someone who has not done their homework is of limited value. While I intend no offense in making a comparison between these individuals and the average 5th-grader, the result is the same.

Small and medium-size organizations do not have an exclusive on poorly functioning firewalls, however. I have reviewed many enterprise firewalls that have major configuration issues. In these cases, the installers know better, but due to a lack of care, or the failure to recognize the firewall as a living, evolving entity requiring regular attention, they don't function as intended.

Hopefully, you are now rethinking your false sense of security in having one. Great. Admitting you might have a problem is the first step. Now, how do you sort out whether or not it is providing the protection you need? The following are some specific suggestions:

Check the vintage

A firewall, much like any other technological device, needs to be refreshed periodically. According to a recent study by Sophos Security, 51% of organizations surveyed have a firewall that's over three years old, and 34% had one over four years old. The life cycle of a firewall would vary based on whether the vendor continues to publish new firmware and add features, but in general, if your firewall is more than three years old, you need to take a hard look at it.

Review the configuration

Under normal circumstances, a firewall should deny all inbound traffic, with individual inbound rules added to allow for specific business needs. Your configuration should not have large blocks of inbound ports that are allowed. As a recent article in Business Solutions reminds us, controlling outbound traffic is important, too. You should be able to track any rule back to business documentation explaining why it is needed. If you can't find that, it is time to start over with your configuration.
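The three checks in that paragraph (default-deny inbound, no large blocks of allowed inbound ports, and a documented reason for every allow rule) are mechanical enough to script against a rule export. The following is an added example, not code from the original article or from any firewall vendor; the `Rule` layout, the sample rule set and the 16-port threshold for a "large block" are assumptions, and a real export would first have to be translated into this shape.

```python
"""Audit a firewall rule export for default-deny inbound, broad
inbound port allowances, and allow rules with no justification."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold: an inbound allow covering more ports than this
# is treated as a "large block of inbound ports".
MAX_INBOUND_PORTS = 16


@dataclass
class Rule:
    name: str
    direction: str                       # "inbound" or "outbound"
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # address, CIDR or "any"
    dst: str
    ports: str                           # "any", "443", "80,443" or "1024-65535"
    justification: Optional[str] = None  # ticket or document reference


def port_count(ports: str) -> int:
    """Number of destination ports a rule's port expression covers."""
    if ports == "any":
        return 65536
    total = 0
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        total += (int(hi) - int(lo) + 1) if hi else 1
    return total


def is_deny_all(r: Rule) -> bool:
    return (r.action == "deny" and r.proto == "any" and r.src == "any"
            and r.dst == "any" and r.ports == "any")


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding string per policy violation (empty list = clean)."""
    findings: List[str] = []
    inbound = [r for r in rules if r.direction == "inbound"]
    # Rules are evaluated top-down, so the last inbound rule must deny everything.
    if not inbound or not is_deny_all(inbound[-1]):
        findings.append("inbound policy does not end with an explicit deny-all rule")
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "inbound" and port_count(r.ports) > MAX_INBOUND_PORTS:
            findings.append(f"{r.name}: allows {port_count(r.ports)} inbound ports ({r.ports})")
        if r.direction == "outbound" and r.dst == "any" and r.ports == "any":
            findings.append(f"{r.name}: unrestricted outbound traffic")
        if not r.justification:
            findings.append(f"{r.name}: no business justification recorded")
    return findings


# Constructed sample rule set for illustration; not from any real firewall.
SAMPLE_RULES = [
    Rule("web-in", "inbound", "allow", "tcp", "any", "203.0.113.10", "443",
         "CHG-1042: public web server"),
    Rule("legacy-in", "inbound", "allow", "tcp", "any", "203.0.113.20", "1024-65535"),
    Rule("deny-in", "inbound", "deny", "any", "any", "any", "any", "baseline policy"),
    Rule("out-any", "outbound", "allow", "any", "10.0.0.0/8", "any", "any"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against the sample, the audit flags the legacy rule twice (a 64,512-port range and no justification) and the outbound rule twice (unrestricted and undocumented), which is exactly the "start over" signal the paragraph describes.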

Check your firmware

The firmware on your firewall should be the most recent production release available from the manufacturer, and the release should be recent. If you discover that the manufacturer has not issued a release in some time, consider replacement. If your firmware is behind, get it updated as quickly as feasible.

Test it

The best way to know if your firewall is functioning properly is to test it. The comprehensive approach to this is a penetration test, often conducted by an outside organization. Penetration tests find open ports, which you then compare to your documentation. Additionally, these tests usually look for any major vulnerabilities resulting from any open ports. Such a penetration test is recommended at least yearly. There are software products readily available to allow you to perform some testing yourself. Nmap is an open-source tool allowing you to perform a basic test. There are also various commercial self-service tools, such as Metasploit, which has free (not for the faint of heart) and paid versions available, and Nessus.
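The "compare open ports to your documentation" step is worth automating so the comparison is repeatable between yearly tests. The following is an added example, not code from the article: it parses Nmap's grepable (`-oG`) output and diffs each host's open ports against what the rule documentation says should be reachable. The scan text and the documented-port table are constructed for illustration, not the result of a real scan.

```python
"""Diff Nmap's open-port findings against documented inbound allowances."""
from typing import Dict, List, Set

# Constructed Nmap grepable (-oG) output; not a real scan result.
SCAN_OUTPUT = (
    "# Nmap 7.94 scan initiated as: nmap -oG - 203.0.113.0/29\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 203.0.113.20 ()\tStatus: Up\n"
    "Host: 203.0.113.20 ()\tPorts: 25/closed/tcp//smtp///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
    "# Nmap done\n"
)

# Constructed: what the rule documentation says should be open inbound.
DOCUMENTED: Dict[str, Set[str]] = {
    "203.0.113.10": {"tcp/443"},
    "203.0.113.20": set(),
}


def parse_open_ports(grepable: str) -> Dict[str, Set[str]]:
    """Return {host: {"proto/port", ...}} for every port reported as open."""
    result: Dict[str, Set[str]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates sections with tabs
        host = fields[0].split()[1]
        result.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Each entry is port/state/protocol/owner/service/rpc/version
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    result[host].add(f"{parts[2]}/{parts[0]}")
    return result


def compare(observed: Dict[str, Set[str]],
            documented: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per host: ports open but undocumented, and documented but not open."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for host in sorted(set(observed) | set(documented)):
        seen = observed.get(host, set())
        allowed = documented.get(host, set())
        report[host] = {
            "undocumented": sorted(seen - allowed),
            "missing": sorted(allowed - seen),
        }
    return report


if __name__ == "__main__":
    for host, delta in compare(parse_open_ports(SCAN_OUTPUT), DOCUMENTED).items():
        print(host, "undocumented:", delta["undocumented"], "missing:", delta["missing"])
```

Anything listed under "undocumented" is either a rule that was never written down or a port that should not be open; either way it maps straight back to the rule-review step. The "missing" list is also useful: a documented service that is not reachable usually means a rule was changed without the documentation following.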


Treat it like a living entity

Your firewall may work fine today, and have a major vulnerability tomorrow. You need to monitor the logs, keep track of the firmware, and review the settings against your documentation to ensure that no unauthorized changes happen.
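Reviewing settings against documentation for unauthorized changes is easiest when the approved rule set has a recorded fingerprint that a scheduled job can re-check. The following is an added example, not code from the article or any vendor: it canonicalizes each rule so cosmetic differences do not count as drift, hashes the approved baseline, and lists the rules added or removed since. The baseline and current exports are constructed for illustration.

```python
"""Detect rule-set drift by comparing a current export to an approved baseline."""
import hashlib
import json
from typing import Dict, List, Tuple

RULE_KEYS = ("name", "direction", "action", "proto", "src", "dst", "ports")


def normalize(rule: Dict[str, str]) -> Tuple[str, ...]:
    """Canonical tuple so case and whitespace differences are not reported as drift."""
    return tuple(str(rule.get(k, "")).strip().lower() for k in RULE_KEYS)


def fingerprint(rules: List[Dict[str, str]]) -> str:
    """Order-independent SHA-256 over the canonical rule set; store this with the approval."""
    canon = sorted(normalize(r) for r in rules)
    return hashlib.sha256(json.dumps(canon).encode("utf-8")).hexdigest()


def drift(baseline: List[Dict[str, str]],
          current: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, ...]]]:
    """Rules present now but not in the baseline, and vice versa."""
    base = {normalize(r) for r in baseline}
    cur = {normalize(r) for r in current}
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed approved baseline (not a real configuration).
BASELINE_RULES = [
    {"name": "web-in", "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "any", "dst": "203.0.113.10", "ports": "443"},
    {"name": "deny-in", "direction": "inbound", "action": "deny", "proto": "any",
     "src": "any", "dst": "any", "ports": "any"},
]

# Constructed current export: web-in widened and a temporary RDP rule slipped in.
CURRENT_RULES = [
    {"name": "WEB-IN", "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "any", "dst": "203.0.113.10", "ports": "80,443"},
    {"name": "temp-rdp", "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "any", "dst": "203.0.113.30", "ports": "3389"},
    {"name": "deny-in", "direction": "inbound", "action": "deny", "proto": "any",
     "src": "any", "dst": "any", "ports": "any"},
]

if __name__ == "__main__":
    if fingerprint(CURRENT_RULES) != fingerprint(BASELINE_RULES):
        delta = drift(BASELINE_RULES, CURRENT_RULES)
        for r in delta["added"]:
            print("ADDED  :", r)
        for r in delta["removed"]:
            print("REMOVED:", r)
```

A modified rule shows up as one removal plus one addition, which is the right granularity for the review: each line in the output should be matched to an approved change record, and anything that cannot be is an unauthorized change to investigate.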

If you have decided that a refresh is appropriate, there are many to choose from, and no choice that is right for everyone. The following are some points to consider:

  1. Look for a model that integrates next-generation features, such as intrusion prevention and deep packet inspection.
  2. Consider your network capacity requirements, now and in the next couple of years. You don't want the firewall to end up constraining your network.
  3. If you are thinking about improving the design of your network, such as implementing Zero Trust, make sure the features and port capacity support your plan.
  4. Consider the warranty and service plans available. Your firewall is the core of your network, and if it is down, so are you. Many vendors offer overnight replacement of failed units, but if that is not quick enough, redundant products are readily available.
  5. Decide who should install it. I recommend against asking your 5th-grader. While I believe that many organizations have the ability to handle installation themselves, this might be a good opportunity to use a third party for more expertise and objectivity.

Bottom line: If your firewall is not smarter than a 5th-grader, you need to fix it, today.

This article is published as part of the IDG Contributor Network.
