A variety of firewalls are available that examine different aspects of network traffic. All firewalls compare this traffic against a set of rules that mediate the flow of packets. As a business grows, the rule set grows to account for new risks, network segments, and users. The implications of evolving threat vectors were among the discussion topics at the Black Hat briefings. Avishai Wool, CTO and co-founder of Algosec, and I discussed the factors that influence firewall efficacy. According to Mr. Wool, poor change management leads to a redundant rule set. “25% of firewall changes,” said Wool, “are unnecessary.” Algosec’s firewall monitoring, testing, and rule optimization products provide powerful tools to the enterprise. If the organization does not understand its risk exposure, however, these tools are of little use. Firewalls, said Wool, must be considered in the following activities: Risk Management, Data Consolidation, and Change Management.

Risk Management

According to the SANS Institute, “firewall rules are a reflection of a company’s security policies, business goals, and organizational changes.” Firewall configuration must therefore be coordinated with management to ensure that all risks are taken into account. While firewalls mitigate certain risks, it is important to note that they introduce other risks into the environment. Management may perceive the firewall as a panacea and develop a false sense of security. If the firewall purchase decision was not guided by a risk assessment, the organization may still be open to certain attack vectors.

Compliance requirements are a major driver for taking the firewall into account when formulating a risk management plan. PCI DSS audits, for example, include an examination of firewall rules and configuration. Those responsible for the firewall(s) must be able to show a clear connection between a risk and its mitigating rules or settings.

“Firewall administrators must be able to simulate the effect of different policies on the network architecture in order to find the optimal solution. Since business risk is dynamic, there is no perfect rule set. That is why risk management is critical,” said Wool.

Data Consolidation

Security-in-depth is a model in which an asset is protected by several processes and devices to minimize the odds of compromise. The SANS Institute, for example, recommends that a firewall be complemented by an intrusion detection system, deep packet inspection (DPI), and an anti-virus/anti-spam/anti-malware solution. Individually, each piece of this architecture handles different threat vectors. While firewalls may detect a port scanning attack, they may not notice a SQL injection exploit that could be detected through DPI. Avishai Wool agrees that a layered architecture handles a variety of threat vectors effectively. He adds that the information from each component must be consolidated for use in analyzing the firewall rules. “By combining the logs that show rule usage with routing data or intrusion detection logs, for example, we can accurately discern the risk landscape,” said Wool.

Change Management

Economic pressures are driving companies to squeeze more value from their existing infrastructure. This includes security investments such as firewalls. Firewalls configured for different parts of the enterprise might be consolidated to reduce costs. The unified configuration may contain contradictory or redundant rules. At the very least, this scenario will lead to a performance hit on the firewall, because every rule demands processing power. On the more extreme end, your control over network traffic will be affected and your environment opened to attack. According to Mr. Wool, “any enterprise change that involves a firewall requires a review of the rule set to ensure they address the associated risks.”

In an October 2008 SC Magazine article, Christophe Briguet recommended a centralized rule management system. “This not only simplifies management, but also protects against employees leaving or taking your policy configuration expertise with them.” While a review of management solutions is outside the scope of this post, I have included three guidelines that SearchSecurity recommends be applied to any change approach:

Keep the rule base simple
Document every rule
Implement a change-control policy
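The following Python audit is an added example, not the author's or Algosec's code. Against a constructed first-match rule set it flags the two defects the Change Management section warns about after a consolidation: a later rule made redundant by a broader earlier rule with the same action, and a later rule contradicted (never reached) by an earlier rule with the opposite action. The rule tuple layout (name, action, source, destination, protocol, port) is an assumption made for the example.

```python
"""Find redundant and contradicted rules in a first-match firewall rule set.

Added example: a rule is 'redundant' when an earlier rule with the same action
already matches everything it matches, and 'contradicted' when an earlier rule
with the opposite action does, so the later rule never takes effect.
"""
from ipaddress import ip_network

# Constructed sample rule set (not from any real device).
# Fields: (name, action, src_cidr, dst_cidr, proto, port); '*' = any.
RULES = [
    ("allow-web",     "allow", "10.0.0.0/8",  "192.168.1.10/32", "tcp", 443),
    ("allow-web-dup", "allow", "10.1.0.0/16", "192.168.1.10/32", "tcp", 443),
    ("deny-web-hr",   "deny",  "10.2.0.0/16", "192.168.1.10/32", "tcp", 443),
    ("allow-dns",     "allow", "0.0.0.0/0",   "192.168.1.53/32", "udp", 53),
    ("deny-all",      "deny",  "0.0.0.0/0",   "0.0.0.0/0",       "*",   "*"),
]


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    if not ip_network(inner[2]).subnet_of(ip_network(outer[2])):
        return False
    if not ip_network(inner[3]).subnet_of(ip_network(outer[3])):
        return False
    if outer[4] != "*" and outer[4] != inner[4]:   # protocol must be any or equal
        return False
    if outer[5] != "*" and outer[5] != inner[5]:   # port must be any or equal
        return False
    return True


def audit(rules):
    """Return [(rule_name, 'redundant' | 'contradicted', shadowing_rule_name)]."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:          # only rules evaluated before this one
            if _covers(earlier, rule):
                kind = "redundant" if earlier[1] == rule[1] else "contradicted"
                findings.append((rule[0], kind, earlier[0]))
                break                      # the first covering rule is the one that wins
    return findings


if __name__ == "__main__":
    for name, kind, by in audit(RULES):
        print(f"{name}: {kind} by earlier rule {by}")
```

The contradicted finding is the dangerous one: the HR deny rule looks correct in the configuration, yet the traffic it was meant to block is still allowed by the broader rule above it.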