


Factors that Influence Firewall Efficacy

Sep 06, 2009 | 4 mins
Business Continuity, Careers, Data and Information Security

A variety of firewalls are available that examine different aspects of network traffic. All firewalls compare this traffic against a set of rules that mediate the flow of packets. As a business grows, the rule set grows to account for new risks, network segments, and users. The implications of evolving threat vectors were among the discussion topics at the Black Hat briefings. Avishai Wool, CTO and co-founder of Algosec, and I discussed the factors that influence firewall efficacy. According to Mr. Wool, poor change management leads to a redundant rule set. “25% of firewall changes,” said Wool, “are unnecessary.” Algosec’s firewall monitoring, testing, and rule optimization products provide powerful tools to the enterprise. If the organization does not understand its risk exposure, these tools are of little use. Firewalls, said Wool, must be considered in the following activities: Risk Management, Data Consolidation, and Change Management.

Risk Management

According to the SANS Institute, “firewall rules are a reflection of a company’s security policies, business goals, and organizational changes.”  Firewall configuration must therefore be coordinated with management to ensure that all risks are taken into account.  While firewalls mitigate certain risks, it is important to note that they introduce other risks into the environment.  Management may perceive the firewall as a panacea and develop a false sense of security.  If the firewall purchase decision was not guided by a risk assessment, the organization may still be open to certain attack vectors.

Compliance requirements are a major driver for taking the firewall into account when formulating a risk management plan. PCI DSS audits, for example, include an examination of firewall rules and configuration. Those responsible for the firewall(s) must be able to show a clear connection between a risk and its mitigating rules or settings. “Firewall administrators must be able to simulate the effect of different policies on the network architecture in order to find the optimal solution. Since business risk is dynamic, there is no perfect rule set. That is why risk management is critical,” said Wool.

Data Consolidation

Security-in-depth is a model in which an asset is protected by several processes and devices to minimize the odds of compromise. The SANS Institute, for example, recommends that a firewall be complemented by the use of an intrusion detection system, deep packet inspection (DPI), and an anti-virus/anti-spam/anti-malware solution. Individually, each piece of this architecture handles different threat vectors. While firewalls may detect a port scanning attack, they may not notice a SQL injection exploit that might be detected through DPI.

Avishai Wool agrees that a layered architecture handles a variety of threat vectors effectively. He adds that the information from each component must be consolidated for use in analyzing the firewall rules. “By combining the logs that show rule usage with routing data or intrusion detection logs, for example, we can accurately discern the risk landscape,” said Wool.

Change Management

Economic pressures are driving companies to squeeze more value from their existing infrastructure. This includes security investments such as firewalls. Firewalls configured for different parts of the enterprise might be consolidated to reduce costs. The unified configuration may contain contradictory or redundant rules. At the very least, this scenario will lead to a performance hit on the firewall because every rule demands processing power. On the more extreme end, your control over network traffic will be affected and your environment opened to attack. According to Mr. Wool, “any enterprise change that involves a firewall requires a review of the rule set to ensure they address the associated risks.”
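The check below is an added example, not code from this post or from any Algosec product: it flags rules in a consolidated rule set that can never take effect because an earlier rule already matches all of their traffic. It assumes first-match evaluation and only detects full coverage by a single earlier rule; the `Rule` fields and the sample rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    return (
        ip_network(later.src).subnet_of(ip_network(earlier.src))
        and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
        and earlier.proto in ("any", later.proto)
        and earlier.ports[0] <= later.ports[0]
        and later.ports[1] <= earlier.ports[1]
    )

def audit(rules):
    """Return (later_name, earlier_name, kind) for each rule that can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "contradictory"
                findings.append((later.name, earlier.name, kind))
                break  # under first-match, the first covering rule wins
    return findings

# Constructed rule set: two site policies merged onto one firewall.
MERGED = [
    Rule("hq-1", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("hq-2", "deny", "0.0.0.0/0", "192.0.2.0/24", "any", (0, 65535)),
    Rule("branch-1", "allow", "10.20.0.0/16", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("branch-2", "allow", "10.20.0.0/16", "192.0.2.25/32", "tcp", (22, 22)),
    Rule("branch-3", "allow", "10.20.0.0/16", "198.51.100.0/24", "tcp", (80, 80)),
]

if __name__ == "__main__":
    for later, earlier, kind in audit(MERGED):
        print(f"{later} is {kind}: fully covered by earlier rule {earlier}")
```

A "redundant" finding only costs processing time; a "contradictory" one means the merged order has silently overridden what one site's policy intended, so it needs a decision from the rule's owner rather than a deletion.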

In an October 2008 SC Magazine article, Christophe Briguet recommended a centralized rule management system. “This not only simplifies management, but also protects against employees leaving or taking your policy configuration expertise with them.” While a review of management solutions is outside the scope of this post, I have included three guidelines that SearchSecurity recommends be applied to any change approach.

  • Keep the rule base simple
  • Document every rule
  • Implement a change-control policy

Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.