Is your firewall smarter than a 5th-grader?

Jul 14, 2015 | 5 mins
Network Security | Security

If you did not set it up carefully, it may not be

The firewall, long considered the fundamental means of protecting a network perimeter, has become somewhat ubiquitous of late. As proof of this, I did a brief interview with my 10-year-old nephew, a recent 5th-grade graduate. I asked him if he knew what a firewall was, to which he replied with a reasonable definition. He then proceeded to explain that it was necessary to forward ports on a firewall to play certain online games.

Despite a large part of the population knowing what a firewall is, many organizations either don’t have one, or have one that is not implemented properly. According to a 2012 study by Symantec, 46% of corporate information resides outside of a firewall. While that number has no doubt improved, I suspect it is still unacceptably low.

For those without a firewall, the answer is simple — get one. My concern today, however, is those who have one that is not configured or working correctly but who draw a false sense of security because of its presence. Having one does little good if it functions like a 5th-grader installed it.

There are a very large number of firewall products on the market today. While some have complex capabilities, requiring strong expertise to configure, many are designed for “easy” installation by individuals in smaller businesses with limited technical knowledge. These firewalls get connected and undergo very basic configuration, after which the installer rests comfortably in the knowledge that their network is “protected.”

In my experience, a firewall configured by someone who has not done their homework is of limited value. While I intend no offense in making a comparison between these individuals and the average 5th-grader, the result is the same.

Small and medium-size organizations do not have an exclusive on poorly functioning firewalls, however. I have reviewed many enterprise firewalls that have major configuration issues. In these cases, the installers know better, but due to a lack of care, or the failure to recognize the firewall as a living, evolving entity requiring regular attention, they don’t function as intended.

Hopefully, you are now rethinking your false sense of security in having one. Great. Admitting you might have a problem is the first step. Now, how do you sort out whether or not it is providing the protection you need? The following are some specific suggestions:

Check the vintage

A firewall, much like any other technological device, needs to be refreshed periodically. According to a recent study by Sophos Security, 51% of organizations surveyed have a firewall that’s over three years old, and 34% had one over four years old. The life cycle of a firewall would vary based on whether the vendor continues to publish new firmware and add features, but in general, if your firewall is more than three years old, you need to take a hard look at it.

Review the configuration

Under normal circumstances, a firewall should deny all inbound traffic, with individual inbound rules added to allow for specific business needs. Your configuration should not have large blocks of inbound ports that are allowed. As a recent article in Business Solutions reminds us, controlling outbound traffic is important, too. You should be able to track any rule back to business documentation explaining why it is needed. If you can’t find that, it is time to start over with your configuration.
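The checks above (default deny inbound, no large port blocks, every rule traceable to documentation) can be automated against a rule dump. The following is an added example, not code from the article: it audits a constructed iptables-save dump against a constructed rule register; the 16-port threshold for a "large block" and the CHG- ticket names are assumptions.

```python
import re
# Constructed iptables-save dump of the INPUT chain (not a configuration from the article).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
COMMIT
"""
# Constructed rule register: the business documentation each inbound rule should
# trace back to, keyed by (protocol, port).
RULE_REGISTER = {
    ("tcp", 443): "CHG-101: public web site",
    ("tcp", 22): "CHG-102: admin SSH from the bastion host",
}
PROTO_RE = re.compile(r"-p (tcp|udp)\b")
DPORT_RE = re.compile(r"--dports? (\S+)")

def parse_inbound_accepts(dump):
    """Return (INPUT policy, [(proto, low, high), ...]) for ACCEPT rules with a dport."""
    policy, spans = None, []
    for line in dump.splitlines():
        m = re.match(r":INPUT (\w+)", line)
        if m:
            policy = m.group(1)
        if not (line.startswith("-A INPUT") and line.endswith("-j ACCEPT")):
            continue
        proto, ports = PROTO_RE.search(line), DPORT_RE.search(line)
        if not (proto and ports):
            continue  # e.g. the conntrack rule: no port to audit
        for span in ports.group(1).split(","):  # multiport: "80,443" or "1024:65535"
            low, _, high = span.partition(":")
            spans.append((proto.group(1), int(low), int(high or low)))
    return policy, spans

def audit(dump, register, max_ports=16):
    """Flag a non-DROP default policy, spans wider than max_ports (assumed
    threshold for a 'large block'), and spans not fully covered by the register."""
    policy, spans = parse_inbound_accepts(dump)
    findings = {"default_deny": policy == "DROP", "wide_rules": [], "undocumented": []}
    for proto, low, high in spans:
        if high - low + 1 > max_ports:
            findings["wide_rules"].append((proto, low, high))
        if any((proto, p) not in register for p in range(low, high + 1)):
            findings["undocumented"].append((proto, low, high))
    return findings
```

On the sample, the 1024:65535 block is reported both as wide and as undocumented, and the UDP 500 rule as undocumented; either finding means the rule needs a justification or needs to go.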

Check your firmware

The firmware on your firewall should be the most recent production release available from the manufacturer, and the release should be recent. If you discover that the manufacturer has not issued a release in some time, consider replacement. If your firmware is behind, get it updated as quickly as feasible.

Test it

The best way to know if your firewall is functioning properly is to test it. The comprehensive approach to this is a penetration test, often conducted by an outside organization. Penetration tests find open ports, which you then compare to your documentation. Additionally, these tests usually look for any major vulnerabilities resulting from any open ports. Such a penetration test is recommended at least yearly. There are software products readily available to allow you to perform some testing yourself. Nmap is an open-source tool allowing you to perform a basic test. There are various commercial self-service tools, such as Metasploit, which has free (not for the faint of heart) and paid versions available, and Nessus.
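The "compare open ports to your documentation" step can be scripted from nmap's grepable output (`nmap -oG`). This is an added example, not code from the article: the scan output, the host address and the documented exposure are constructed.

```python
# Constructed nmap -oG (grepable) output for one host; not a scan from the article.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (996)\n"
    "# Nmap done (constructed sample)\n"
)
# Constructed documentation: the inbound exposure each host is supposed to have.
DOCUMENTED = {"203.0.113.10": {("tcp", 22), ("tcp", 443), ("udp", 500)}}

def open_ports(grepable):
    """Map host -> {(proto, port)} for every port nmap -oG reports as open."""
    observed = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each tab-separated field is "Name: value"; the Ports field holds
        # port/state/proto/owner/service/rpc/version entries separated by ", ".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # the "Status: Up" line carries no port data
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                observed.setdefault(host, set()).add((proto, int(port)))
    return observed

def reconcile(grepable, documented):
    """Compare observed open ports with the documented exposure per host.
    'undocumented' is exposure nobody signed off on; 'not_observed' is documented
    exposure the scan did not see (stale rule, host down, or a protocol the scan
    did not cover: a TCP-only scan never confirms a UDP rule)."""
    observed = open_ports(grepable)
    report = {}
    for host in observed.keys() | documented.keys():
        seen, allowed = observed.get(host, set()), documented.get(host, set())
        report[host] = {
            "undocumented": sorted(seen - allowed),
            "not_observed": sorted(allowed - seen),
        }
    return report
```

On the sample, TCP 3389 is open but undocumented and is the finding to chase first; UDP 500 shows as not observed only because the scan was TCP-only, so run a UDP scan before calling that rule stale.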

Treat it like a living entity

Your firewall may work fine today, and have a major vulnerability tomorrow. You need to monitor the logs, keep track of the firmware, and review the settings against your documentation to ensure that no unauthorized changes happen.

If you have decided that a refresh is appropriate, there are many to choose from, and no choice that is right for everyone. The following are some points to consider:

  1. Look for a model that integrates next-generation features, such as intrusion prevention and deep packet inspection.
  2. Consider your network capacity requirements, now and in the next couple of years. You don’t want the firewall to end up constraining your network.
  3. If you are thinking about improving the design of your network, such as implementing Zero Trust, make sure the features and port capacity support your plan.
  4. Consider the warranty and service plans available. Your firewall is the core of your network, and if it is down, so are you. Many vendors offer overnight replacement of failed units, but if that is not quick enough, redundant products are readily available.
  5. Decide who should install it. I recommend against asking your 5th-grader. While I believe that many organizations have the ability to handle installation themselves, this might be a good opportunity to use a third party for more expertise and objectivity.

Bottom line: If your firewall is not smarter than a 5th-grader, you need to fix it, today.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
