Solution: accept that the firewall is now a composite device or service amalgamating a range of security layers. It is as if organisations invented security starting with the firewall and have kept bolting functions onto it ever since. Worrying about this is futile.
Firewall management is an oxymoron
The treacherous zone of firewall management could consume whole seminars. The central structure of firewall security is the policy, a design challenge from which specific sets of rules emerge. The mechanics of this can quickly go wrong as organisations struggle with change management: devices, users and applications are granted access which must be revoked at a later date, and often is not. Cleaning up rule bases can be carried out through the firewall management systems that come with hardware platforms or through third-party management tools.
"New access is added but old, expired access is rarely removed. Consistent, repeatable processes are lacking. Complexity grows, efficiency suffers, and the probability of error and risk is greater," comments FireMon VP of customer technology, Tim Woods.
"The biggest problem is that administrators don't have visibility into their policies to see where redundant, hidden, shadowed, overly permissive, and outdated rules are, especially if they are running different types of firewalls in their environment."
Solution: third-party firewall management firms - FireMon, Algosec, Tufin - will obviously promote the benefits of specialized firewall management. The key is automation of change management. It is too expensive to pay people to do this by hand, and security teams must now let machines make some of these decisions.
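The redundant, shadowed and overly permissive rules Woods describes can be found mechanically, because a first-match rule base has a simple property: a rule that is entirely covered by an earlier rule never fires. The following is an added example (not code from the article or from any of the vendors named above) that applies that check to a small constructed rule base. The Rule format, the five sample rules and the function names are assumptions made for the example; real vendor exports would need their own parser in front of it.

```python
"""Static analysis of an ordered, first-match firewall rule base.

Reports rules that can never fire (shadowed by an earlier rule with a
different action, or redundant with an earlier rule of the same action)
and allow rules that match everything.  The rule format and sample data
are constructed for this example; they are not a vendor export.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # IPv4 CIDR
    dst: str        # IPv4 CIDR
    ports: tuple    # inclusive destination port range


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`,
    i.e. first-match evaluation never reaches `later`."""
    if earlier.proto != "any" and earlier.proto != later.proto:
        return False
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    ports_ok = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
    return src_ok and dst_ok and ports_ok


def is_any_any_allow(rule: Rule) -> bool:
    """An allow rule with no source, destination, protocol or port constraint."""
    return (rule.action == "allow" and rule.proto == "any" and rule.ports == ANY_PORTS
            and ipaddress.ip_network(rule.src).prefixlen == 0
            and ipaddress.ip_network(rule.dst).prefixlen == 0)


def analyse(rules):
    """Return (finding, rule_name, covering_rule_name_or_None) tuples in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if is_any_any_allow(rule):
            findings.append(("overly_permissive", rule.name, None))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break   # the first covering rule is the one that actually fires
    return findings


# Constructed sample rule base, evaluated top-down, first match wins.
SAMPLE_RULES = [
    Rule("web-in",             "allow", "tcp", "10.0.0.0/8",    "192.168.1.10/32", (443, 443)),
    Rule("block-dmz",          "deny",  "any", "0.0.0.0/0",     "192.168.1.0/24",  ANY_PORTS),
    Rule("web-in-branch",      "allow", "tcp", "10.1.0.0/16",   "192.168.1.10/32", (443, 443)),
    Rule("ssh-mgmt",           "allow", "tcp", "172.16.0.0/12", "192.168.1.20/32", (22, 22)),
    Rule("temp-vendor-access", "allow", "any", "0.0.0.0/0",     "0.0.0.0/0",       ANY_PORTS),
]

if __name__ == "__main__":
    for kind, name, by in analyse(SAMPLE_RULES):
        print(f"{kind:18} {name}" + (f" (covered by {by})" if by else ""))
```

On the sample, web-in-branch is redundant (web-in already allows it), ssh-mgmt is shadowed (block-dmz denies it first, so the access someone expects to work silently does not), and temp-vendor-access is the expired any/any allow that nobody removed. The check is per-pair, so it will not catch a rule covered only by the union of several earlier rules; that is the case where a dedicated management tool earns its keep.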
Will it work come the day?
No matter how good the policies and rule sets, the real test of a firewall is how it copes with day-to-day security events, which is what tells organisations how well things are going. A simple example is the way e-commerce infrastructure can be left exposed when a DDoS attack overwhelms the firewall in front of it. Firewalls often struggle with DDoS attacks, and more specialised mitigation is required. But even where the firewall is used as a first response mechanism, emergency changes can be tricky to make without causing major headaches later on: will the organisation have a good enough snapshot of the firewall's configuration at a given moment in time to go back to if a rapid re-configuration has to be made under duress? Too often organisations see snapshots only as insurance when applying software patches.
Solution: keep an offline backup image of each firewall's configuration, verified before it is needed, so that admins can reinstate a known-good state without going back to scratch and need not fear making changes in a security emergency.
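A snapshot is only insurance if it is still intact when the emergency arrives and if the operator can see what rolling back to it will undo. The following is an added example, not code from the article, of the minimal discipline around a configuration backup: each dump is stored with a SHA-256 sidecar, a snapshot whose digest no longer matches is refused, the newest snapshot that still verifies is selected, and the restore is previewed as a diff against the running configuration. The rulesets, file naming and function names are constructed for the example; actually loading the restored text onto a device is vendor-specific and is left to the operator.

```python
"""Versioned, integrity-checked firewall configuration snapshots with a rollback preview.

Added example: stores a ruleset dump next to a SHA-256 sidecar, refuses to
restore a snapshot whose digest no longer matches, picks the newest snapshot
that still verifies, and shows what a rollback would undo.  Pushing the
restored text to a device is vendor-specific and is left to the operator;
the rulesets below are constructed, not a real export.
"""
import difflib
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def take_snapshot(ruleset: str, store: Path, label: str) -> Path:
    """Write <utc-stamp>-<label>.rules plus a .sha256 sidecar; return the rules path."""
    store.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    path = store / f"{stamp}-{label}.rules"
    path.write_text(ruleset, encoding="utf-8")
    path.with_suffix(".sha256").write_text(sha256_text(ruleset) + "\n", encoding="utf-8")
    return path


def verify_snapshot(path: Path) -> bool:
    """True only if the sidecar digest matches the rules file as it is now."""
    expected = path.with_suffix(".sha256").read_text(encoding="utf-8").strip()
    return sha256_text(path.read_text(encoding="utf-8")) == expected


def latest_snapshot(store: Path):
    """Newest snapshot that still verifies, or None if every copy is damaged."""
    for path in sorted(store.glob("*.rules"), reverse=True):   # stamp prefix sorts by time
        if verify_snapshot(path):
            return path
    return None


def rollback_plan(running: str, snapshot: Path) -> list:
    """Unified diff from the running config to the snapshot: the changes a rollback undoes.
    Raises ValueError instead of restoring a snapshot that fails its integrity check."""
    if not verify_snapshot(snapshot):
        raise ValueError(f"{snapshot.name}: digest mismatch, refusing to restore")
    wanted = snapshot.read_text(encoding="utf-8")
    return list(difflib.unified_diff(running.splitlines(), wanted.splitlines(),
                                     fromfile="running", tofile=snapshot.name, lineterm=""))


# Constructed rulesets: the known-good baseline and a hurried change made during an incident.
BASELINE = "allow tcp 10.0.0.0/8 -> 192.168.1.10 443\ndeny any any -> 192.168.1.0/24\n"
EMERGENCY_LINE = "allow any any -> any   # opened under DDoS pressure"
EMERGENCY = BASELINE + EMERGENCY_LINE + "\n"


def demo() -> dict:
    """Run the scenario in a fresh temporary store and return what was observed."""
    store = Path(tempfile.mkdtemp(prefix="fw-snapshots-"))
    good = take_snapshot(BASELINE, store, "pre-change")
    tampered = take_snapshot(BASELINE, store, "tampered")
    tampered.write_text(EMERGENCY, encoding="utf-8")   # altered after it was taken
    try:
        rollback_plan(EMERGENCY, tampered)
        refused = False
    except ValueError:
        refused = True
    return {
        "good_verifies": verify_snapshot(good),
        "tampered_verifies": verify_snapshot(tampered),
        "latest_is_good": latest_snapshot(store) == good,
        "plan": rollback_plan(EMERGENCY, good),
        "noop_plan": rollback_plan(BASELINE, good),
        "tampered_refused": refused,
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["plan"]))
    print("tampered snapshot refused:", result["tampered_refused"])
```

The diff is the part worth looking at under duress: it shows the emergency any/any allow as the one line a rollback removes, so the operator knows exactly what they are giving back before they commit. Keep the store off the firewall itself and off the management host that an attacker would reach first.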
Logs are imperfect
Being able to make sense of log data is fundamental but is often limited by other factors. A firewall logs access and what has traversed the network, but it does not necessarily reveal the source or put that data into a useful context. It offers clues - such as whether traffic is moving in the right direction from a given server - but not the whole picture. A major security issue is simply checking who has access to the firewall itself, because unsuccessful logins are often the first symptom of things going awry.
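The one log the firewall does produce unambiguously is its own authentication log, and that is the one the paragraph above says to watch. The following is an added example, not code from the article, of detection logic run over a few constructed syslog-style lines: it counts failed admin logins per source inside a sliding window, raises an alert when a source crosses a threshold, and escalates when the same source then logs in successfully. The line format, the regular expression, the threshold and the alert names are assumptions for the example; real vendors use their own formats and the parser would need adjusting.

```python
"""Watch who is logging in to the firewall itself.

Added example: parses constructed, syslog-style authentication lines from a
firewall's management plane, flags a source that racks up repeated failed
admin logins inside a sliding window, and escalates when that same source
then succeeds.  Real vendors use their own log formats; the regex below is
written for the constructed lines only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso-timestamp> <host> auth: login <failed|ok> user=<u> src=<ip> method=<m>"
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth: login "
    r"(?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_auth(line: str):
    """Return a dict for management-plane auth lines; None for everything else
    (traffic logs, kernel DROP/ACCEPT lines, and so on)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_admin_login_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, src, user, failure_count) tuples, in time order."""
    events = sorted(filter(None, map(parse_auth, lines)), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src -> failure timestamps still inside the window
    already_flagged = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        recent = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        recent_failures[src] = recent
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("repeated_failed_logins", src, ev["user"], len(recent)))
        elif recent:
            # A success right after a burst of failures is the line worth paging on.
            alerts.append(("success_after_failures", src, ev["user"], len(recent)))
            recent_failures[src] = []
    return alerts


# Constructed sample: one source hammers the admin account and then gets in;
# a kernel traffic line is mixed in to show that non-auth lines are skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:09Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:15Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:20Z fw01 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.1 PROTO=TCP DPT=23
2024-05-01T10:00:22Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:30Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:41Z fw01 auth: login failed user=admin src=203.0.113.7 method=ssh
2024-05-01T10:00:55Z fw01 auth: login ok user=admin src=203.0.113.7 method=ssh
2024-05-01T10:02:00Z fw01 auth: login failed user=netops src=198.51.100.5 method=https
2024-05-01T10:03:00Z fw01 auth: login ok user=netops src=10.0.0.5 method=https
""".splitlines()

if __name__ == "__main__":
    for alert in detect_admin_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample the single failure from 198.51.100.5 stays below the threshold and the clean netops login produces nothing, which is the point: the alert that matters is the successful admin login from an address that had just failed six times. Tune the threshold and window to the real management-plane traffic, and ship the firewall's own auth log off-box, since an attacker who has just gained admin access is well placed to clear it.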