Firewalls are both simple and complex. They’re simple in the sense that they have one function: To permit or deny traffic in and out of an organization. They’re complex in that the configuration process isn’t as easy as it may seem, and companies may unknowingly set themselves up for vulnerabilities via improper firewall usage.
I spoke with Matt Glenn, vice president of product management at Illumio, a cloud computing security organization, to get some industry insights.
Scott Matteson: How are organizations misusing their firewalls?
Matt Glenn: In much the same way that it is hard to fasten a Phillips-head screw with a hammer, it turns out that firewalls are not always the best tool for every job. Firewalls were built to protect the perimeter. Put another way, they separate a trusted internal network or cloud from the untrusted outside. However, they were not designed for efficient internal data center or cloud segmentation, despite being called on frequently to do that job.
According to recent findings from Illumio, 86% of respondents were using firewalls to do internal network segmentation–not perimeter defense. This means that over three-fourths of organizations are calling on firewalls to do something they were not originally intended to do. In that sense, they are being misused.
Scott Matteson: What can be done to remedy this?
Matt Glenn: The first thing organizations need to do is recognize that firewalls can, indeed, help with many security challenges, but they should not be used to solve everything. They were designed to protect the perimeter and keep threats out, but in many cases have also been tasked with segmentation. Recognizing what your firewall can and should be used for, and implementing alternative solutions to fill the gaps, is your first step toward finding a remedy.
SEE: Security Response Policy (TechRepublic Premium)
Scott Matteson: What are some of the security risks and threats associated with improper firewall management?
Matt Glenn: There are two common issues:
Organizations think their firewall is protecting them, but they have written overly permissive rules. This gives the advantage to an attacker who has more surface area to deal with. I have seen organizations put a firewall between two zones, but will permit nearly anything–this satisfied an auditor that a zone was firewalled off, but it does not protect against anything. What’s more, as firewall rules grow, there is a higher probability that they will have a misconfiguration that will leave them exposed.
The “provision and pray” problem is when an organization provisions a firewall rule and then they get a call that the rule broke something. This speaks directly to the complexity of managing complex rules, especially in an increasingly agile world.
Scott Matteson: Where are the current pain points with firewall management?
Matt Glenn: According to Illumio’s recent survey, the size and complexity of firewalls tend to be two of the largest problems for organizations when it comes to firewall management. When you think about the number of firewall rules per device and multiply that with the many firewalls an organization deploys, it’s an intricate web that is complex and hard to manage.
Illumio’s report also found that the average time for respondents to deploy and tune firewalls for segmentation was one to three months. What’s more, more than two-thirds of respondents acknowledged that firewalls make it hard to test rules prior to deploying, making it easier to accidently mis-configure rules and break applications.
SEE: Launching a career in cybersecurity: An insider’s guide (free PDF) (TechRepublic)
Scott Matteson: Can you offer up some advice or solutions on how to alleviate those issues?
Matt Glenn: The classic way that organizations think they will solve this problem, but fail, is to purchase a firewall management tool. Organizations that have changed from one to another and then to a third because of the pain of managing these solutions (in addition to the firewall) know that these products help with compliance, but don’t really make life easier.
A better solution is to get the “firewall” out of the way for East-West traffic. This is the route that SDN (software-defined networking) and host-based segmentation advocate for and how organizations are increasingly moving. The firewall is then used for what the firewall was intended: Perimeter defense.
Scott Matteson: What are the ideal configurations and implementations?
Matt Glenn: There is a misconception that implementing a segmentation solution is hard, but it doesn’t have to be. This misconception is because people think about rearchitecting the network when they think segmentation. It doesn’t have to be. If network segmentation (for broadcast domains) is decoupled from security segmentation (for isolation), then configuration is actually simple. It starts with visibility to create security policies without breaking the network. Ideally, the best segmentation solutions are host-based and not based on legacy systems. This enables a more cost-effective and reliable approach.
Scott Matteson: Can you provide more details regarding segmentation solutions, like subjective examples, real-world usage, etc.?
Matt Glenn: There are really three approaches to how enterprises are trying to solve the problem (and vendors, too).
The Classic: This is using classic VLANs/zones coupled with firewalls. The biggest issue with this is that to insert a new firewall (to create compartments), an organization usually has to re-IP or re-VLAN their application. This is highly disruptive to a production network.
SDN: SDN requires an organization to upgrade infrastructure, though many organizations already have the right pieces. The problem is deriving what the right groupings are of workloads, meaning, which hosts belong in what VLANs. Organizations that have purchased Cisco’s ACI (application-centric infrastructure), which provides SDN, but have the infrastructure in network-centric mode (which is the vast majority of these deployments) are an example of the struggle of SDN. Organizations that have NSX for automation, but struggle to get to enforcement, are another example. Another challenge with SDN is that your physical network does not extend to the public cloud.
Host-Based: This approach uses the stateful firewalls that are already in the host to enforce security segmentation. Interestingly, the SDN and firewall vendors are now introducing products that are host-based.
Scott Matteson: What are some other network management strategies and solutions that can help here?
Matt Glenn: The network management strategy that can help is simply to get the network out of the way.
Consider this. We have architected networks–for years–for reliable packet delivery and self-healing. Entire working groups in the IEEE and IETF were created to make resilient networks. Spanning Tree was created to ensure that there are no loops in a network. If the layer-2 topology of a network changes, Spanning Tree recomputes, and packets reliably flow. Thank you, Radia Perlman!
For layer-3 networks, we use protocols like OSPF and BGP to ensure that if a layer-3 network breaks,or a new network is created, that packets reliably flow.
Segmentation by its very nature is about reliably isolating things. When we couple segmentation (isolation) with reliable packet delivery (networking) we reliably break things. Anyone who has provisioned an ACL and then got a phone call that it broke something knows about this pain.
By unburdening the network from enforcing segmentation, the network can be reliable and agile (and not break because of segmentation).
SEE: IT pros admit to frustration with firewalls (TechRepublic)
Scott Matteson: How should IT staff be trained on what’s missing?
Matt Glenn: Segmentation as a practice is foundational to security frameworks like Zero Trust, which is a belief that defending the perimeter alone is no longer an effective strategy. Zero Trust implements methods to localize and isolate threats through techniques like micro-segmentation, and deep visibility to give organizations and IT teams a more organized approach limiting the impact of any breach. The more IT teams can accept this mentality, the better they can understand the benefits of new approaches to segmentation.
SEE: Why many security pros lack confidence in their implementation of Zero Trust (TechRepublic)
Scott Matteson: How will firewall usage and management evolve down the line?
Matt Glenn: Our hope is that users will realize that firewalls are great for their intended purpose: Securing the perimeter. But they tend to lose effectiveness when deployed across data centers and clouds for segmentation. Segmentation solutions and firewalls were designed to be complementary resources, not competitors. As organizations better understand their firewalls, they can also better understand the resources they have at their disposal to fill in the gaps, i.e. segmentation, to keep their data centers and clouds secure.