Firewalls are one of the core tools that organizations use to segment and protect critical and sensitive devices, data, networks, and other business assets. But firewalls can definitely be troublesome. Hardware firewalls can be pricey. Implementation and deployment can be complicated. And making changes to firewall rules can be tricky and time-consuming.

Released on Wednesday, a new report from Illumio illuminates how IT professionals deal with firewalls and reveals some of the challenges they face.


In an Illumio survey of more than 300 IT pros, 86% said they still use firewalls to segment their applications. Among the respondents, 66% said that the task of managing firewalls was extremely, very, or fairly challenging. Another 26% saw it as somewhat challenging. Only 8% didn’t consider it a challenge.

Obstacles involved in firewall management

Ranking the obstacles involved in firewall management, 67% of those surveyed pointed to the initial deployment and tuning measures, 67% cited the process of implementing changes, and 61% referred to the procedure for verifying changes.

Cost is another hurdle with firewalls. Depending on the size of the organization and the type of firewall, a single unit can cost anywhere from hundreds to thousands to tens of thousands of dollars and up. Some 68% of the respondents said they have a hard time receiving the necessary initial budget to purchase firewalls, while 66% bump into difficulty getting the funding to operate and maintain them.

Tweaking the rules on a firewall is yet another taxing task. Changes to code, applications, and processes can occur fast and furiously, requiring frequent updates to firewall rules. But a single firewall update can take one to two weeks, according to the survey. And such changes can sometimes be trial and error. More than two-thirds of the respondents cited the difficulty of testing changes to firewall rules before deploying them. The lack of a proper testing platform can lead to misconfigured rules that break applications.

Deploying and configuring firewalls

Deploying and configuring firewalls is another challenge. Large data center firewalls are usually dropped off at a loading dock and then require racking and stacking. During the tuning phase, hundreds or thousands of policy rules and the proper network segments must be established. A change control process must also be implemented. Among the respondents, 37% said that the initial deployment and tuning of their firewalls typically takes one to three months, 17% said it takes three to six months, and 7% six to nine months. Just 34% are able to perform this task in less than a month.

Juggling all the necessary firewall rules is one more struggle. Some 62% of the respondents said they have more than 1,000 rules on each firewall used to segment their network. Large organizations with multiple sites and multiple firewalls can have hundreds of thousands of firewall rules. Managing that massive set of rules is especially difficult when many of them have been around for years and no one wants to tweak them for fear of making a mistake.

Though many respondents find fault with firewalls, 57% are hesitant to stop using them because of the possible risks. Some are concerned about resistance to change within their organization, some are afraid of the problems that would arise, and others fear the troubleshooting headaches that might result from moving away from firewalls.

Despite the resistance, most of those surveyed said they have been evaluating software-defined networking (SDN), a more dynamic way of segmenting a network. Some are thinking of trying SDN for rudimentary segmentation. Almost 30% of the respondents said they are in the process of deploying SDN or have already done so.

Sponsored by Illumio and conducted by Virtual Intelligence Briefing, the survey was fielded in October 2019 and elicited responses from more than 300 IT professionals at mid- to large-sized companies, most with more than 1,000 employees.
