A recent NSS Labs report indicated that a next-generation firewall (NGFW) often will have poor management capabilities. When they evaluate vendors, what should organizations look for in terms of NGFW management options?
Ask the expert
When managing any device, the primary concern is balancing ease of access for administrators with difficulty of access for everyone else. When an organization researches management options for NGFWs, it's critical that it first determine whether administrators will be allowed to access the management interface from outside the network perimeter. There is no right or wrong answer: It's up to each organization to decide if it is willing to accept the associated risks in allowing remote firewall administration.
If your organization does decide to allow administrators to access the management interface externally, you must make the following three additional management determinations:
- Does the next-generation firewall have a built-in Web server for management purposes? If so, is access to the Web server encrypted? Many administrators prefer the convenience of a graphical user interface, and this may be the route to take if it has been determined that the connection to the GUI is made over SSL.
- Does the administrator absolutely have to access the Web server? It may be a better option to have administrators access the interface via the command line. This way, you don't have to worry about security holes in the Web server configuration; you simply pull up a shell and get to work.
- Is the out-of-the-box configuration of the management interface good enough, or is additional configuration needed? Many times this is overlooked by system administrators and often leads to security breaches. For example, security personnel must determine whether encryption has been turned on by default or some box needs to be checked in order to activate it. You'd be surprised at how often default configurations are ignored, and you'd be equally surprised to find out how often this leads to disastrous hacks that easily could have been prevented if a little more time had been spent going over default configurations.
As it specifically relates to NGFW application management, however, I would suggest someone from your organization delve into the robustness of the various application signatures written by each vendor. This may take a high level of sophistication, and therefore is easier said than done. In the absence of an application signature analyst, I would recommend throwing different kinds of traffic against your firewall and using a packet capture tool (such as Wireshark) to verify that the firewall is indeed blocking what it is supposed to be blocking.
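The verification step above, as an added example that is neither the column's own code nor any vendor's tool: a small Python parser that reads a classic pcap (the format tcpdump writes) and reports, for a deny-list of host:port pairs, which of them nevertheless answered with a SYN/ACK in the capture, meaning the firewall let the handshake complete. The policy, the addresses and the capture bytes are all constructed inline so the script runs offline.

```python
import struct

DENIED = {("10.0.0.5", 23), ("10.0.0.5", 445)}   # constructed policy: telnet and SMB to this host must be blocked

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP headers, no payload; only the fields we inspect are meaningful."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every TCP-over-IPv4 frame in the capture."""
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield src, dst, sport, dport, frame[14 + ihl + 13]

def leaked_connections(pcap, denied):
    """Return the denied (host, port) pairs for which the capture contains a SYN/ACK
    sent from that host:port, i.e. the firewall let the handshake complete."""
    SYN_ACK = 0x12
    leaks = {(src, sport) for src, _, sport, _, flags in iter_tcp(pcap)
             if flags & SYN_ACK == SYN_ACK and (src, sport) in denied}
    return sorted(leaks)

# Constructed capture: telnet handshake completes (leak), SMB SYN gets no reply (blocked).
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.10", "10.0.0.5", 40001, 23, 0x02),
    tcp_frame("10.0.0.5", "192.168.1.10", 23, 40001, 0x12),
    tcp_frame("192.168.1.10", "10.0.0.5", 40002, 445, 0x02),
])

if __name__ == "__main__":
    print("handshakes that should have been blocked:", leaked_connections(SAMPLE_PCAP, DENIED))
```

To run it over a real test, replace SAMPLE_PCAP with the bytes of a capture taken behind the firewall with tcpdump -w (classic little-endian pcap, not the pcapng format Wireshark saves by default).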
This was first published in October 2013