Information Security Magazine
Mixed Signals
by Eric Cole
Issue: Nov 2005
BITS & BOLTS
Conflicting firewall rule sets can make policing your network a nightmare. Here's how to keep traffic flowing smoothly.

Imagine bearing down on a busy intersection. A traffic cop is furiously waving you on, but as you approach, you notice he's also waving on traffic from the cross street with his other hand. In the ever-changing business environment, this is what security managers face every day: increasingly complex and dynamic enterprise networks, where the left hand doesn't know what the right hand is doing.

Administering additional access control devices and maintaining consistent firewall rules throughout this evolving labyrinth can be a nightmare. Layered controls, multiple network entry points and tools that trigger automated changes conspire to produce conflicts and holes in your rule sets, which can impede and shut down legitimate business traffic and expose your enterprise to attack.

But, if you understand how access control rule sets get confused and follow industry best practices to maintain consistency, you can keep your network traffic flowing smoothly.

Layered Confusion
A tiered architecture built on multiple layers of access control provides a strong defense-in-depth strategy. But, this approach is only effective if the rules are consistent and you have established processes and policies. Poor planning, inadequate change control and lack of communication can turn layered access controls into security liabilities.

Well-designed ordering of rules among tiered devices is critical. Adding or modifying rules requires careful analysis and controlled change processes to avoid conflicts (see "Firewall Rule Conflicts," right). For example, if an upstream device blocks traffic or closes a port that a downstream device allows, the latter rule will never be activated, making it superfluous at best. There are endless permutations of these types of conflicts, which can disrupt your business and leave undetected gaps in your defenses.

Firewall rule conflicts (sidebar): Inconsistent firewall rule sets can cause problems in your increasingly complex and dynamic enterprise network.

Promulgating rules must be a formal process: Your organization must create a configuration control board to review and approve modifications to rule sets, the insertion and removal of security devices and any other network changes that affect access control. This is particularly important when new applications are being introduced. The board should include voting representatives of key stakeholders: the business owner, the data owner, the data center manager and the security manager.

Despite your best efforts, rule sets will degrade over time. At least quarterly, devices should be tested for integrity, configuration errors and firewall rule set consistency.

The most accurate--albeit the most tedious and resource-intensive--testing is to compare hard copies of the current rule sets to those set out by the policy and look for discrepancies. By also running a vulnerability assessment scan against the firewall, you should find most rule discrepancies.
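The two checks described above, the tier-ordering analysis of "Layered Confusion" and the quarterly comparison of a device's current rule set against the approved policy, can be scripted. What follows is an added example written for this article, not a tool the author describes: it assumes first-match semantics on each device, IPv4-only rules, a constructed one-line rule format (`action proto src -> dst port`), and a topology in which every flow reaching the downstream (internal) firewall has already passed the upstream (perimeter) one. All addresses and rules are constructed.

```python
"""Consistency checks for tiered firewall rule sets (added example; all rules constructed)."""
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range                      # destination ports; range(0, 65536) means any
    comment: str = field(default="", compare=False)  # ignored when comparing rules

def parse_rule(line):
    """Parse one constructed-format line: 'allow tcp 0.0.0.0/0 -> 192.0.2.10/32 443  # note'."""
    text, _, comment = line.partition("#")
    action, proto, src, _arrow, dst, port = text.split()
    if port == "any":
        ports = range(0, 65536)
    else:
        lo, _, hi = port.partition("-")        # single port or lo-hi range
        ports = range(int(lo), int(hi or lo) + 1)
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), ports, comment.strip())

def parse_ruleset(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and a.ports.start <= b.ports.start and a.ports.stop >= b.ports.stop)

def intersects(a, b):
    """True when at least one packet is matched by both rules."""
    return ((a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports.start < b.ports.stop and b.ports.start < a.ports.stop)

def shadowed_rules(rules):
    """Same-device check: a rule fully covered by an earlier rule never fires."""
    found = []
    for i, r in enumerate(rules):
        for j in range(i):
            if covers(rules[j], r):
                kind = "conflict" if rules[j].action != r.action else "redundant"
                found.append((i, j, kind))
                break
    return found

def dead_downstream_rules(upstream, downstream):
    """Cross-tier check: downstream allow rules whose whole match space the upstream
    device denies first (assumes all downstream traffic passed the upstream device)."""
    dead = []
    for i, r in enumerate(downstream):
        if r.action != "allow":
            continue
        first = next((u for u in upstream if intersects(u, r)), None)
        if first is not None and first.action == "deny" and covers(first, r):
            dead.append(i)
    return dead

def policy_drift(approved, current):
    """Rules on the device but absent from the approved baseline, and vice versa."""
    unapproved = [r for r in current if r not in approved]
    missing = [r for r in approved if r not in current]
    return unapproved, missing

# Constructed rule sets: perimeter firewall (upstream), its approved baseline, internal firewall (downstream).
PERIMETER = parse_ruleset("""
allow tcp 0.0.0.0/0      -> 192.0.2.10/32 443        # public web server
allow tcp 203.0.113.0/24 -> 10.1.0.0/24 1024-65535   # partner to app servers (broader than approved)
deny  tcp 0.0.0.0/0      -> 10.0.0.0/8 23            # no telnet into the internal net
deny  any 0.0.0.0/0      -> 0.0.0.0/0 any            # default deny
""")
APPROVED_PERIMETER = parse_ruleset("""
allow tcp 0.0.0.0/0      -> 192.0.2.10/32 443        # public web server
allow tcp 203.0.113.0/24 -> 10.1.0.0/24 5432         # partner to database only
deny  tcp 0.0.0.0/0      -> 10.0.0.0/8 23            # no telnet into the internal net
deny  any 0.0.0.0/0      -> 0.0.0.0/0 any            # default deny
""")
INTERNAL = parse_ruleset("""
allow tcp 203.0.113.0/24 -> 10.1.0.5/32 5432         # partner to database
deny  tcp 203.0.113.7/32 -> 10.1.0.5/32 5432         # revoked host: shadowed by the allow above
allow tcp 203.0.113.0/24 -> 10.1.0.20/32 23          # dead: the perimeter denies telnet first
deny  any 0.0.0.0/0      -> 0.0.0.0/0 any            # default deny
""")

def audit():
    unapproved, missing = policy_drift(APPROVED_PERIMETER, PERIMETER)
    return {"internal_shadowed": shadowed_rules(INTERNAL),
            "internal_dead": dead_downstream_rules(PERIMETER, INTERNAL),
            "perimeter_unapproved": unapproved,
            "perimeter_missing": missing}

if __name__ == "__main__":
    print(audit())
```

The cross-tier check is deliberately conservative: it reports a downstream rule as dead only when the first upstream rule that touches its traffic is a deny covering all of it, so it produces no false positives under first-match semantics, at the cost of missing rules that are denied piecemeal by several upstream entries. The policy comparison ignores comments, so a re-commented but otherwise identical rule is not flagged as drift.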

Multiple Entry Points
Networks have evolved from a single point of Internet entry to a porous conglomerate of external connectivity. The most important step in managing multiple firewalls is the initial build and configuration: Each firewall must be fully documented to provide a baseline description against which subsequent changes can be tracked.

Also, each firewall must provide the least amount of access required for business functions. For example, an external supplier's entry point should be restricted to the resources necessary for the transaction, such as specific Web sites and databases.

NAT and VPNs further complicate the management of multiple firewalls. When they coexist on the same device, NAT and VPN rules must be compatible with firewall rules.

Case in point: The firewall closest to your private network usually contains the NAT rules. However, if you want all of the tiered firewalls to differentiate between users, the outermost Internet-facing firewall needs to have NAT functionality, which could add complexity to setting up the networks between the firewalls.
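The case in point above can be traced packet by packet. The following is an added example, not code from the article: it models each tier as filtering the packet it receives and only then applying source NAT (the order an iptables FORWARD filter and POSTROUTING SNAT pair uses), and it compares NAT on the inner firewall with NAT moved to the perimeter. All addresses, rules and the `outbound_path` helper are constructed for the illustration.

```python
"""Where NAT sits in a tiered design decides what the outer firewall can see (added example)."""
import ipaddress

def first_match(packet, rules):
    """First-match filter; rules are (action, src, dst, dport) with '*' as a wildcard."""
    for action, src, dst, dport in rules:
        if all(want in ("*", got) for want, got in
               ((src, packet["src"]), (dst, packet["dst"]), (dport, packet["dport"]))):
            return action
    return "deny"                                     # implicit default deny

def apply_snat(packet, snat):
    """Source NAT: snat maps an inside network (CIDR string) to one outside address."""
    for inside_net, outside in snat.items():
        if ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(inside_net):
            return {**packet, "src": outside}
    return packet

def outbound_path(packet, tiers):
    """Carry an outbound packet through (name, rules, snat) tiers in order.
    Returns (tier, source address the tier saw, decision) for each tier reached."""
    trace = []
    for name, rules, snat in tiers:
        decision = first_match(packet, rules)         # filter on the address as received
        trace.append((name, packet["src"], decision))
        if decision == "deny":
            break
        packet = apply_snat(packet, snat)             # translate only after the filter passed
    return trace

def final_decisions(tiers, packets):
    """Map each original source address to the last decision made for it."""
    return {p["src"]: outbound_path(p, tiers)[-1][2] for p in packets}

# Constructed scenario: only workstation 10.1.0.7 may reach a partner database.
PARTNER_DB = "203.0.113.50"
INTERNAL_RULES = [("allow", "*", PARTNER_DB, 5432), ("deny", "*", "*", "*")]
PERIMETER_RULES = [("allow", "10.1.0.7", PARTNER_DB, 5432), ("deny", "*", "*", "*")]
SNAT = {"10.1.0.0/24": "198.51.100.1"}               # whole office behind one public address
PACKETS = [{"src": s, "dst": PARTNER_DB, "dport": 5432} for s in ("10.1.0.7", "10.1.0.8")]

# Design A: NAT on the inner firewall. The perimeter only ever sees 198.51.100.1,
# so its per-user rule can never match and every user is denied.
NAT_INSIDE = [("internal-fw", INTERNAL_RULES, SNAT), ("perimeter-fw", PERIMETER_RULES, {})]
# Design B: NAT moved to the perimeter, which still filters on the real source address.
NAT_OUTSIDE = [("internal-fw", INTERNAL_RULES, {}), ("perimeter-fw", PERIMETER_RULES, SNAT)]

if __name__ == "__main__":
    print("NAT inside :", final_decisions(NAT_INSIDE, PACKETS))
    print("NAT outside:", final_decisions(NAT_OUTSIDE, PACKETS))
```

In design A the per-user rule on the perimeter is not wrong, it is unreachable: the address it keys on has already been rewritten one hop earlier, which is exactly the kind of silent conflict a rule-by-rule review will not catch unless the NAT table is reviewed alongside the filter rules. Design B restores per-user enforcement at the outer tier, at the cost the article notes: the inter-firewall network now carries untranslated internal addresses and the perimeter device takes on NAT state.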

All Rights Reserved, Copyright 2003 - 2008, TechTarget