The secrets of proper firewall maintenance and security testing techniques
The Verizon 2015 PCI Compliance Report cited a lack of firewall maintenance and security testing as major causes for compliances breaches. Expert Kevin Beaver offers tips to successfully manage these tasks.
When it comes to firewalls and compliance, the Verizon 2015 PCI Compliance Report is very telling. It reveals a lack of firewall maintenance and security testing are two of the major issues that cause businesses to not only fail PCI DSS compliance, but also suffer data breaches.
According to the report, a mere 27% of organizations that experienced a data breach in 2014 met PCI DSS's firewall maintenance requirements.
While I don't agree with the report where it says a firewall is an organization's first line of defense, since it likely doesn't address the enterprise's mobile workforce, firewalls are no doubt a critical component of security and compliance, especially in terms of network segmentation and PCI scope reduction. Regardless of how "old school" perimeter security controls may seem, they are necessary enterprise controls.
Despite this well-known fact, there are gaps in the ways enterprises perform firewall maintenance in testing. In this tip, I will discuss these gaps and how to address them.
The firewall management problem
Whether you're responsible for overall information security for a small or medium-sized organization or you work on a dedicated firewall team at a large enterprise, the underlying challenges associated with firewall administration, maintenance and testing are very similar.
A major issue is time -- or lack of time management. Some of it is budget related. Then there's the issue of "shadow IT" -- where employees are calling the shots and making changes.
Security testing must go beyond a firewall rule base analysis or mere audit.
There's also shelfware, where good tools are purchased but not implemented or implemented incorrectly. As the Verizon report said, "We have seen instances of organizations having a next-generation firewall but not using its application-aware functionality, thereby exposing their network to threats exploiting social media applications and port-hopping attacks." I see this phenomenon in my work quite often.
Solving the problem
Given the aforementioned challenges and complexities, how does one get their arms around their enterprise firewalls and effectively manage its rule bases and continually seek out the weaknesses?
Several other must-haves for improving firewall management, handling changes and minimizing risks include:
Management has to be on board with security and have a clear picture of where things currently stand and the challenges their organization is up against. No buy-in, no support -- it's that simple.
Communication must be improved among all key teams including the firewall team, security team, IT operations and the helpdesk. I've seen countless IT departments where no one is communicating internally within the department as well as with outside business units. When communication breaks down, all bets are off.
True business continuity and incident response procedures must be in place in the event of an outage or breach. Otherwise, a company will be winging it at the most inopportune time.
Reasonable standards should exist across a firewall environment. I see many networks that have one of each vendor's firewalls. While some vendors' products work better than others for certain things, and even though an organization might need a next-generation firewall for just one area of the network, it would help simplify things if the enterprise is running the same or similar systems across the board.
Security testing techniques must go beyond a firewall rule base analysis or mere audit. This includes running vulnerability scanners (network and Web) and any other tools such as Metasploit and even a network analyzer required to poke and prod to uncover firewall vulnerabilities. Odds are good that organizations will find issues such as weak passwords, outdated protocols such as SSL and SSH version 1, and cross-site scripting if they look deeply enough.
Measure what needs measuring such as security testing and vulnerabilities discovered, risky firewall rules, outdated rules that have been purged and the like. This testing should be done periodically and consistently, i.e., every quarter or bi-annually, or after any major system changes. Some enterprises use tools, such as AlgoSec Firewall Analyzer, to do this in near real time. Once an organization establishes its testing processes, this is something that can be completed in mere minutes. When an organization measures its progress in areas such as these, it'll hold itself to a higher standard and see to it that it stays on top of firewall oversight.
As the personnel responsible for firewall resiliency, security pros must strike a balance between security and reality.
Enterprises can go on to implement ITIL or other formal change management processes if necessary; many have. However, it is important to note that if people don't follow procedures, then they're merely for show. Let me give you an example: I once worked on a project for a large e-commerce business. One day, rather than following the established change management process, members of the firewall team made some out-of-band (and untested) changes to their core firewall. Unfortunately, during this process, the firewall rule base became corrupted and all communication between its e-commerce application and the Internet stopped. This core application was down and ended up costing the business a quantifiable six-figure dollar amount in mere hours.
As the personnel responsible for firewall resiliency, security pros must strike a balance between security and reality. Never let auditor or compliance-induced red tape get in the way of work. If an enterprise puts some thought into its approach, uses the right tools and makes the procedures work in its environment based on its needs, firewall maintenance and management can be properly done.
In the end, it is important to ask: when it comes to firewall management and compliance oversights, do we have a technical problem or a people problem? More government and industry regulations or a new approach to fix these challenges won't fix the problem, but discipline can: Discipline to understand where the risks are; Discipline to get -- and keep -- management on board with security initiatives; Discipline to do what needs to be done, and then do it over and over again to the best of our abilities.
Jim Rohn once said, "Success is easy, but so is neglect." Firewall maintenance and management problems don't just rear their ugly heads all of a sudden; it takes time making a series of bad decisions -- or no decisions at all, like when management refuses to fund the necessary tools and training or when IT professionals make no effort to communicate better with management. When critical systems such as firewalls -- and their increasingly complex rule bases -- are neglected, that's when bad things happen and the organization's true view of security comes to light.
About the author: Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.
