
Report: Firewall policy management is a hot mess

A new report from FireMon finds that firewalls are still a critical security component, but firewall policy management is a major pain point for admins.

IT professionals still see firewalls as a critical component of network security, but are having trouble keeping up with labor-intensive firewall policy management.

Those were the key findings in the newly released State of the Firewall report from Overland Park, Kan.-based security management firm FireMon LLC.

FireMon surveyed more than 700 IT security practitioners in October 2014 and found that, despite changes in both firewall and network technology, firewalls are still seen as a critical piece of the enterprise network security puzzle: Ninety-six percent of respondents said that a network firewall is just as critical as, or more critical than, ever before.

FireMon CEO Jody Brazil thinks that number might actually be higher. He suggested that some respondents said firewalls weren't important simply because the firewall is invisible in their particular role.

"If you manage an Amazon cloud server," said Brazil, "you may not notice, but you're still using an embedded firewall. Or, if your job is Web application security, a firewall has limited control there, but without one, you have to worry about the management servers on that box aside from applications."

Additionally, IT professionals believe the importance of firewalls is unlikely to diminish: 92% of respondents said firewalls would remain as critical or become more critical over the next five years, and indicated that this is due in part to the technology's evolution toward next-generation firewalls (NGFW).

According to FireMon, 66% of respondents said NGFW made up less than half of their total network infrastructure, including 12% who did not have any NGFW products deployed. A majority of respondents saw value in NGFW to provide intrusion prevention, application awareness and threat data integration.

Respondents displayed more limited trust that firewalls would continue to evolve to meet security needs as more organizations adopt software-defined networking (SDN) or cloud computing technology. More than three-quarters of respondents said they used virtualization platforms like VMware or OpenStack either "somewhat heavily" or "very heavily," and the vast majority (87%) saw value in having a firewall in those network environments right now.

However, only 43% said firewalls will adapt and continue to play an important role in SDN, while 40% said firewalls would have limited to no impact; 14% expected a new technology to replace firewalls in the cloud or on virtual networks.

Policy management pain

When asked which firewall challenge they viewed as most problematic, 52% of respondents said firewall rules and policies were too complex, 12% named firewall policy changes, and 11% rated firewall policy compliance as the biggest issue. Optimizing rule sets was also the most commonly cited challenge with NGFW.

FireMon found that even when choosing a new firewall, respondents were highly concerned with ease of management. A new firewall's manageability was rated as an important factor by 63%. Third-party integration capabilities were also seen as important, and Brazil attributed that to the widespread desire among FireMon customers to ease firewall operations management.

Brazil said that APIs and third-party integration can make it easier to manage a firewall, but policy management is a consistently difficult pain point for enterprises to overcome.

"Firewall policy and rule management is big, complex and hard to understand," Brazil said. "PCI is demanding that rules be evaluated twice a year. If you're a bank with millions of rules, recertifying those is a daunting task."

Brazil said the problem doesn't arise when rules are first created. He said this is often done well because administrators are focused on meeting regulations. The trouble, Brazil said, is in the review process for existing firewall rules.

"Business calls are always someone asking to have the firewall opened up with a new rule," said Brazil, "but no one ever calls to say they don't need a rule anymore."

According to Brazil, this kind of firewall rule sprawl ends up becoming a vicious cycle. He said that in large companies, 35% to 40% of rules are often unnecessary or outdated, and more than two-thirds of policies are unnecessary.

Brazil said that clearing up this bloat is a lot of work, but it will ultimately be a time- and money-saver in reviewing and recertifying rules every six months for PCI compliance. Unfortunately, he also noted that firewall administrators are often disincentivized from removing unnecessary rules and policies.

"If you're a firewall admin, you can have a policy that is open and leads to a breach, and still not get fired," Brazil said. "But, if you're proactive and accidentally delete a rule that takes down a critical system, you will get fired."
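As an added illustration of the rule sprawl described above (example code written for this article, not FireMon's or the report's own tooling): a small review helper over a constructed rule set with per-rule last-hit dates. It flags rules that are shadowed by an earlier rule (they can never match) and rules with no hits inside a six-month window, the candidates a recertification review would examine first; the rule fields and dates are assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample rule set in evaluation order (first match wins), as an admin
# might export it from a firewall together with per-rule last-hit timestamps.
RULES = [
    {"id": "R1", "action": "allow", "src": "10.0.0.0/8", "dst": "10.20.5.10/32", "dport": 443, "last_hit": "2015-01-10"},
    {"id": "R2", "action": "allow", "src": "10.1.0.0/16", "dst": "10.20.5.10/32", "dport": 443, "last_hit": None},
    {"id": "R3", "action": "allow", "src": "192.168.1.0/24", "dst": "10.20.6.0/24", "dport": 22, "last_hit": "2014-03-02"},
    {"id": "R4", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": None, "last_hit": "2015-01-12"},
]

def covers(outer, inner):
    """True if every packet matched by `inner` would already have matched `outer`."""
    src_ok = ipaddress.ip_network(inner["src"]).subnet_of(ipaddress.ip_network(outer["src"]))
    dst_ok = ipaddress.ip_network(inner["dst"]).subnet_of(ipaddress.ip_network(outer["dst"]))
    port_ok = outer["dport"] is None or outer["dport"] == inner["dport"]  # None = any port
    return src_ok and dst_ok and port_ok

def shadowed_rules(rules):
    """Map rule id -> id of the earlier rule that makes it unreachable (it never matches)."""
    shadowed = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                shadowed[rule["id"]] = earlier["id"]
                break
    return shadowed

def stale_rules(rules, today_iso, review_days=180):
    """Ids of rules with no hit inside the review window (six months by default)."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=review_days)
    return [r["id"] for r in rules
            if r["last_hit"] is None or date.fromisoformat(r["last_hit"]) < cutoff]

def review_report(rules, today_iso):
    """Summarize removal candidates for a human reviewer; nothing is deleted here."""
    shadowed = shadowed_rules(rules)
    stale = stale_rules(rules, today_iso)
    return {"shadowed": shadowed, "stale": stale,
            "candidates": sorted(set(shadowed) | set(stale))}

if __name__ == "__main__":
    print(review_report(RULES, "2015-01-15"))
```

In the sample, R2 is unreachable because R1 already allows the same traffic from a wider source range, and R3 has not matched anything in the window; both are review candidates rather than automatic deletions.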
