Firewalls are considered a mature technology by most organizations and typically are given minimal thought by security...
professionals. When it comes to an audit or assessments, a simple check of a box indicating there is a firewall protecting the network is typically all that is done.
However, there is a trend I have been noticing lately: Firewalls are not providing all the protection they can because they are not being updated or properly maintained. I am not saying that firewalls alone will stop all attacks -- they won't. However, I do believe they can be a lot more effective than they are currently.
When considering maintenance and testing and examining firewall failure, organizations should ask the following questions:
- When was the last time the firewall ruleset was fully verified?
- When was the firewall ruleset updated?
- When was the last time the firewall was fully tested?
- When was the last time the firewall ruleset was optimized?
For most organizations, it is highly likely the firewall was deployed several years ago, with minimal enhancements made to it over the years. That was the case for many of my clients, and what lead the almighty firewall to be the topic for this article.
Firewall design and configuration
Two important things to remember with a firewall are it must be designed and configured correctly. When it comes to design, the golden rule is, "all connections must go through the firewall." The question is, what percent of the traffic goes through the firewall?
Some might say 100% of network traffic must pass through the firewall, but consider that encrypted links, wireless network traffic, modems and extranet connections are all items that typically bypass the firewall. Many organizations say 100%, but in reality it is most likely a lot lower. Since networks have become more porous, many firewalls today are seeing less than 60% of traffic, which greatly reduces the effectiveness. Remember that a firewall cannot protect what it cannot see.
From a configuration perspective, a firewall is only as a good as the ruleset. In many cases the ruleset was created by putting a technical person in front of the console to configure it. Rarely is there a firewall policy or requirements document that drives the creation of the ruleset. And if there is no documentation, there is no way to verify that it is correct.
The other fundamental problem is that proper firewall testing is rarely, if ever, performed. After a ruleset is created or updated, an organization will test and make sure everything is working properly through the firewall. While it is important to test the positive, the problem is everything could be working and things that should be blocked are allowed through. Therefore, utilizing the requirements document, an organization must also test the negative. This will ensure everything that should be blocked is properly blocked.
Measuring firewall effectiveness to prevent failure
The final test is to measure the overall effectiveness of the firewall. The only way to know the effectiveness of a firewall is to look at the number of dropped packets. Ultimately, the point and reason for having a firewall is for it to block and stop traffic that should not be allowed. Based on that assessment, organizations need to answer a simple two-part question: "How many dropped packets does the firewall have every day, and if there is an anomaly, would the firewall be able to detect it?"
My organization had one client that was so proud of its firewall because it had 237 unique rules in its firewall. The problem was when we examined the number of dropped packets, it was 0. This meant that the 237 rules where equivalent to "ANY ANY ANY ANY -- ALLOW." The client's firewall was little more than an expensive pass-through device. By checking the number of dropped packets, an organization will better understand whether the device is allowing too much through, ultimately hindering the effectiveness of the firewall.
Ultimately, the success of the firewall is based on how many packets it drops. A key to measuring firewall effectiveness is tracking the number of dropped packets to make sure it is aligned with the type of business the organization is in, while also looking for changes. Every organization is different, but on average, there should be several thousand dropped packets or more each day. Some organizations might have several thousand every hour, but if an organization only has a hundred dropped packets a day, then it is either plugged into a safe part on the Internet (not likely), or the firewall ruleset is not configured correctly. It is also critical to check the number of dropped packets after a change is made to the ruleset to make sure the organization understands the impact that rule had on its security.
In summary, firewalls are present in most organizations, but they have probably deteriorated over time and are not as effective as they should be. Verifying the percent of traffic that goes through the firewall and examining the number of dropped packets can help increase the over value of the firewall.
Find out about the basics of next-generation firewalls in the enterprise
Learn about the differences between unified threat management (UTM) products and next-generation firewalls (NGFW)