Asher Benbenisty at AlgoSec examines four common security policy errors, and shows how organizations can avoid them
As security threats become more and more advanced, managing your network’s defences correctly has never been more critical. The effectiveness of firewalls and other security devices depends on the security policies which control how they operate. These policies, which can comprise tens or even hundreds of thousands of firewall rules, dictate what traffic is blocked, what is allowed, and where it’s allowed to go to enable security, ensure compliance and drive business productivity.
It’s increasingly challenging to maintain these policies, so that the needs of the business are optimally balanced with the need to limit risk and be as secure as possible. In most organisations, business applications are being introduced or changed rapidly, to support more users or new functionality. Organizations are also moving to virtualised and cloud infrastructures, which introduce new security controls and connectivity flows that must be managed if business applications are to remain secure and compliant at all times. As such, it’s no surprise that Gartner estimates 99% of firewall breaches are the result of simple misconfigurations.
So what are the most common and harmful misconfigurations that can creep into firewall rulesets and security policies? Let’s take a look at some of the most prevalent, and what can be done to avoid them.
Catching undefined policy configurations
To address this exposure, organizations should use the principle of least privilege as the default for firewall policies, then adjust them as required. Enterprises should ideally map out the flows that their applications actually requirebeforethey grant access. Providing the minimum level of privilege that a user or service needs in order to function normally limits the potential damage that can be caused by a breach. Even after implementation, firewall policies should be regularly reviewed and updated according to application usage trends and the connectivity required.
Losing it in translation
Most organizations now have mixed security infrastructures incorporating both traditional and next-generation firewalls from a range of different vendors. Managing such a mix is a challenge because each generation of firewalls and each vendor’s products use different syntax and semantics for creating security policies.
As such, errors often occur when security teams try to migrate their existing firewall policies to new devices with the potential to cause application outages. Any mistake or ‘translation error’ between products when writing those policies, or when making network changes, can cause crucial traffic to be blocked or unwanted traffic to be allowed. Neither state is acceptable.
To address these errors while effectively optimizing and managing security across all devices, organizations should deploy a solution with a single management console and a single set of commands. The console should provide centralized visibility and control of ALL network security devices regardless of vendor. This will enable security teams to translate between the different syntaxes and phrases that each type of security control – whether on premise or in the cloud – uses to build rules and policies, so that the security estate shares one common language with the business.
Addressing poor optimization
Most firewalls apply rules in the order that they are listed within the firewall configuration software or rule base. The firewall will start at the top of the list and traverse it line by line until it reaches the rule that would require it to block the traffic in question. If no rules apply, the traffic will be allowed to pass through.
However, while this approach is straightforward, it doesn’t optimize the performance of the device or of the applications that rely on the firewall’s rule base to allow their traffic flows. The same rules in a more efficient order can radically improve the performance of the firewall and the applications that rely on it. For instance, placing rules that are required more often higher in the order than rules that are invoked less often will speed up overall performance.
So it’s critical that organizations ensure that new rules are optimally designed and implemented while consolidating and reordering existing rules for optimal performance. Organizations should also look to directly associate network security with critical business applications and processes to provide risk-based, business-context aware visibility and intelligence. This will enable enterprises to strategically prioritize and focus security management actions on critical processes that drive the business.
Stopping unnecessary services
Another common firewall configuration mistake is leaving obsolete services running on the firewall. Two examples include dynamic routing, which, as best practice, should not be enabled on security devices, and DHCP servers that distribute IPs, generating IP conflicts that lead to availability problems.
To avoid these problems, organizations should harden devices and ensure that configurations are compliant before devices are deployed and on a continuous basis thereafter. Such measures help to ensure that devices are configured to perform the functions they were intended to fulfil, improving security and reducing the chances of accidentally leaving a risky service running on the firewall.
Against a backdrop of a rapidly evolving threat landscape, organizations cannot afford to be their own worst enemies by introducing misconfigurations and policy errors that can lead to security holes. Using a security policy management solution that intelligently automates firewall rule and policy management, quickly improves the overall security posture – and dramatically cuts the risk of a breach.