Don’t go once more unto the breach: fix those policy configuration mistakes

null

As security threats become more and more advanced, managing your network’s defences correctly has never been more critical.  The effectiveness of firewalls and other security devices depends on the security policies which control how they operate.  These policies, which can comprise tens or even hundreds of thousands of firewall rules, dictate what traffic is blocked, what is allowed, and where it’s allowed to go to enable security, ensure compliance and drive business productivity. 

It’s increasingly challenging to maintain these policies, so that the needs of the business are optimally balanced with the need to limit risk and be as secure as possible.  In most organisations, business applications are being introduced or changed rapidly, to support more users or new functionality.  Organisations are also moving to virtualised and cloud infrastructures, which introduce new security controls and connectivity flows that must be managed if business applications are to remain secure and compliant at all times.  As such, it’s no surprise that Gartner estimates 99 per cent of firewall breaches are the result of simple misconfigurations. 

So what are the most common and harmful misconfigurations that can creep into firewall rulesets and security policies? Let’s take a look at some of the most prevalent issues, and what can be done to avoid them.

Catching undefined policy configurations

All too frequently, firewalls are configured with undefined policies to allow traffic from any source to any destination. This happens because, at application deployment time, IT teams are unsure of their precise requirements, so they opt to start with broad rules that can be fine-tuned later as required. That’s fine in theory, but in practice those updates are rarely performed.  After all, the application is working as it should, so the temptation is to leave well enough alone and focus on more urgent issues. However, having undefined firewall policies leaves the network in a perpetually exposed state.

To address this exposure, organisations should use the principle of least privilege as the default for firewall policies, then adjust them as required. Enterprises should ideally map out the flows that their applications actually require before they grant access. Providing the minimum level of privilege that a user or service needs in order to function normally limits the potential damage that can be caused by a breach. Even after implementation, firewall policies should be regularly reviewed and updated according to application usage trends and the connectivity required.

Losing it in translation

Most organisations now have mixed security infrastructures incorporating both traditional and next-generation firewalls from a range of different vendors. Managing such a mix is a challenge because each generation of firewalls and each vendor’s products use different syntax and semantics for creating security policies.

As such, errors often occur when security teams try to migrate their existing firewall policies to new devices with the potential to cause application outages. Any mistake or ‘translation error’ between products when writing those policies, or when making network changes, can cause crucial traffic to be blocked or unwanted traffic to be allowed. Neither state is acceptable. 

To address these errors while effectively optimising and managing security across all devices, organisations should deploy a solution with a single management console and a single set of commands. The console should provide centralised visibility and control of ALL network security devices regardless of vendor. This will enable security teams to translate between the different syntaxes and phrases that each type of security control – whether on premise or in the cloud – uses to build rules and policies, so that the security estate shares one common language with the business.

Addressing poor optimisation

Most firewalls apply rules in the order that they are listed within the firewall configuration software or rule base. The firewall will start at the top of the list and traverse it line by line until it reaches the rule that would require it to block the traffic in question. If no rules apply, the traffic will be allowed to pass through.

However, while this approach is straightforward, it doesn’t optimise the performance of the device or of the applications that rely on the firewall’s rule base to allow their traffic flows. The same rules in a more efficient order can radically improve the performance of the firewall and the applications that rely on it.  For instance, placing rules that are required more often higher in the order than rules that are invoked less often will speed up overall performance.

So it’s critical that organisations ensure that new rules are optimally designed and implemented while consolidating and reordering existing rules for optimal performance. Organisations should also look to directly associate network security with critical business applications and processes to provide risk-based, business-context aware visibility and intelligence. This will enable enterprises to strategically prioritise and focus security management actions on critical processes that drive the business.

Stopping unnecessary services

Another common firewall configuration mistake is leaving obsolete services running on the firewall. Two examples include dynamic routing, which, as best practice, should not be enabled on security devices, and DHCP servers that distribute IPs, generating IP conflicts that lead to availability problems.

To avoid these problems, organisations should harden devices and ensure that configurations are compliant before devices are deployed and on a continuous basis thereafter. Such measures help to ensure that devices are configured to perform the functions they were intended to fulfil, improving security and reducing the chances of accidentally leaving a risky service running on the firewall.

Against a backdrop of a rapidly evolving threat landscape, organisations cannot afford to be their own worst enemies by introducing misconfigurations and policy errors that can lead to security holes. Using a security policy management solution that intelligently automates and orchestrates firewall rule and policy management across all security devices – whether in the cloud, in SDN environments or on-premise – quickly improves the organisation’s overall security posture, and dramatically cuts the risk of a self-induced breach.

Asher Benbenisty, director of product marketing, Algosec
Image Credit: Balefire / Shutterstock