
The breached blue firewall: You don't want it in your data centre

The recent U.S. elections served up plenty of drama and even more suspense as the campaign entered its final stretch. Pollsters and forecasters crunched data continuously to accurately predict the paths to victory or defeat for both parties. 

One of the most publicised concepts was the supposed “blue firewall”, a group of states that had consistently voted for the Democratic party in past elections. If the Democrats could hold onto their lead in these states, they’d all but guarantee victory, or so the polling experts predicted…   

We all know now how that ended. The blue firewall created a false sense of security after all. Media pundits asked the prognosticators to answer the burning question: How did this seemingly secure firewall get breached?   

In many ways, the answer to this question reveals the cause not only of the blue firewall breach, but also of breaches of the firewall in your organisation: merely having one in place is not enough to prevent a breach. Firewall, NGFW and UTM appliances require you to dedicate resources just to maintain the status quo for your environment.

When your security needs surpass your appliance's capacity, your IT team is often faced with the unenviable decision of switching off network security features to make up for it. It is such compromises that can come back and expose your network.

The firewall appliance: Capacity constraints lead to limited security

As a physical appliance residing in your local branch office, a firewall requires ongoing management, time and budget just to stay effective. It is designed to inspect incoming and outgoing traffic and enforce policies for your corporate network, but it ultimately requires you to devote the time and resources needed to support it and secure your organisation.

As your business grows, your IT team must apply upgrades to add functional capabilities and support greater bandwidth and throughput. On the security side, you need to configure policies and authentication rules and keep tabs on vulnerabilities disclosed by your firewall vendor. Knowing a vulnerability exists is only half of the patch management battle. You then need to obtain the patch and deploy it to your firewall appliances in each physical location. This is where resources are often outpaced by the volume of vulnerabilities, leading to delays in distributing patches throughout the network. Those delays leave critical gaps in security that can be exploited and result in the theft of proprietary data.

One recent example of this is the breach of Cisco's firewalls, routers and switches. A hacker group called Shadow Brokers discovered a previously unknown vulnerability that had been a key tool for the NSA's hacking team. Not long after this vulnerability (CVE-2016-6415) was exposed on the web, it was used to breach Cisco's firewalls and compromise client data. While Cisco will soon have a patch available for this specific vulnerability, applying it to firewall appliances across distributed enterprises is a resource-intensive process. Meanwhile, the exploit window remains open.

This is merely one example of many in which the capacity constraints associated with managing firewall and UTM appliances become an anchor that weighs on your resources and forces your IT team to compromise on security. A 2015 report on data breaches by Verizon found that 99.9 per cent of exploited vulnerabilities were compromised more than a year after the CVE was published. Patching is indeed a gaping hole in many IT organisations.
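The exploit window described above (advisory published, patch deployed site by site, some sites lagging) is something a defender can measure rather than guess at. The following is an added example, not code from the article or from Cato Networks: a small patch-lag tracker over a constructed inventory of four appliances against one advisory. The advisory id, sites, hostnames and dates are all made up for the example; the one-year figure echoes the Verizon statistic quoted above but the data here is invented. It reports, per site, the longest window, how many appliances are still unpatched and how many breached a patching SLA, plus the overall share of windows longer than a chosen number of days.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ApplianceRecord:
    """One firewall appliance at one site, measured against one vendor advisory.
    `patched` stays None while the fix has not yet been deployed at that site."""
    site: str
    hostname: str
    advisory_id: str
    published: date          # day the vendor advisory / CVE became public
    patched: Optional[date]  # day the fix was applied at this site, or None


def exposure_days(rec: ApplianceRecord, today: date) -> int:
    """Length of the exploit window in days: from advisory publication until the
    patch landed, or until `today` if the appliance is still unpatched."""
    end = rec.patched if rec.patched is not None else today
    return max(0, (end - rec.published).days)


def open_windows(records: List[ApplianceRecord], today: date) -> List[ApplianceRecord]:
    """Appliances whose window is still open, i.e. the fix has not been deployed."""
    return [r for r in records if r.patched is None]


def lag_report(records: List[ApplianceRecord], today: date,
               sla_days: int = 30) -> Dict[str, Dict[str, int]]:
    """Per-site summary: longest exposure window, appliances still unpatched,
    and appliances whose window exceeded the patching SLA."""
    report: Dict[str, Dict[str, int]] = {}
    for r in records:
        days = exposure_days(r, today)
        entry = report.setdefault(r.site, {"max_days": 0, "unpatched": 0, "over_sla": 0})
        entry["max_days"] = max(entry["max_days"], days)
        if r.patched is None:
            entry["unpatched"] += 1
        if days > sla_days:
            entry["over_sla"] += 1
    return report


def share_over(records: List[ApplianceRecord], today: date, days: int) -> float:
    """Fraction of appliances whose window exceeded `days`; with days=365 this is
    the kind of figure the Verizon statistic reports at the one-year mark."""
    if not records:
        return 0.0
    over = sum(1 for r in records if exposure_days(r, today) > days)
    return over / len(records)


# Constructed sample inventory (not real data): one advisory, four sites.
TODAY = date(2017, 1, 15)
SAMPLE = [
    ApplianceRecord("hq", "fw-hq-1", "ADV-EXAMPLE-1", date(2016, 9, 16), date(2016, 9, 20)),
    ApplianceRecord("branch-a", "fw-a-1", "ADV-EXAMPLE-1", date(2016, 9, 16), date(2016, 11, 2)),
    ApplianceRecord("branch-b", "fw-b-1", "ADV-EXAMPLE-1", date(2016, 9, 16), None),
    ApplianceRecord("branch-c", "fw-c-1", "ADV-EXAMPLE-1", date(2016, 9, 16), date(2016, 9, 30)),
]

if __name__ == "__main__":
    for site, e in sorted(lag_report(SAMPLE, TODAY).items()):
        print(f"{site:10} max window {e['max_days']:4d} d  "
              f"unpatched {e['unpatched']}  over SLA {e['over_sla']}")
    print(f"still open: {[r.hostname for r in open_windows(SAMPLE, TODAY)]}")
    print(f"share over 30 days: {share_over(SAMPLE, TODAY, 30):.2f}")
```

Feeding the tracker from a real asset inventory is a matter of replacing SAMPLE with records built from whatever system holds firmware versions and change tickets; the useful output is the per-site "over SLA" count, since that is where the distributed-appliance model concentrates the risk the article describes.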

The lesson to be learned here is this: a firewall that isn't patched is like having no firewall at all. Let's digress for a minute and revisit the blue firewall. Data began mounting to show that the Democrats needed to spend more campaign resources to solidify their lead in these "firewall states". The Republicans targeted the blue firewall by devoting ad money and holding rallies in states like Michigan and Wisconsin to galvanise supporters and increase voter turnout. With their resources focused elsewhere, the Democrats left the firewall states largely undefended for months, failing to nurture their lead and thereby leaving exploit windows open. In the final days, statisticians revealed that the firewall may have been breached and that the race had tightened.

But by then it was too late to patch up the vulnerabilities, and the blue firewall was breached. 

The way forward: Take patch management off IT’s plate

The question that remains, of course, is "How can the IT organisation improve its security posture to better mitigate firewall vulnerabilities?" The first step is to become less reliant on multiple point solutions and distributed appliances, which by design fragment patch management processes and tax both people and financial resources.

Centralising the delivery of network security capabilities is simplified tremendously by moving these functions to a managed SaaS model. Firewall-as-a-Service (FWaaS) effectively eliminates the need for the customer to apply patches at all; the provider's security research team ensures the cloud-based NGFW is continuously up to date. This not only takes the burden away from IT, but a scalable cloud platform also removes the limits that capacity constraints impose on enabling security capabilities, making the entire network less vulnerable.

Furthermore, physical appliances and publicly available firmware can be obtained and reverse-engineered by hackers. Under a FWaaS model these resources are simply not accessible, which greatly mitigates that risk. External, unauthorised attempts to access the cloud infrastructure also raise a red flag that can be detected and addressed by the provider's security team.

In short, the IT organisation no longer needs to be shackled by the lifecycle management constraints of physical appliances and the domino effect they have on budget and IT resources. One centralised network security model ensures defences are up to date and optimal. And, going forward, a cloud-based network security service is not subject to the physical limits of appliances or to the human capital needed to keep them up and running.

In a recent global research initiative, more than 700 networking, security and IT executives were asked to identify their top network and security challenges. Not surprisingly, more than 50 per cent of CIO-level respondents said they plan to eliminate hardware appliances from their infrastructure in 2017; it was surprising, however, that 41 per cent of respondents overall identified FWaaS as the most promising infrastructure protection technology. Just as Gartner predicts SD-WAN is primed to replace edge routers, so too is security as a service coming to be understood in new ways to protect the network's edge.

Image Credit: Den Rise/Shutterstock
Gur Shatz, co-founder and CTO, Cato Networks

Gur Shatz
Gur Shatz is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a Cloud-based web applications security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and Vice President of Products at Imperva, a web application security and data security company.