Avoid Common Mistakes when Upgrading Firewalls

Author
John Cavanaugh
Vice President, Chief Technology Officer

Firewalls are a necessary part of any enterprise security plan.  Auditors frequently deliver findings and recommendations with regards to perimeter security, and this often seems to involve expensive investments and upgrades.

While perimeter security is only one facet of an overall enterprise security plan and improving a firm’s overall security posture means taking a holistic approach, most plans start at the boundary between the enterprise and the Internet. As a result, there is an intense focus on firewalls, intrusion prevention systems (IPSs) and intrusion detection systems (IDSs).

Upgrading your firewalls and using next generation firewall (NGFW) technology offers an enterprise many security enhancing features. Gartner® defines NGFWs as “deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”  NGFWs will often also provide significant integration between the IPS, IDS and firewall functions.

However, upgrading your firewalls may not be enough to improve your security.

Upgrades Don’t Always Equal Increased Security

Most applications are poorly documented, and their use of network resources is often misunderstood.  The U.S. National Security Agency (NSA) recommends whitelisting applications, and this means understanding all the network flows involved with the application’s behavior.  In the near past this was accomplished by defining the Layer 3 (IP Address) and Layer 4 (Port) behavior required for an application to function. Unfortunately, many current attack vectors use approved IP address and port numbers (mimicking common approved protocols such as DNS and Web protocols to exfiltrate data).  Closing this security hole means moving from IP address and port number system to a true Layer 7 (Application layer) whitelist.

NetCraftsmen is often brought in to provide remediation services associated with audit findings (from both internal and external audits).  The most common mistake we encounter is that clients upgraded their firewalls but didn’t invest the time required to improve access list rules to this higher standard.

Most applications’ documentation is such that security and IT teams have insufficient information to lock down and whitelist them. In addition, firewall access lists (ACLs) are most often run by the network team and these folks have little to no understanding (or control) over application flows.  (See Pete Welcher’s blogs on Do you know your flows? and Who Owns Security ACLs? for more detail.)

In cases like this, the firewall upgrade process then becomes nothing more than a transfer of the existing IP address/port number rules from the legacy firewalls to the new NGFWs. Relatively few, if any, features of the new firewalls are deployed. The result is that upgrading firewalls often is little more than a checkmark task resulting from an audit.

Do it Right – It’s Not Just a Network Team Assignment

One of our clients wanted to address this issue head on, but all the work was assigned to the network team.  The result was a burden on the team which significantly lengthened the implementation period.  The networking team used a combination of VMware NSX, Illumio and NetFlow data from Cisco Secure Network Analytics (formerly StealthWatch) to monitor applications and document their flows. This was a time-consuming task and involved working with vendors and application support teams to confirm findings.

The results were excellent, but the full process took almost 3 years.

To accelerate the realization of the security promised by newer technologies means taking an ‘All of Enterprise’ approach and having your application and data experts working with the network team and application vendors to establish the required controls and document their application flows.  This information is needed for whitelist behavior and provides a positive security control for any application.

If this step were performed when applications are onboarded, and old rulesets were reviewed and purged as a standard part of technology upgrades, the security systems could provide much better protection and achieve their full potential.

Conclusion

Responding to audit and risk issues by buying new systems without proper analysis may not achieve anything more than checking a box.  Moreover, buying an NGFW or any advanced security system is separate from achieving the capability promised by such technology.

NetCraftsmen is ready to help your teams to understand the investments needed to look at the security issues holistically.