The Firewall Policy Hangover: Alleviating Security Management Migraines provides a brief history of the evolution of firewalls, examines how complexity leads to misconfiguration risk and concludes with a discussion on firewall policy management best practices and real-life lessons learned. Additionally, this presentation shares research from “The State of Network Security 2012” that examines:
• the challenges of managing network security policies
• the impact of changing business requirements
• the benefits and limitations of emerging firewall technology
6. Complexity Increases Misconfiguration Risk
Firewall risk survey
Small is Beautiful
Risk versus complexity
Firewalls are Misconfigured
42%
Source: Firewall Configuration Errors Revisited, Avishai Wool
6
7. Fast & Furious Firewall Changes… Can You Keep Up?
• 20-30% of changes are unneeded
• 5% implemented incorrectly
7
8. An Out-of-Process Change Has Lead to…
More than 50% of respondents said out-of-
band changes cause a system outage
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
0.0%
Data breach System outage Failing an audit None of the above
Source: State of Network Security, AlgoSec, 2012
8 8
9. New Technologies Add to the Complexity
• Virtualization of the Data Center
• Next-Generation Firewalls
9
11. Better Security… At a Price
76% of respondents said NGFWs increase
burden of managing firewall policies
The added policy We have a
granularity requires centralized-
more info to gather management
for audits solution and/or
process
The additional
controls of NGFWs We have to manage
create additional NGFW policies
policies that must separately from
be managed traditional firewall
policies
Source: State of Network Security, AlgoSec, 2012
11 11
12. NGFW Policy Considerations
Whitelisting Blacklisting
More secure Less overhead & disruption
BUT… BUT…
VS.
More work Less Secure
12
13. NGFW Policy Considerations
Whitelisting Blacklisting
More secure Less overhead & disruption
BUT… Or Both!
VS. BUT…
More work Less Secure
13
14. The AlgoSec Security Management Suite (SMS)
Business Impact
• 60% reduction in change management costs
• 80% reduction in firewall auditing costs
• Improved security posture
• Improved troubleshooting and network availability
• Improved organizational alignment and accountability
14
15. Best Practices
to Alleviate the
Firewall Policy
Management Migraine
16. Complex, Highly Segmented Network Environment
• Network has Evolved Over 20 Years
• Third-party domains
• Business-to-business connections
• More than 1,000 policy enforcement points
• Mergers and Acquisitions
• Aggressive consolidation
• Firewall Estate Growing in Size and Complexity
• Demonstrate firewall rules are still valid and authorized
• Ensure new rules are not allowed unless approved and authorized
• Technology landscape has shift
• Web-everything – lack of consistency
16
17. How Has BT Overcome these Challenges?
• Identified and Prioritized Criteria for Off-the-Shelf, Automated
Firewall Policy Management Solution
• Total Cost of Ownership
• Roadmap of features aligned to technology strategy
• Engagement - Willingness to Partner with BT
• Improved Network Security Visibility and Control
• Track down rogue connectivity or connectivity that was not understood
• Gain an immediate view of high-risk situations
• Reduce cycle-time and error rates
• Improve rule base implementation process
• Simplify audits through automatically generated compliance reports
• ‘Checks and Balances’ to demonstrate control
17
18. Lessons Learned and Recommendations
• Gain Control - complexity leads to weakness and cost
• Stale Process drives poor behavior
• Consider the culture of the company
• Easy to grow the rule base – much harder to shrink it
• Human error is a significant risk and cost
• Risk and compliance reporting to focus attention
• Leverage value from the toolset
• Utilize automation and control to improve security, not just cut cost
18
20. Q&A and Additional Resources
• 2012 State of Network Security – Report
http://www.algosec.com/en/resources/network_security_2012
• Firewall Configuration Errors Revisited
(Research by Prof. Avishai Wool)
http://arxiv.org/abs/0911.1240
• Firewall Management ROI Calculator
http://www.algosec.com/resources/roi_calculator/
• Evaluate the AlgoSec Security Management Suite
AlgoSec.com/eval
20