As firewall admins and installers (for history buffs, I was a firewall admin and also a TIS Gauntlet firewall installer back in the 90s), we know how much time it can take to write a truly effective list of firewall rules - and to confirm that no previous rule overshadows, contradicts, or renders ineffective a rule further down the list. But if you're trying to explain to a manager or executive why the process is so tricky - and if done improperly can lead to large, unexpected exposures - you might be met with blank stares. Even if a manager does have an understanding of the issue, many assume that the problem has been solved by the firewall manufacturers. Surely this can't still be an issue in 2011? Well, it is.
Why? Oftentimes, it is because it is surprisingly difficult to translate the implications to the folks earmarking funds to solve the problem. While non-security professionals can connect to the idea of layered security, it's easy for them to miss the big picture when it comes to the complexities of firewall rules. Personal, physical layered security might look like this: a person with valuables lives in a gated community, has an alarm system on their house, and keeps very high value items in a locked safe. Security controls may go like this: everyone who lives in the gated community and their trusted family group members have access to through the gate. For each house, only members of that household have access to the alarm code. And the wall safe's unlock code is known only by the owner of the house and one other person. This set-up sounds very secure and orderly doesn't it?
Now consider a scenario where a person who gets through the gates creates an override situation on all the other security layers. Anyone that passes the gate as an authorized user can get into any house in the community, because the alarms are no longer active, and these same people can access the valuables in all the wall safes because the locks are automatically unlocked for authorized entrants that passed the gate. Sound a little crazy? Welcome to the world of firewall shadow rules.
In order to manage firewall rules in a risk reductive manner, admins need to invest time or money in manually auditing and reviewing configurations in a 3rd party audit and analysis tool. Manual time can seem "free" to an organization because full time employees can absorb some of that cost by working extra hours yet still receiving their regular salaries. Of course the real cost isn't "free" at all - at some point, an employee will have maxed out their available work hours and a new headcount will be required to cover the extra work. Weighing the cost of additional headcount against the cost of an automated tool can be a compelling argument for a purchase, but first that argument needs to be presented to executives in a manner that makes sense to them.
Chances are most executives don't want to have to learn about the intricacies of firewall management, they just want to know what the data and business risks can cost the business. Our story about the gated community and the house safes is a good possible first pass at an explanation for executives, but to make it real those concepts need to be extended to more realistic business scenarios. You've probably got some great stories of your own, but to get us started here's an example. The expensive perimeter firewalls have been configured with a highly granular series of rule sets to block access to an internal HR application that houses salary and health information of employees so that only authorized remote employees and critical services can access it. Problem is, there's a rule higher up in the firewall rule set and overrides all of the subsequent complex rules and allows any system access to that HR app.
Manual review didn't catch it and all the time spent creating the complex rules was wasted, as well as potentially incurring further expense down the road (a failed PCI audit, for example).
Will that resonate with your executives? Having executives on board with the importance of proper firewall configuration is a huge step.
Now let's return to the headcount issue and quantify the amount of time it takes to actually get the rules right.
- How many firewalls are there in your organization?
- How much time has been spent in the past to ensure the rules are written well and working as expected?
- How many hours are spent reviewing configurations and analyzing risk each time a business unit owner asks for a change to the rules so that a new application or service can be put into production?
- And how many times are changes requested per month or per year?
Calculate out the number of hours and the cost of those hours to get a firm number.
Now calculate how much of this time could be saved if an automated tool were in use. Subtract the cost of hours saved from the cost of the tool and create a savings sheet for a 1-5 year time frame. Another way to demonstrate ongoing value of investing in automation could be to measure the accuracy of rule changes using an automated tool v. a manual review, or as a troubleshooting tool for firewall related incident or outages. If the tool will save significant money for the company, and reduce risks from misconfiguration in the process, it shouldn't be too hard to convince executives that it's a worthwhile investment.
In the second part of this two-part post we'll take a look at the change management and risk analysis costs associated with firewall configuration and management.
Diana Kelley is 20 year veteran in the field of networking and information security. She is a founding partner at SecurityCurve, previously she was VP and Service Director for SRMS at Burton Group, a Manager in KPMG Financial Services consulting and a TIS certified Gauntlet firewall installer. She speaks often on the subject of data and network security and is a frequent contributor to SearchSecurity.techtarget.com.