I had a discussion recently with a customer regarding firewall “ownership”. Not which group owns the firewall (typically network, firewall or security) but actually taking ownership of the access rules within the firewall. Sounds pretty boring, huh? Perhaps, but it is one of the most critical components your company can have in a layered security model.
This very talented and dedicated security engineer had just completed a project that, frankly, most companies don’t even attempt or even seriously contemplate: a complete scrub of an in-place firewall and a refresh of all rule sets, along with the business justification behind each one. Typically, our customers prefer that we simply provide the initial cutover and ruleset migration. When asked whether they would like a complete review of rulesets and configuration with business justification (example: Does customer B really require full IP access from the DMZ to the INSIDE network?), 90% of our customers defer any type of “scrubbing” of firewall rules and prefer to migrate existing firewalls and rulesets as is.
In my customer discussion, I mentioned the statistic above (about 90% of companies fail to scrub their firewall…), and this engineer, who is one of the best I have ever worked with, simply couldn’t believe it. Sometimes, I can’t either. It’s difficult for me to comprehend why companies don’t take the time during firewall refresh cycles to analyze and justify each rule allowing access through the firewall. Or, better yet, schedule regular scrubs. I understand, it takes a lot of time. A lot of time. But the reality is that the firewall is your first perimeter defensive layer. Without adequate review, it can fill up with access holes that would not survive regular scrutiny and that still allow access to vendors who no longer need it. Even worse, complexity, poor documentation or simple misconfiguration can keep your firewall admins from realizing and completely understanding what is coming through your perimeter.
The firewalls that don’t get regular reviews are out of touch with current business and security policies. (Yep, business policies. That’s really what your firewall is about… enforcing your business policies.) Whatever the stated reason, most companies skip the firewall refresh for one of a few simple reasons: it’s too expensive (to have a consultant do it), it’s a low priority (lack of security focus), or their own network or security engineers simply don’t have “ownership” of the firewall. Which leads me to my second point of this post…
Taking Ownership of Your Firewall
No matter which group technically owns the firewall, there seems to be a constant debate over ownership of the rulesets. When a firewall admin performs a firewall refresh, it’s critical that the engineer have the support of the business, the overall security organization, and upper management to justify each access through NAT, ACL or VPN (site to site or remote access). The particular firewall refresh for the customer I mentioned above took approximately two months to convert existing access rules, delete unused access through the firewall, and document existing rules. What it ultimately did was to force the business to assume ownership of the firewall. Kind of a different concept, but it pushed each ruleset down to the business owner (data owner, if you will).
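As an added example (not from the post or from EDCi), here is a small Python audit over a constructed ruleset that flags what a scrub like the one described above would surface: rules with no business owner, rules with no business justification, rules that have not matched traffic recently or ever, and “any”-service access straight into the inside network. The field names, thresholds and sample rules are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    owner: Optional[str]           # business/data owner accountable for the rule
    justification: Optional[str]   # why this access exists, in business terms
    last_hit_days: Optional[int]   # days since the rule last matched traffic; None = never

# Constructed sample ruleset (not from any real firewall), shaped like the
# DMZ-to-INSIDE question in the post.
SAMPLE_RULES = [
    Rule("web-to-db", "dmz-web", "inside-db", "tcp/5432", "app-team", "Web tier reads orders DB", 2),
    Rule("custB-full", "customer-b", "inside", "any", None, None, 400),
    Rule("vendor-rdp", "vendor-x", "inside-jump", "tcp/3389", "ops", "Vendor support contract", None),
    Rule("monitor", "dmz-any", "inside-mon", "udp/162", "noc", "SNMP traps", 1),
]

def audit_rules(rules, stale_days=90):
    """Return (rule name, finding) pairs for rules that would not survive a scrub."""
    findings = []
    for r in rules:
        if not r.owner:
            findings.append((r.name, "no business owner"))
        if not r.justification:
            findings.append((r.name, "no business justification"))
        if r.last_hit_days is None:
            findings.append((r.name, "never matched traffic"))
        elif r.last_hit_days > stale_days:
            findings.append((r.name, f"unused for {r.last_hit_days} days"))
        if r.service == "any" and r.dst == "inside":
            findings.append((r.name, "full access into the inside network"))
    return findings

def review_report(rules, stale_days=90):
    """Group findings per rule so each owner gets one list to justify or retire."""
    report = {}
    for name, issue in audit_rules(rules, stale_days):
        report.setdefault(name, []).append(issue)
    return report

if __name__ == "__main__":
    for name, issues in review_report(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(issues)}")
```

Rules absent from the report have an owner, a justification and recent hits; everything else goes back to its business owner to be justified or deleted.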
Additionally, perhaps the best side effect of reviewing the firewall was creating that same ownership of the firewall with the engineer. By the end of the analysis, review and configuration, the engineer knew that firewall and its rulesets intimately – and so did the business. Sure, they won’t understand the ACL, NAT statements or any technical component, but each and every access through the firewall is now known, documented and “alive” to the business. It has allowed them, both the engineer and the business, to better protect their network as well as assume ownership of their firewall. It’s great talking with this engineer and seeing the sheer confidence that comes from knowing exactly what is going on with his firewall and the access allowed through it. Do you know what’s coming through your firewall?
Learn more about EDCi’s Security offerings and how we can help you with your firewall!