Manually Auditing Firewalls: The Hidden Cost!


The manual administration of firewalls is hurting the purse strings! That’s according to the preliminary results of an annual survey called the “firewall operations and compliance survey”, which shows that IT is getting seriously stung in terms of cost and time when it comes to manually auditing and managing rule changes on firewalls – all completely unnecessarily.

The survey found that every second firewall admin is locating firewall rules that overlap or are redundant by manually inspecting the policy. Not only is this very time consuming, but the human mind just can’t calculate all the permutations that a machine can calculate in milliseconds.

This approach to policy remediation may have worked when DEC developed the first packet filters in 1988 and AT&T went on to develop stateful filtering technologies some two years later, but not anymore.

Those developments were, of course, more than 20 years ago, and firewall scripting – let alone policy technology – was very much in its infancy. Even back in the early 1990s, however, some degree of automation was possible. And now here we are in 2011 and 50 per cent of admins are inspecting their firewall policies using a manual approach – this is an extraordinary waste of programming talent.

Even though any networking novice will tell you that automated firewall policy analysis is now possible, the use of a manual approach is not only cumbersome and time-consuming, it also begs the question as to how accurate a manual analysis can be. People get tired and make mistakes – computers and programs do not.
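To make the redundant and overlapping rule problem from the survey concrete, here is an added example (not Tufin's code or any product's algorithm) of the pairwise check a machine can run in milliseconds over a first-match policy: a later rule whose traffic is fully covered by an earlier rule with the same action is redundant, and one covered by an earlier rule with the opposite action is shadowed and will never be hit. The rule format and the sample policy are constructed for illustration and assume IPv4 CIDRs with destination port ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # inclusive destination port range (low, high)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and port_ok


def audit(policy):
    """Return (later_rule, earlier_rule, finding) triples for a first-match policy.

    Only single-rule coverage is checked; a rule hidden by the union of several
    earlier rules is not reported, which is one reason eyeballing a policy fails.
    """
    findings = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed sample policy, evaluated top to bottom, first match wins.
POLICY = [
    Rule("r1", "allow", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    Rule("r2", "deny", "any", "0.0.0.0/0", "192.168.1.0/24", (1, 65535)),
    Rule("r3", "allow", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),  # inside r1
    Rule("r4", "allow", "tcp", "172.16.0.0/12", "192.168.1.20/32", (22, 22)),  # blocked by r2
    Rule("r5", "allow", "udp", "10.0.0.0/8", "192.168.2.0/24", (53, 53)),      # clean
]

if __name__ == "__main__":
    for later, earlier, kind in audit(POLICY):
        print(f"{later} is {kind} by {earlier}")
```

Running it reports r3 as redundant with r1 and r4 as shadowed by r2; a real audit would also merge coverage across multiple earlier rules and handle IPv6 and service objects.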

The findings of this research suggest that just seven per cent of organisations are taking a completely automated approach to their firewall audits, with 70 per cent either undertaking the process manually or – perhaps worse – not doing anything at all in this regard.

And yet it doesn’t have to be this way, as even a semi-automated approach to firewall policy analysis and auditing can pay dividends, as it allows IT security professionals to deal with more important tasks – and so minimise the time needed to conduct routine audits and allied firewall security processes.

In a previous survey of IT professionals in the summer of last year, Tufin found that almost 10 per cent admitted to cheating to pass a firewall audit. This was largely down to a lack of time or resources rather than any misguided intentions.

The irony of this survey is that the 2010 survey was actually an improvement on the previous year’s results, which found twice as many respondents had cheated.

Of the 10 per cent in the 2010 survey who admitted to cheating on an audit, half of them cited time constraints and 22 per cent cited resource constraints. 11 per cent said that they didn’t see the point of doing the audit, and the same proportion again had other reasons which they did not elaborate on.

The preliminary results from this year’s survey are arguably more interesting, as no-one can say that they have to complete a firewall policy analysis and audit manually because of a lack of resources. There are plenty of solutions that can help automate the process, so there really is no excuse for this curious Luddite approach to enhancing the effectiveness of a network firewall.

As Chief Security Architect, Michael Hamelin identifies and champions the security standards and processes for Tufin Software Technologies. Bringing more than 15 years of security domain expertise to Tufin, Michael has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomaly detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security. Michael previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint. Michael received Bachelor of Science degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.