Welcome!

Microservices Expo Authors: PagerDuty Blog, Elizabeth White, JP Morgenthal, Gopala Krishna Behara, Sridhar Chalasani

Related Topics: Cloud Security, Microservices Expo, Containers Expo Blog, @CloudExpo

Cloud Security: Article

Top Ten Firewall Management Metrics that Matter…and Why

Proper attention to these metrics will keep your firewalls optimized

If you look at some of the headline-making breaches of the past few years, they all occurred at large companies with highly dynamic and complex computing environments. Securing these environments is impossible to do without automation, which is why so much of the innovation in IT security in recent years has been focused on automating security management.

Network security is one area where systems have become too complex to manage manually. Let's take firewalls as a case in point. A single firewall can have hundreds or thousands of rules, each made up of three components: source, destination and service. Next-generation firewalls add at least two additional fields - users and applications.

Larger companies have hundreds of firewalls, usually from multiple vendors, in multiple geographies, managed by different people. That's just for starters - any number of factors can exponentially increase the degree of firewall complexity. While rare, in extreme situations a particularly bloated or neglected rule base - or even a simple typo while configuring a rule - if left untended, can result in a situation where a firewall can introduce more risk than it prevents.

The only way to get your brain around the state of your firewalls is to audit them. While manual audits can be painful (not to mention error prone), it may be the best way to fast-track proper firewall management. Regardless of whether an audit is manual or automated, here are some important metrics to look for:

  1. Number of shadowed or redundant rules: Shadowed rules refer to rules that are masked, completely or partially, by other rules that are either placed higher up in the rule base. Shadowed rules are very common because administrators add new firewall rules all the time but for a variety of reasons - fear of causing an outage, or not knowing why a rule was added in the first place - rarely delete them. A rule base filled with shadowed rules is not only inefficient, it puts a much greater strain on the firewall then is necessary, which can lead to performance issues.
  2. Number of unused rules: Unused rules will appear rarely, if at all, in firewall logs because they aren't being used for legitimate traffic. Unused rules can lead to serious exposures, such as allowing access to a server that is no longer being used and, as a result, exposing a service likely not properly patched. Looking for unused rules manually can be an extremely slow and tedious process, which is why admins hate to do it. However, automated solutions can make auditing for unused rules both manageable and simple.
  3. Number of unused objects: An object is a component of a rule, and a single field of a rule (i.e., source, destination or service) can have multiple objects - such as a business unit having access to multiple destinations and/or services. Not only do unused objects appear much more frequently than unused rules, they are that much harder to find manually. Cleaning up unused objects can significantly tighten up a rule base and often lead to improved performance.
  4. Number of rules with permissive services: The most common examples of this are rules with "ANY " in the service field, but in general, permissive services give more access then is needed to the destination by allowing additional services (which are often applications), which can lead to unauthorized use, allow the service to be a springboard to other parts of the network, or leave it exposed to malicious activity.
  5. Number of rules with risky services (such as telnet, ftp, snmp, pop, etc.) in general or between zones (i.e., between Internal, DMZ, External, or between development and production networks): Risky services are deemed risky because they usually allow credentials to be passed in plain text, often contain sensitive info or enable access to sensitive systems. Any service that exposes sensitive data or allows for shell access should be tightly monitored and controlled.
  6. Number of expired rules: Any rule that was created on a temporary basis and has clearly expired is just taking up space and does not need to remain in the rule base. If there is no documentation as to when or why the rule expired, check the firewall logs for its "hit count" (or usage, in firewall management-speak).
  7. Number of unauthorized changes: These are rules that are not associated with a specific change ticket. In order to ensure all requests are properly handled, all requests, from initial request to final implementation, and should be managed via a ticketing system. If a change causes a problem and no one has any clue why the change was made, who made it, whether it was assessed for compliance and/or security risk, who approved, etc., it results in a huge waste of resources, and is a clear indicator that firewall management processes are inefficient.
  8. Percentage of changes made outside of authorized change windows: Outages in IT are usually caused by the work IT does. In order to minimize business disruption, change windows are usually set during times when the least amount of people are on the network - for example, firewall admins like to implement rule changes late at night, usually on the weekends. That way, if there is an outage it is much easier to track which change caused it and how. If the majority of changes are made outside of normal change windows, it is usually because admins are spending too much time putting out fires, which indicates the firewall management processes are in need of an overhaul.
  9. Number of rules with no documentation: While the comments section of a firewall rule has text limits that inhibit proper documentation, all change tickets have a comments section, which can be used to provide a business justification for the rule. Some people use spreadsheets to capture this information although using a spreadsheet as a central repository for change information leads to the same issues as with other manual processes. Without proper documentation there is no way to know why a rule was implemented and if it is still necessary.
  10. Number of rules with no logging: Proper firewall management is impossible without leveraging the data found in firewall logs. Similar to other areas of IT, there was a resistance to turning on logging because it would cause performance issues. However, firewall (and firewall management) technology has evolved to the point where logging no longer impacts performance. If there are performance issues with your firewalls, than something else in your environment is not optimal. Determining rule and object usage (numbers two and three in this list) are impossible to do without logging, as is proper forensics and troubleshooting. The advent of automated tools for firewall management makes scanning logs for relevant data a highly manageable endeavor.

Plenty of lip service has been given to the credo that good IT is a function of people, process and technology. Given the fast pace of modern business, breakdowns are bound to happen, and unless a company decides to not use the Internet, they will always be facing a certain level of exposure. While there will never be silver bullet for security, the good news is that proper attention to the metrics above will keep your firewalls optimized so that they remain one of your strongest and most reliable security assets and not a potential liability.

More Stories By Michael Hamelin

Michael Hamelin is Chief Security Architect at Tufin Technologies where he identifies and champions the security standards and processes for Tufin. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world widely regarded as a leading technical thinker in information security.

Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint, a LexisNexis Company. Hamelin received BS degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
Microservices (μServices) are a fascinating evolution of the Distributed Object Computing (DOC) paradigm. Initial design of DOC attempted to solve the problem of simplifying developing complex distributed applications by applying object-oriented design principles to disparate components operating across networked infrastructure. In this model, DOC “hid” the complexity of making this work from the developer regardless of the deployment architecture through the use of complex frameworks, such as C...
What if you could build a web application that could support true web-scale traffic without having to ever provision or manage a single server? Sounds magical, and it is! In his session at 20th Cloud Expo, Chris Munns, Senior Developer Advocate for Serverless Applications at Amazon Web Services, will show how to build a serverless website that scales automatically using services like AWS Lambda, Amazon API Gateway, and Amazon S3. We will review several frameworks that can help you build serverle...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
As Enterprise business moves from Monoliths to Microservices, adoption and successful implementations of Microservices become more evident. The goal of Microservices is to improve software delivery speed and increase system safety as scale increases. Documenting hurdles and problems for the use of Microservices will help consultants, architects and specialists to avoid repeating the same mistakes and learn how and when to use (or not use) Microservices at the enterprise level. The circumstance w...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
The IT industry is undergoing a significant evolution to keep up with cloud application demand. We see this happening as a mindset shift, from traditional IT teams to more well-rounded, cloud-focused job roles. The IT industry has become so cloud-minded that Gartner predicts that by 2020, this cloud shift will impact more than $1 trillion of global IT spending. This shift, however, has left some IT professionals feeling a little anxious about what lies ahead. The good news is that cloud computin...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
Everyone wants to use containers, but monitoring containers is hard. New ephemeral architecture introduces new challenges in how monitoring tools need to monitor and visualize containers, so your team can make sense of everything. In his session at @DevOpsSummit, David Gildeh, co-founder and CEO of Outlyer, will go through the challenges and show there is light at the end of the tunnel if you use the right tools and understand what you need to be monitoring to successfully use containers in your...
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service.
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
As software becomes more and more complex, we, as software developers, have been splitting up our code into smaller and smaller components. This is also true for the environment in which we run our code: going from bare metal, to VMs to the modern-day Cloud Native world of containers, schedulers and micro services. While we have figured out how to run containerized applications in the cloud using schedulers, we've yet to come up with a good solution to bridge the gap between getting your contain...
TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets. By creating abundant, high-quality editorial content across more than 140 highly targeted technology-specific websites, TechTarget attracts and nurtures communities of technology buyers researching their companies' information technology needs. By understanding these buyers' content consumption behaviors, TechTarget creates the purchase inte...
In recent years, containers have taken the world by storm. Companies of all sizes and industries have realized the massive benefits of containers, such as unprecedented mobility, higher hardware utilization, and increased flexibility and agility; however, many containers today are non-persistent. Containers without persistence miss out on many benefits, and in many cases simply pass the responsibility of persistence onto other infrastructure, adding additional complexity.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
Building custom add-ons does not need to be limited to the ideas you see on a marketplace. In his session at 20th Cloud Expo, Sukhbir Dhillon, CEO and founder of Addteq, will go over some adventures they faced in developing integrations using Atlassian SDK and other technologies/platforms and how it has enabled development teams to experiment with newer paradigms like Serverless and newer features of Atlassian SDKs. In this presentation, you will be taken on a journey of Add-On and Integration ...
True Story. Over the past few years, Fannie Mae transformed the way in which they delivered software. Deploys increased from 1,200/month to 15,000/month. At the same time, productivity increased by 28% while reducing costs by 30%. But, how did they do it? During the All Day DevOps conference, over 13,500 practitioners from around the world to learn from their peers in the industry. Barry Snyder, Senior Manager of DevOps at Fannie Mae, was one of 57 practitioners who shared his real world journe...