Click here to close now.



Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Liz McMillan, Anders Wallgren, AppDynamics Blog

Related Topics: Cloud Security, Microservices Expo, Containers Expo Blog, @CloudExpo

Cloud Security: Article

Top Ten Firewall Management Metrics that Matter…and Why

Proper attention to these metrics will keep your firewalls optimized

If you look at some of the headline-making breaches of the past few years, they all occurred at large companies with highly dynamic and complex computing environments. Securing these environments is impossible to do without automation, which is why so much of the innovation in IT security in recent years has been focused on automating security management.

Network security is one area where systems have become too complex to manage manually. Let's take firewalls as a case in point. A single firewall can have hundreds or thousands of rules, each made up of three components: source, destination and service. Next-generation firewalls add at least two additional fields - users and applications.

Larger companies have hundreds of firewalls, usually from multiple vendors, in multiple geographies, managed by different people. That's just for starters - any number of factors can exponentially increase the degree of firewall complexity. While rare, in extreme situations a particularly bloated or neglected rule base - or even a simple typo while configuring a rule - if left untended, can result in a situation where a firewall can introduce more risk than it prevents.

The only way to get your brain around the state of your firewalls is to audit them. While manual audits can be painful (not to mention error prone), it may be the best way to fast-track proper firewall management. Regardless of whether an audit is manual or automated, here are some important metrics to look for:

  1. Number of shadowed or redundant rules: Shadowed rules refer to rules that are masked, completely or partially, by other rules that are either placed higher up in the rule base. Shadowed rules are very common because administrators add new firewall rules all the time but for a variety of reasons - fear of causing an outage, or not knowing why a rule was added in the first place - rarely delete them. A rule base filled with shadowed rules is not only inefficient, it puts a much greater strain on the firewall then is necessary, which can lead to performance issues.
  2. Number of unused rules: Unused rules will appear rarely, if at all, in firewall logs because they aren't being used for legitimate traffic. Unused rules can lead to serious exposures, such as allowing access to a server that is no longer being used and, as a result, exposing a service likely not properly patched. Looking for unused rules manually can be an extremely slow and tedious process, which is why admins hate to do it. However, automated solutions can make auditing for unused rules both manageable and simple.
  3. Number of unused objects: An object is a component of a rule, and a single field of a rule (i.e., source, destination or service) can have multiple objects - such as a business unit having access to multiple destinations and/or services. Not only do unused objects appear much more frequently than unused rules, they are that much harder to find manually. Cleaning up unused objects can significantly tighten up a rule base and often lead to improved performance.
  4. Number of rules with permissive services: The most common examples of this are rules with "ANY " in the service field, but in general, permissive services give more access then is needed to the destination by allowing additional services (which are often applications), which can lead to unauthorized use, allow the service to be a springboard to other parts of the network, or leave it exposed to malicious activity.
  5. Number of rules with risky services (such as telnet, ftp, snmp, pop, etc.) in general or between zones (i.e., between Internal, DMZ, External, or between development and production networks): Risky services are deemed risky because they usually allow credentials to be passed in plain text, often contain sensitive info or enable access to sensitive systems. Any service that exposes sensitive data or allows for shell access should be tightly monitored and controlled.
  6. Number of expired rules: Any rule that was created on a temporary basis and has clearly expired is just taking up space and does not need to remain in the rule base. If there is no documentation as to when or why the rule expired, check the firewall logs for its "hit count" (or usage, in firewall management-speak).
  7. Number of unauthorized changes: These are rules that are not associated with a specific change ticket. In order to ensure all requests are properly handled, all requests, from initial request to final implementation, and should be managed via a ticketing system. If a change causes a problem and no one has any clue why the change was made, who made it, whether it was assessed for compliance and/or security risk, who approved, etc., it results in a huge waste of resources, and is a clear indicator that firewall management processes are inefficient.
  8. Percentage of changes made outside of authorized change windows: Outages in IT are usually caused by the work IT does. In order to minimize business disruption, change windows are usually set during times when the least amount of people are on the network - for example, firewall admins like to implement rule changes late at night, usually on the weekends. That way, if there is an outage it is much easier to track which change caused it and how. If the majority of changes are made outside of normal change windows, it is usually because admins are spending too much time putting out fires, which indicates the firewall management processes are in need of an overhaul.
  9. Number of rules with no documentation: While the comments section of a firewall rule has text limits that inhibit proper documentation, all change tickets have a comments section, which can be used to provide a business justification for the rule. Some people use spreadsheets to capture this information although using a spreadsheet as a central repository for change information leads to the same issues as with other manual processes. Without proper documentation there is no way to know why a rule was implemented and if it is still necessary.
  10. Number of rules with no logging: Proper firewall management is impossible without leveraging the data found in firewall logs. Similar to other areas of IT, there was a resistance to turning on logging because it would cause performance issues. However, firewall (and firewall management) technology has evolved to the point where logging no longer impacts performance. If there are performance issues with your firewalls, than something else in your environment is not optimal. Determining rule and object usage (numbers two and three in this list) are impossible to do without logging, as is proper forensics and troubleshooting. The advent of automated tools for firewall management makes scanning logs for relevant data a highly manageable endeavor.

Plenty of lip service has been given to the credo that good IT is a function of people, process and technology. Given the fast pace of modern business, breakdowns are bound to happen, and unless a company decides to not use the Internet, they will always be facing a certain level of exposure. While there will never be silver bullet for security, the good news is that proper attention to the metrics above will keep your firewalls optimized so that they remain one of your strongest and most reliable security assets and not a potential liability.

More Stories By Michael Hamelin

Michael Hamelin is Chief Security Architect at Tufin Technologies where he identifies and champions the security standards and processes for Tufin. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world widely regarded as a leading technical thinker in information security.

Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint, a LexisNexis Company. Hamelin received BS degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that Catchpoint Systems, Inc., a provider of innovative web and infrastructure monitoring solutions, has been named “Silver Sponsor” of SYS-CON's DevOps Summit at 18th Cloud Expo New York, which will take place June 7-9, 2016, at the Javits Center in New York City, NY. Catchpoint is a leading Digital Performance Analytics company that provides unparalleled insight into customer-critical services to help consistently deliver an amazing customer experience. Designed...
With the proliferation of both SQL and NoSQL databases, organizations can now target specific fit-for-purpose database tools for their different application needs regarding scalability, ease of use, ACID support, etc. Platform as a Service offerings make this even easier now, enabling developers to roll out their own database infrastructure in minutes with minimal management overhead. However, this same amount of flexibility also comes with the challenges of picking the right tool, on the right ...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 ad...
Microservices are all the rage right now — and the industry is still learning, experimenting, and developing patterns, for successfully designing, deploying and managing Microservices in the real world. Are you considering jumping on the Microservices-wagon? Do Microservices make sense for your particular use case? What are some of the “gotchas” you should be aware of? This morning on #c9d9 we had experts from popular chat app Kik, SMB SaaS platform Yodle and hosted CI solution Semaphore sha...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
Microservices are a type of software architecture where large applications are made up of small, self-contained units working together through APIs that are not dependent on a specific language. Each service has a limited scope, concentrates on a specific task and is highly independent. This setup allows IT managers and developers to build systems in a modular way. In his book, “Building Microservices,” Sam Newman said microservices are small, focused components built to do a single thing very w...
With an estimated 50 billion devices connected to the Internet by 2020, several industries will begin to expand their capabilities for retaining end point data at the edge to better utilize the range of data types and sheer volume of M2M data generated by the Internet of Things. In his session at @ThingsExpo, Don DeLoach, CEO and President of Infobright, will discuss the infrastructures businesses will need to implement to handle this explosion of data by providing specific use cases for filte...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Avere delivers a more modern architectural approach to storage that doesn’t require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbuilding of data centers ...
CIOs and those charged with running IT Operations are challenged to deliver secure, audited, and reliable compute environments for the applications and data for the business. Behind the scenes these tasks are often accomplished by following onerous time-consuming processes and often the management of these environments and processes will be outsourced to multiple IT service providers. In addition, the division of work is often siloed into traditional "towers" that are not well integrated for cro...
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
In most cases, it is convenient to have some human interaction with a web (micro-)service, no matter how small it is. A traditional approach would be to create an HTTP interface, where user requests will be dispatched and HTML/CSS pages must be served. This approach is indeed very traditional for a web site, but not really convenient for a web service, which is not intended to be good looking, 24x7 up and running and UX-optimized. Instead, talking to a web service in a chat-bot mode would be muc...
SYS-CON Events announced today that AppNeta, the leader in performance insight for business-critical web applications, will exhibit and present at SYS-CON's @DevOpsSummit at Cloud Expo New York, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. AppNeta is the only application performance monitoring (APM) company to provide solutions for all applications – applications you develop internally, business-critical SaaS applications you use and the networks that deli...
More and more companies are looking to microservices as an architectural pattern for breaking apart applications into more manageable pieces so that agile teams can deliver new features quicker and more effectively. What this pattern has done more than anything to date is spark organizational transformations, setting the foundation for future application development. In practice, however, there are a number of considerations to make that go beyond simply “build, ship, and run,” which changes ho...
WebSocket is effectively a persistent and fat pipe that is compatible with a standard web infrastructure; a "TCP for the Web." If you think of WebSocket in this light, there are other more hugely interesting applications of WebSocket than just simply sending data to a browser. In his session at 18th Cloud Expo, Frank Greco, Director of Technology for Kaazing Corporation, will compare other modern web connectivity methods such as HTTP/2, HTTP Streaming, Server-Sent Events and new W3C event APIs ...
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
The (re?)emergence of Microservices was especially prominent in this week’s news. What are they good for? do they make sense for your application? should you take the plunge? and what do Microservices mean for your DevOps and Continuous Delivery efforts? Continue reading for more on Microservices, containers, DevOps culture, and more top news from the past week. As always, stay tuned to all the news coming from@ElectricCloud on DevOps and Continuous Delivery throughout the week and retweet/favo...
How is your DevOps transformation coming along? How do you measure Agility? Reliability? Efficiency? Quality? Success?! How do you optimize your processes? This morning on #c9d9 we talked about some of the metrics that matter for the different stakeholders throughout the software delivery pipeline. Our panelists shared their best practices.
In a previous article, I demonstrated how to effectively and efficiently install the Dynatrace Application Monitoring solution using Ansible. In this post, I am going to explain how to achieve the same results using Chef with our official dynatrace cookbook available on GitHub and on the Chef Supermarket. In the following hands-on tutorial, we’ll also apply what we see as good practice on working with and extending our deployment automation blueprints to suit your needs.
Sensors and effectors of IoT are solving problems in new ways, but small businesses have been slow to join the quantified world. They’ll need information from IoT using applications as varied as the businesses themselves. In his session at @ThingsExpo, Roger Meike, Distinguished Engineer, Director of Technology Innovation at Intuit, showed how IoT manufacturers can use open standards, public APIs and custom apps to enable the Quantified Small Business. He used a Raspberry Pi to connect sensors...
Let’s face it, embracing new storage technologies, capabilities and upgrading to new hardware often adds complexity and increases costs. In his session at 18th Cloud Expo, Seth Oxenhorn, Vice President of Business Development & Alliances at FalconStor, will discuss how a truly heterogeneous software-defined storage approach can add value to legacy platforms and heterogeneous environments. The result reduces complexity, significantly lowers cost, and provides IT organizations with improved effi...