
Top Ten Firewall Management Metrics that Matter…and Why

Proper attention to these metrics will keep your firewalls optimized

If you look at some of the headline-making breaches of the past few years, they all occurred at large companies with highly dynamic and complex computing environments. Securing these environments is impossible to do without automation, which is why so much of the innovation in IT security in recent years has been focused on automating security management.

Network security is one area where systems have become too complex to manage manually. Let's take firewalls as a case in point. A single firewall can have hundreds or thousands of rules, each made up of three components: source, destination and service. Next-generation firewalls add at least two additional fields - users and applications.

Larger companies have hundreds of firewalls, usually from multiple vendors, in multiple geographies, managed by different people. That's just for starters - any number of factors can exponentially increase the degree of firewall complexity. While rare, in extreme situations a particularly bloated or neglected rule base - or even a simple typo while configuring a rule - if left untended, can result in a situation where a firewall can introduce more risk than it prevents.

The only way to get your brain around the state of your firewalls is to audit them. While manual audits can be painful (not to mention error prone), an audit may be the best way to fast-track proper firewall management. Regardless of whether an audit is manual or automated, here are some important metrics to look for:

  1. Number of shadowed or redundant rules: Shadowed rules are rules that are masked, completely or partially, by other rules placed higher up in the rule base. Shadowed rules are very common because administrators add new firewall rules all the time but, for a variety of reasons - fear of causing an outage, or not knowing why a rule was added in the first place - rarely delete them. A rule base filled with shadowed rules is not only inefficient, it puts a much greater strain on the firewall than is necessary, which can lead to performance issues.
  2. Number of unused rules: Unused rules will appear rarely, if at all, in firewall logs because they aren't being used for legitimate traffic. Unused rules can lead to serious exposures, such as allowing access to a server that is no longer being used and, as a result, exposing a service likely not properly patched. Looking for unused rules manually can be an extremely slow and tedious process, which is why admins hate to do it. However, automated solutions can make auditing for unused rules both manageable and simple.
  3. Number of unused objects: An object is a component of a rule, and a single field of a rule (i.e., source, destination or service) can have multiple objects - such as a business unit having access to multiple destinations and/or services. Not only do unused objects appear much more frequently than unused rules, they are that much harder to find manually. Cleaning up unused objects can significantly tighten up a rule base and often lead to improved performance.
  4. Number of rules with permissive services: The most common examples of this are rules with "ANY" in the service field, but in general, permissive services give more access than is needed to the destination by allowing additional services (which are often applications), which can lead to unauthorized use, allow the service to be a springboard to other parts of the network, or leave it exposed to malicious activity.
  5. Number of rules with risky services (such as telnet, ftp, snmp, pop, etc.) in general or between zones (i.e., between Internal, DMZ, External, or between development and production networks): Risky services are deemed risky because they usually allow credentials to be passed in plain text, often contain sensitive info or enable access to sensitive systems. Any service that exposes sensitive data or allows for shell access should be tightly monitored and controlled.
  6. Number of expired rules: Any rule that was created on a temporary basis and has clearly expired is just taking up space and does not need to remain in the rule base. If there is no documentation as to when or why the rule expired, check the firewall logs for its "hit count" (or usage, in firewall management-speak).
  7. Number of unauthorized changes: These are rules that are not associated with a specific change ticket. In order to ensure all requests are properly handled, every request should be managed via a ticketing system, from initial request to final implementation. If a change causes a problem and no one has any clue why the change was made, who made it, whether it was assessed for compliance and/or security risk, who approved it, etc., it results in a huge waste of resources, and is a clear indicator that firewall management processes are inefficient.
  8. Percentage of changes made outside of authorized change windows: Outages in IT are usually caused by the work IT does. In order to minimize business disruption, change windows are usually set during times when the fewest people are on the network - for example, firewall admins like to implement rule changes late at night, usually on the weekends. That way, if there is an outage it is much easier to track which change caused it and how. If the majority of changes are made outside of normal change windows, it is usually because admins are spending too much time putting out fires, which indicates the firewall management processes are in need of an overhaul.
  9. Number of rules with no documentation: While the comments section of a firewall rule has text limits that inhibit proper documentation, all change tickets have a comments section, which can be used to provide a business justification for the rule. Some people use spreadsheets to capture this information although using a spreadsheet as a central repository for change information leads to the same issues as with other manual processes. Without proper documentation there is no way to know why a rule was implemented and if it is still necessary.
  10. Number of rules with no logging: Proper firewall management is impossible without leveraging the data found in firewall logs. Similar to other areas of IT, there was a resistance to turning on logging because it would cause performance issues. However, firewall (and firewall management) technology has evolved to the point where logging no longer impacts performance. If there are performance issues with your firewalls, then something else in your environment is not optimal. Determining rule and object usage (numbers two and three in this list) is impossible without logging, as is proper forensics and troubleshooting. The advent of automated tools for firewall management makes scanning logs for relevant data a highly manageable endeavor.
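
As an added illustration (not from the original article or any vendor tool), the sketch below computes metrics 1, 4, 5, 7, 9 and 10 over a small constructed IPv4 rule base. The `Rule` fields, the ticket ids and first-match-wins evaluation are assumptions, and only fully shadowed rules are detected; metrics that depend on hit counts or timestamps (2, 3, 6, 8) need log data and are not covered.

```python
import ipaddress
from dataclasses import dataclass

RISKY = {"telnet", "ftp", "snmp", "pop"}  # risky services named in item 5

@dataclass
class Rule:  # hypothetical export format, one entry per firewall rule
    id: int
    src: str            # IPv4 CIDR or "ANY"
    dst: str            # IPv4 CIDR or "ANY"
    service: str        # service name or "ANY"
    action: str = "allow"
    log: bool = True
    comment: str = ""   # business justification (item 9)
    ticket: str = ""    # change ticket id (item 7)

def _net(value):
    return ipaddress.ip_network("0.0.0.0/0" if value == "ANY" else value)

def covers(upper, lower):
    """True if every packet matching `lower` also matches `upper`."""
    return (_net(lower.src).subnet_of(_net(upper.src))
            and _net(lower.dst).subnet_of(_net(upper.dst))
            and upper.service in ("ANY", lower.service))

def shadowed(rules):
    """Map each fully masked rule id to (masking rule id, kind).

    Same action as the masking rule: "redundant" (safe to delete).
    Different action: "conflict" (the lower rule never takes effect).
    """
    found = {}
    for i, low in enumerate(rules):
        for up in rules[:i]:           # first match wins, so look upward only
            if covers(up, low):
                kind = "redundant" if up.action == low.action else "conflict"
                found[low.id] = (up.id, kind)
                break
    return found

def audit(rules):
    allow = [r for r in rules if r.action == "allow"]
    return {
        "shadowed": shadowed(rules),
        "permissive": [r.id for r in allow if r.service == "ANY"],
        "risky": [r.id for r in allow if r.service in RISKY],
        "unauthorized": [r.id for r in rules if not r.ticket],
        "undocumented": [r.id for r in rules if not r.comment],
        "no_logging": [r.id for r in rules if not r.log],
    }

# Constructed sample rule base, listed in evaluation order.
SAMPLE = [
    Rule(1, "10.0.0.0/8", "192.168.10.0/24", "https", comment="intranet web", ticket="CHG-1001"),
    Rule(2, "10.1.0.0/16", "192.168.10.5/32", "https"),
    Rule(3, "ANY", "192.168.20.0/24", "ANY", log=False, ticket="CHG-1002"),
    Rule(4, "10.2.0.0/16", "192.168.20.7/32", "telnet", action="deny",
         comment="block telnet", ticket="CHG-1003"),
    Rule(5, "10.3.0.0/16", "172.16.0.10/32", "ftp", comment="legacy transfer", ticket="CHG-1004"),
]

if __name__ == "__main__":
    for metric, hits in audit(SAMPLE).items():
        print(f"{metric}: {hits}")
```

Rule 4 in the sample shows why shadowing is a risk and not only a performance concern: the telnet deny sits below an ANY allow and is never evaluated.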

Plenty of lip service has been given to the credo that good IT is a function of people, process and technology. Given the fast pace of modern business, breakdowns are bound to happen, and unless a company decides to not use the Internet, it will always face a certain level of exposure. While there will never be a silver bullet for security, the good news is that proper attention to the metrics above will keep your firewalls optimized so that they remain one of your strongest and most reliable security assets and not a potential liability.

More Stories By Michael Hamelin

Michael Hamelin is Chief Security Architect at Tufin Technologies where he identifies and champions the security standards and processes for Tufin. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world widely regarded as a leading technical thinker in information security.

Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint, a LexisNexis Company. Hamelin received BS degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.
