Left unchecked, firewall proliferation and inconsistent configurations will drive firewall ownership costs steadily upward, while negatively impacting an organization's security posture.
META Trend: Consolidation of functionally related capabilities and products into multiservice security solutions will accelerate in 2005. A related outcome will be the absorption of network security controls (e.g., firewall, VPN) by network infrastructure devices such as routers and switches (2005-08). Consequently, more robust management capabilities, including role-based administration, will become a more critical requirement.
Numerous factors contribute to consideration and implementation of additional firewalls in many current enterprises. These include:
· Growing volumes of Internet traffic: Despite the bubble bursting, B2C and B2B interactions are far from dead; rather, they are steadily on the rise for most organizations. Add to this remote-user and remote-site requirements being fueled by mobility trends and WAN cost-saving initiatives respectively, and the result is continued - even dramatic - growth in terms of aggregate Internet bandwidth and the number of Internet connections being used by the average organization. The relevant implication, because each of these connections must be secured, is demand for greater firewall capacity. This translates to both more firewalls, and ones capable of handling much larger traffic volumes.
· Unacceptable latency: It is not uncommon to have Internet-destined traffic from remote offices routed via ordinary WAN connections (e.g., frame relay) to designated sites with full Internet gateways/DMZs. Typically, the intent is to save infrastructure costs. However, in some instances, particularly when remote sites are truly remote (e.g., in parts of Asia, Africa, and South America), the users in those sites can find access delays considerable. The “fix” for this situation is to establish an Internet gateway, complete with associated firewall, at the remote office itself (or at least in closer geographic proximity to it).
· Pressure to secure internal networks: Organizations with mature information security programs have long recognized that internal environments are notoriously insecure and have begun to address the situation. On the other hand, less mature organizations can trace their more recent attentiveness to this issue to mounting regulatory pressure to establish a “comprehensive security solution.” Whatever the case, the result is greater deployment of security controls (including firewalls) at more locations in the network than just the Internet boundaries.
However, the impact of these additional firewalls is not always completely positive. Capital costs are an obvious issue, with unit prices ranging from $500 for smaller, branch-office appliances, to tens of thousands of dollars for higher-capacity systems. Management implications, though, present an even greater concern. Having a greater number of instances to manage is one issue, but without proper controls in place, additional complicating factors often arise.
For example, rogue firewalls can materialize as the result of personnel at remote offices taking it upon themselves to solve their unbearable latency issues. Similarly, a semiautonomous business unit with a new application (or remote access tool) could activate it with a new, dedicated Internet connection. Before long, the organization is contending, perhaps unknowingly, with a collection of firewall products from various vendors. In addition, security is potentially jeopardized by weak configurations and/or inadequate maintenance practices.
These situations may seem a bit dramatic, but based on our customer interactions, we can confirm that they are not at all uncommon. It is with this state of affairs in mind that we recommend consideration of the following practices to stem the tide of firewall proliferation:
· Having and communicating a formal policy and associated process for requesting, evaluating, and approving new firewall implementations is an essential starting point. This may seem like an obvious step to take, but we estimate that fewer than 50% of organizations have such a mechanism in place.
· Establishing regional Internet gateways is another helpful measure. This approach, applicable primarily to global organizations, is intended to strike a reasonable balance between full centralization (i.e., having all Internet firewalls in one physical location) and full distribution (i.e., having an Internet firewall at every site). At the outset, this will typically involve having a single instance of high-availability firewall pairs/clusters in each major geography (e.g., Americas, EMEA, Asia/Asia Pacific). Based on costs, traffic volumes, and latencies, this could subsequently evolve to multiple instances of Internet gateway in each region, but ideally never more than two to three.
· In some instances, multiple separate firewall units can be consolidated into fewer, high-capacity systems. For example, this approach would deserve consideration for the reduction/simplification of a highly complex Internet DMZ, creation of a firewall farm used to protect B2B connections, or even firewalling between numerous internal user/resource segments and/or a data center. Products suitable to this role have emerged only in the past couple of years, and typically have highly customized hardware (e.g., ASICs) or a chassis/blade architecture. Embedded switching capabilities (including VLAN support), high port densities, and support for virtual firewalls are also common characteristics. Indeed, the latter capability and support for very granular role-based administration are critical elements for ensuring that consolidation does not result in unbearable levels of configuration complexity.
Clearly, it will not be possible to eliminate new firewall deployments altogether. Legitimate needs, along with less clear-cut cases driven by “people in positions of power,” will inevitably need to be accommodated. The key to success in these instances is maintaining consistency, and centralizing firewall management responsibilities can go a long way toward accomplishing this objective. Additional recommended practices include the following:
· Firewall products should be standardized within the enterprise, ideally limiting selection of any new units to a single vendor’s product line. Historically, the benefit in terms of security effectiveness of having two different firewall technologies/brands has not outweighed the added management complexity and costs. This is validated, at least in part, by such implementations declining from a frequency of 5%-10% approximately three to four years ago to a level of 1%-2% currently.
· Initial configurations should be governed by a written configuration guideline that documents allowed-use cases, the rules every firewall must carry (e.g., a final, logged deny-all rule), and the required treatment of common and disallowed protocols.
· Subsequent firewall configuration changes should be governed by a formal change management process, so that every rule in production can be traced to an approved request. Related to this, a maintenance schedule should be established to ensure not only that new software/firmware releases are assessed and implemented, but also that the rule base is periodically reviewed and culled of rules that are unused, shadowed by earlier rules, or no longer tied to a business need.
· Role-based administration should be aggressively implemented, thereby limiting not only who can make changes to the firewall, but also the scope of changes that any specific administrator can accomplish - which is consistent with the security principle of “least privilege.”
· Firewall logs should be reviewed regularly; traffic that the guideline says should never be permitted is the most direct evidence of an out-of-specification configuration. Policy and configuration scanners can complement log review by comparing the live rule base against the guideline and the last approved baseline, thereby detecting discrepancies, unauthorized changes, and even vulnerabilities.
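The last four practices can be mechanized as a scheduled review script. The following is an added example, not code from the original note or from any vendor: it parses a constructed, hypothetical rule-base export (the one-line-per-rule format, field names, and the sample rules are assumptions), checks it against a guideline encoded as data (disallowed services, a required final logged deny-all), flags shadowed and zero-hit rules as culling candidates, and detects drift from an approved baseline by comparing a digest of the security-relevant fields that was recorded with the change ticket.

```python
"""Review a firewall rule base against a configuration guideline.

Added example with a constructed rule export; the export format, field names,
sample rules and digest scheme are hypothetical, not any vendor's.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str   # "permit" or "deny"
    src: str      # "any" or a CIDR / host string
    dst: str
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # port number as a string, or "any"
    hits: int     # hit counter since the last rule-base review
    log: bool


# Constructed export: "id action src dst proto port hits log", one rule per line.
SAMPLE_EXPORT = """\
10 permit any 203.0.113.10/32 tcp 443 184233 yes
20 permit 10.0.0.0/8 any tcp 23 0 no
30 permit any any any any 77 no
40 permit any 203.0.113.10/32 tcp 443 0 yes
50 deny any any any any 5120 yes
"""

# Guideline encoded as data: services that must never be permitted.
DISALLOWED = {("tcp", "23"), ("tcp", "21"), ("udp", "69")}  # telnet, ftp, tftp

ANY4 = ("any", "any", "any", "any")


def parse_export(text):
    rules = []
    for line in text.strip().splitlines():
        rid, action, src, dst, proto, port, hits, log = line.split()
        rules.append(Rule(int(rid), action, src, dst, proto, port, int(hits), log == "yes"))
    return rules


def rulebase_digest(rules):
    """SHA-256 over the security-relevant fields only; hit counters are excluded
    so the digest recorded with the change ticket stays stable between changes."""
    canon = "\n".join(f"{r.rid}|{r.action}|{r.src}|{r.dst}|{r.proto}|{r.port}|{r.log}"
                      for r in rules)
    return hashlib.sha256(canon.encode()).hexdigest()


def covers(a, b):
    """True if rule a matches every packet that rule b matches. 'any' is treated
    as a superset; otherwise fields must be identical (conservative: CIDR
    containment is not evaluated, so some shadowing goes unreported)."""
    return all(x == "any" or x == y for x, y in
               ((a.src, b.src), (a.dst, b.dst), (a.proto, b.proto), (a.port, b.port)))


def audit(rules, approved_digest=None):
    """Return a list of findings, in rule order, for the guideline checks."""
    findings = []
    if approved_digest is not None and rulebase_digest(rules) != approved_digest:
        findings.append("DRIFT: rule base differs from approved baseline (unauthorized change?)")
    for i, r in enumerate(rules):
        tuple4 = (r.src, r.dst, r.proto, r.port)
        if r.action == "permit" and tuple4 == ANY4:
            findings.append(f"rule {r.rid}: permit any/any/any/any")
        if r.action == "permit" and (r.proto, r.port) in DISALLOWED:
            findings.append(f"rule {r.rid}: permits disallowed service {r.proto}/{r.port}")
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"rule {r.rid}: shadowed by rule {earlier.rid} (never matches)")
                break
        if r.hits == 0:
            findings.append(f"rule {r.rid}: zero hits since last review; cull candidate")
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny"
                            and (last.src, last.dst, last.proto, last.port) == ANY4
                            and last.log):
        findings.append("required final 'deny any any log' rule missing")
    return findings


if __name__ == "__main__":
    current = parse_export(SAMPLE_EXPORT)
    approved = rulebase_digest(current)  # normally read from the change record
    for finding in audit(current, approved):
        print(finding)
```

On the sample export the script reports the telnet permit in rule 20, the any/any/any/any permit in rule 30, rule 40 as shadowed by rule 10, rule 50 (the deny-all) as shadowed by rule 30, and the zero-hit rules 20 and 40 as culling candidates; re-running it against a baseline digest recorded at change-approval time turns any unticketed edit into a DRIFT finding, which is the check a configuration scanner automates.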
Bottom Line: Centralized control, consolidation, and configuration consistency are the keys to managing an organization’s firewalls.
Business Impact: Robust, proactive implementation policies and management practices can reduce the cost of ownership for firewalls, while also improving their security effectiveness.