Firewall analysis helps you understand how your firewalls have been programmed. This task, which is too complex to perform manually, helps you detect accidental exposures caused by mistakes in programming these devices. Learn how your critical assets, and access to them, can be secured by ensuring that your firewalls implement the right security policy, writes Vijaya Raghavan.
If you are a chief information officer, or someone responsible for your company's network, ask yourself this question now.
"Can I tell exactly how my critical and high value hosts and applications are protected? That is, can I describe the full extent of allowed access to these hosts and all the services and all the network resources that can connect to these hosts?"
An associated question is: "If any of my critical hosts are compromised, what else becomes vulnerable on my network?"
If you are like the majority of CIOs and systems managers across the world, the chances are that you have a written policy that limits the services and resources that can connect to your critical business assets.
You would expect your systems administrator to adhere to this policy when implementing your network access rules. This represents your corporate security policy.
Having a written corporate policy is good, but not good enough.
Can you verify it? It is not uncommon for system administrators to drift from corporate rules when programming network devices. They have several responsibilities, are constantly under pressure to deliver a variety of services to their corporate users, and, being human, can make the occasional mistake.
The crucial point is: Can you verify that your critical business assets are always protected, at least to the extent that your technology allows you to do so? Without the ability to verify, your corporate security policy states intent but cannot be enforced.
You can always test your network to determine whether accesses to your most important resources are within corporate guidelines.
But it is impractical and perhaps disruptive to constantly test your network. Testing is also not comprehensive because there are limits to available time and resources. So you will test only against a subset of the universe of possible attack vectors.
The role of the firewall
The firewall is the single most critical item of hardware or software in a network that is responsible for its security.
A firewall's configuration (or programming) determines which connections it will allow and which it will not. A firewall configuration is written in a very low level language that is proprietary to the manufacturer of the firewall.
So, Cisco has its own language and Check Point has its own, and their syntaxes have little in common.
A desired corporate policy is translated into firewall rules that are programmed into the firewall. Mistakes in programming can cause the actual policy on the network to be at variance with the intended policy. This is a truly risky situation because you cannot easily verify what has actually been implemented.
A firewall with many hundreds of rules can be very complex to understand manually. Additionally, firewalls have different default behaviours, such as what happens to traffic that matches no rule at all, and these must be taken into account to understand how they respond to the data traffic passing through them.
Firewall rules work together to implement security policy and hence must be analysed together, rather than individually: on a device that applies the first matching rule, a rule placed too early can silently override, or shadow, every later rule that it overlaps.
Two types of situations can occur through mistakes in programming. The first is where a required business service or asset is not given access when it should be.
This situation will be discovered when someone who needs the asset or service finds that it is not available. It is easily fixed; it causes a temporary disruption of service but is otherwise relatively harmless.
The second is a serious problem and results in a hidden security time bomb in your network. A business service or asset is accidentally exposed. You will not find users complaining because there is no disruption of service.
You will not discover the exposure until the network is thoroughly tested which may not happen. The fact that manual verification of firewalls is difficult means that it is usually not done. The exposure stays and critical business assets are put at risk.
A figure of 85 per cent is often quoted for the share of breached companies in which mistakes in firewall configuration were the root cause.
Dangerous services that are known to be used in attacks were left exposed without reason.
New breed of analytical tools
The system administrator has, until now, not had the benefit of tools to help him verify firewall configurations. That situation is, gladly, changing.
Firewall analysis is an area in which there is extensive current research and several companies have products that offer varying degrees of support to help establish confidence in implemented firewall policies.
Without tool support, system administrators and CIOs cannot be sure of the soundness of the implemented policy.
The low level nature (and diversity) of firewall programming options and the fact that there can be thousands of rules in a firewall configuration, preclude manual verification.
A new breed of sophisticated analytical tools is now available in the market. These are products that analyse firewall configurations and determine, in detail, the complete set of network assets and services that are allowed access through the firewall. So you can use these tools to verify that firewalls have been programmed correctly.
These tools work largely off-line and can be run after every firewall configuration change.
They provide detailed reports on the assets that can be accessed from the various sub-networks within the corporate network and from the Internet.
Running these tools does not disrupt the network since they do not intercept traffic or inject extraneous data packets into the network.
Analytical tools are comprehensive because they evaluate the entire spectrum of possible network access vectors through the configuration, rather than the subset a test schedule has time for. The caveat is that the analysis is only as good as its model of the device: it covers the configuration as written, not defects in the firewall software itself or traffic paths that bypass the firewall altogether.
So you will know all the services and all the assets that are exposed in violation of your corporate policy with a single run of the tool.
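The following is an added example, not code from the article or from any product it refers to, of what such an analysis does in miniature: it evaluates a small rule set with first-match semantics and an explicit device default (the point made above about rules working together and about default behaviours), enumerates every zone-to-asset-to-service combination the rule set permits, compares that effective access with the written policy to list exposures and broken access, reports rules that never become the first match (shadowed rules), and answers the "what else is reachable if this host is compromised" question. The zones, addresses, services, intended policy and rules are all constructed for illustration. Analysing one representative address per zone is a simplification that holds here because every rule treats each zone's subnet uniformly; a real analyser splits address space at every rule boundary.

```python
"""Offline firewall rule analysis in miniature (added example, constructed data).

First-match evaluation, effective-access enumeration, comparison with the
written policy, shadowed-rule detection and blast radius of a compromised host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port as a string, or "any"

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in ("any", str(dport)))


def evaluate(rules, default_action, src, dst, proto, dport):
    """First matching rule wins; the device default applies when nothing
    matches. Returns (action, name of the rule that decided)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return default_action, "<default>"


# Constructed inputs: one representative address per zone, two critical assets,
# three services of interest.
ZONES = {"internet": "203.0.113.5", "app": "10.0.2.5", "users": "10.0.3.5"}
ASSETS = {"web": "10.0.1.10", "db": "10.0.1.20"}
SERVICES = [("tcp", 22), ("tcp", 443), ("tcp", 3306)]

# What the written corporate policy allows: (zone, asset, proto, port).
INTENDED = {
    ("internet", "web", "tcp", 443),
    ("users", "web", "tcp", 443),
    ("app", "db", "tcp", 3306),
}

# What was actually programmed (constructed). r3 is a "temporary" wide-open
# rule that was never removed; r4 was meant to lock the database down but
# sits below r3, so it can never be the first match.
RULES = [
    Rule("r1", "permit", "203.0.113.0/24", "10.0.1.10/32", "tcp", "443"),
    Rule("r2", "permit", "10.0.2.0/24", "10.0.1.20/32", "tcp", "3306"),
    Rule("r3", "permit", "0.0.0.0/0", "10.0.1.0/24", "tcp", "any"),
    Rule("r4", "deny", "0.0.0.0/0", "10.0.1.20/32", "tcp", "3306"),
]


def effective_access(rules, default_action, zones=ZONES, assets=ASSETS, services=SERVICES):
    """Every (zone, asset, proto, port) the rule set permits, plus the names of
    rules that were never the first match over that space (shadowed)."""
    permitted, hit = set(), set()
    for (zone, src), (asset, dst), (proto, port) in product(zones.items(), assets.items(), services):
        action, name = evaluate(rules, default_action, src, dst, proto, port)
        hit.add(name)
        if action == "permit":
            permitted.add((zone, asset, proto, port))
    shadowed = [r.name for r in rules if r.name not in hit]
    return permitted, shadowed


def audit(rules, default_action, intended=INTENDED):
    """Compare effective access with the written policy."""
    permitted, shadowed = effective_access(rules, default_action)
    return {
        "exposures": sorted(permitted - intended),  # silent: nobody complains
        "breaks": sorted(intended - permitted),     # noisy: someone will complain
        "shadowed": shadowed,
    }


def blast_radius(rules, default_action, compromised, assets=ASSETS, services=SERVICES):
    """If the named asset is compromised, which other assets and services can it reach?"""
    src = assets[compromised]
    reach = set()
    for (asset, dst), (proto, port) in product(assets.items(), services):
        if asset != compromised and evaluate(rules, default_action, src, dst, proto, port)[0] == "permit":
            reach.add((asset, proto, port))
    return sorted(reach)


if __name__ == "__main__":
    report = audit(RULES, "deny")
    print("exposures:", len(report["exposures"]), "| breaks:", report["breaks"],
          "| shadowed:", report["shadowed"])
    print("if web is compromised it can reach:", blast_radius(RULES, "deny", "web"))
    # Same rules without r3, under both device defaults: the default alone
    # changes the answer, which is why it must be part of the analysis.
    fixed = [r for r in RULES if r.name != "r3"]
    for default in ("deny", "permit"):
        print(f"without r3, default={default}:", audit(fixed, default))
```

Run as written, the audit of the constructed rule set reports fifteen combinations permitted in violation of the written policy, no broken intended access (so no user would ever have complained), and r4 as shadowed; a compromised web server can reach every probed service on the database. Removing r3 under a default-deny device leaves one intended access broken (users to the web server) and nothing exposed, while the same rules on a default-permit device expose thirteen combinations.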
Tools of this kind simplify management of network security because the complex manual task of verifying firewall programming is automated and can be repeated at any frequency that is desired. You can use these tools pro-actively, to audit your network on a continuous basis.
Security policy can now be defined and enforced because it can be verified as often as required.
Security Officers should take cognizance of this new breed of tools if they want to ensure that their networks stay secure.
The old faithful firewall continues to be the chief bulwark against network attacks even though intrusion detection and prevention systems now exist. Firewalls are the first line of defence and the most important one.
Heterogeneous firewalls from different manufacturers are often used at different points in the network as a form of defense-in-depth strategy.
While this is a good strategy, it makes the task of the network administrator more complex since he or she has to understand and manage devices that are complex and different from each other. This non-standardization of firewall hardware is a strength and a weakness.
It makes the task of finding network weaknesses hard for both the attacker (strength) and the network administrator (weakness).
Tools that analyse network security using software algorithms take the difficulty out of ensuring that the right policy is implemented.
Continuous auditing with these tools means that your first line of network defence, the firewall, is continuously checked against your intended policy and against the regulations your company must comply with. You can sleep easy.