An outdated firewall is less useful than an expired insurance policy, which, if nothing else, can always be folded into a paper airplane.
A firewall that hasn't been recently checked for security gaps poses a direct threat to enterprise and customer data. That's why security experts recommend paying close attention to firewall settings and immediately addressing any newly discovered vulnerabilities.
In an era when new cybersecurity tools arrive almost daily, network firewalls remain important security devices, observed James Holley, managing director of cybersecurity for global technology and business consulting firm EY Advisory. "They can be used to create security boundaries between the company’s internal network and the Internet," he said. The technology can also prevent leaks by establishing security zones within a network, similar to the watertight compartments inside a ship. "Because [firewalls] are a primary means of creating and enforcing network security boundaries, their operating system, application and firmware security posture should be verified no less than monthly," Holley advised, adding that enterprise threat and vulnerability management programs are often aligned with "Patch Tuesday," the day when many major software developers publish their vulnerability updates.
It's important to run vulnerability scans at least once a month, suggested Zach Renkert, a solution engineer at IT consulting firm Tech Guidance. "In addition to vulnerability scans, penetration testing should be conducted on a regular basis, especially if your industry requires compliance with [mandates such as] PCI-DSS or HIPAA," he recommended. Another best practice is alternating penetration testers. "One vendor may uncover what another missed, and this can be the difference between a secure network and an article in the news about your business being hacked," Renkert noted.
Firewall risk assessments should follow the organization’s adopted framework for risk and governance. "For example, NIST and other cybersecurity frameworks provide a method to evaluate and understand risk in quantitative and qualitative measures, which in turns helps determine a strategy to either accept, mitigate, or eliminate [risks] based on their appetite for the risk identified," said Jeff Green, vice president of engineering, network security, at cybersecurity technology provider Sophos. "[Also] ensure that all rules and policies are still relevant, and remove or disable old or duplicate firewall rules, hosts, devices or users that are no longer needed," he added.
Delegating authority is necessary to ensure that a firewall keeps pace with emerging threats. "Generally, a team should be identified to maintain the firewalls themselves, even if a separate team maintains the firewall ruleset," Holley stated. "If the internal team determines they're not able to update time-sensitive firewall operating systems, applications, and firmware quickly enough, they must ask for help."
The biggest mistake teams make when performing firewall maintenance is failing to conduct a periodic risk-based rulesets analysis. Complicated rules governing complex communications across multiple security zones can result in overly permissive firewall guidelines that create a serious security gap. "It may be easy to implement permissive rules that allow more than the necessary business logic, but the added risk is that the permissive rules enable attackers to communicate through a firewall that should otherwise stop them," Holley warned.
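The ruleset review Green and Holley describe (finding duplicate rules and rules that allow more than the business needs) can be partly automated. The following is an added example, not code from the article or from any firewall vendor: it models a first-match ruleset as a list of simple allow/deny rules (a constructed, hypothetical format) and flags three classic findings: any-to-any allow rules, exact duplicates, and rules shadowed by an earlier, broader rule, which is how a deny can silently stop working.

```python
from dataclasses import dataclass, astuple
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # IPv4 CIDR, or "any"
    dst: str      # IPv4 CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    dports: str   # "any", a single port "443", or a range "1024-65535"

def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def _ports(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    alo, ahi = _ports(a.dports)
    blo, bhi = _ports(b.dports)
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and alo <= blo and bhi <= ahi)

def audit(rules):
    """Return (rule name, finding) pairs for a first-match, top-to-bottom ruleset."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == rule.dst == rule.dports == "any":
            findings.append((rule.name, "overly permissive: allows any host to reach any host on any port"))
        for earlier in rules[:i]:
            if covers(earlier, rule):  # this rule can never match a packet
                same = astuple(earlier)[1:] == astuple(rule)[1:]
                findings.append((rule.name, f"{'duplicate of' if same else 'shadowed by'} {earlier.name}"))
                break
    return findings

# Constructed sample ruleset for illustration, not taken from any real firewall
SAMPLE_RULES = [
    Rule("allow-web", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", "443"),
    Rule("allow-web-dup", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", "443"),
    Rule("allow-all", "allow", "any", "any", "any", "any"),
    Rule("deny-db", "deny", "any", "192.0.2.20/32", "tcp", "3306"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The shadowed deny is the finding worth acting on first: the broad allow above it is exactly the "permissive rule" Holley warns about, and it makes the later restriction a dead letter.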
Time for a change
Like most technologies, firewalls have a limited lifespan. When a current firewall lacks next-generation firewall (NGFW) capabilities, such as IDS/IPS, anti-virus and web filtering, and botnet protection, it's time to consider installing a replacement. "With how quickly cybersecurity threats adapt and evolve today, a standard rules-based firewall is not enough to protect a network," Renkert explained. "Malware can very easily infect workstations and hide in the network, posing as the infected user's machine and leveraging their permissions on the network for lateral movement."
Yet simply deploying an NGFW is no excuse for complacency. "Even if you have an NGFW with the latest and greatest features, as your business grows—and data consumption increases—the security capabilities of your firewall will need to be assessed," Renkert said. Close attention also needs to be paid to the NGFW's underlying infrastructure. "The advanced security services in firewalls are very computationally heavy, and your current CPUs or dedicated security processing units can only handle so much throughput," he said. "As your throughput needs grow, you will need to upgrade your hardware to ensure all your data can effectively funnel through your advanced security services."
Even when there's a simple network that's fairly static, it's important not to neglect firewall security until an incident demands attention. "If you don’t have time or expertise to manage your firewall, don’t ignore it," Green advised. "There are many IT security partners with the expertise and resources to help you."