NC1811
OPINION

FIREWALL GRANULARITY

In-depth firewall defence is being usurped. Lindsay Brechler, Product Manager at FireMon, gives an insight into how to design, test and manage firewalls for the cloud era.
The corporate firewall is more critical now than it's ever been, and this is confirmed in our latest (2018) State of the Firewall Report. The majority of respondents believe that the firewall is still an important part of their overall security architecture, with 94 per cent saying that firewalls are as critical as always or more critical than ever.

But the way in which businesses are defining firewalls is changing. We're seeing a continued trend towards smaller, host-based firewalls that support micro-segmentation and zero-trust strategies. This, it seems, is because businesses now think less about centralised firewalls and more about cloud.
DESIGNING A FIREWALL DEFENCE

Sadly there is no one-size-fits-all solution, so some effort is required. The old approach was defence in depth, that is, build as many firewalls as possible. Now, best practice is to implement zone-based networks, which create defined network zones covering a number of different endpoints, based on the data that those networks carry. When defining zones it's important to think beyond geography, as permissions and data protection may have more impact on what defines a zone than location does.

Over the next several years, zone-based architectures will be the predominant strategy used to build firewall defence. Eventually, this will create fine-grained control using zero-trust and micro-segmentation architectures that establish enforcement near to a host, endpoint or server. In the meantime, zone-based approaches are also trying to bridge the gap by offering more fine-grained control based on broad data protection categories.
FIREWALL TESTING

If a firewall isn't managed or tested properly then a false and dangerous sense of security is created. We know that when firewalls are involved in breaches it's generally because of exploitation of weaknesses within the configured policy, and not hacking of the firewall itself.
With regard to testing, one hard and fast rule - make sure that you're testing against the most current policy configuration - sounds very obvious: testing an outdated configuration is pointless. In some organisations firewalls are updated hourly, so the first step in testing is to have real-time visibility into these updates, so that you can be certain you have identified the most recent configuration to test.

Following that, the network operations team needs to run relevant compliance checks against industry standards, corporate policies and other best practices. For example, ensure that practices are in place to prohibit unencrypted protocols being sent to the web.

In general, it is best to automate firewall testing as much as possible. By doing so you will know as soon as anything is misconfigured and be able to deal with it promptly.
FIREWALL MANAGEMENT

It's critical to have a well-defined process in place within the network operations team that is used each time firewall changes are made. It should include an analysis of whether a new rule is necessary, for example, by identifying whether access is already configured. Then, network operations must run a compliance check before the rule is added.

Processes like these can uncover inconsistencies. When you determine there are things to remediate, order them by severity; for example, clean up anything overly permissive (on too many services with too much access) before you remove an unused rule.
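The testing and management steps above (pin down which configuration you are testing, run a compliance check such as "no clear-text protocols to the web", check whether proposed access is already granted, and rank remediation by severity) are the kind of checks that lend themselves to automation. The Python below is an added example written for this page; it is not FireMon's code and does not come from the article. The rule format, the sample policy, the hit counts and the list of clear-text protocols are all constructed for illustration.

```python
"""Minimal firewall-policy audit (added example; constructed rule format)."""
import hashlib
import ipaddress
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # IPv4 CIDR, or "any"
    dst: str        # IPv4 CIDR, or "any"
    proto: str      # "tcp", "udp" or "any"
    port: str       # port number, or "any"
    action: str     # "allow" or "deny"
    hits: int = 0   # matches seen in the review period (constructed figure)


# Clear-text services we do not want leaving for the internet (hypothetical list:
# ftp, telnet, http, snmp). A real check would take this from corporate policy.
UNENCRYPTED = {("tcp", "21"), ("tcp", "23"), ("tcp", "80"), ("udp", "161")}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    """Turn the 'any' shorthand or a CIDR string into a network object."""
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def policy_fingerprint(policy: list) -> str:
    """Stable digest of the ruleset, so a test report can name exactly which
    configuration it ran against (the 'test the current policy' step)."""
    canonical = json.dumps([asdict(r) for r in policy], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def covers(existing: Rule, proposed: Rule) -> bool:
    """True if an existing allow rule already grants everything the proposed
    rule asks for: narrower or equal networks, and protocol/port either equal
    or wildcarded on the existing side."""
    if existing.action != "allow" or proposed.action != "allow":
        return False
    nets_ok = (net(proposed.src).subnet_of(net(existing.src))
               and net(proposed.dst).subnet_of(net(existing.dst)))
    proto_ok = existing.proto in ("any", proposed.proto)
    port_ok = existing.port in ("any", proposed.port)
    return nets_ok and proto_ok and port_ok


def already_configured(policy: list, proposed: Rule) -> list:
    """Change-process step: names of rules that already grant the requested access."""
    return [r.name for r in policy if covers(r, proposed)]


def permits_cleartext_egress(r: Rule) -> bool:
    """Compliance check: does this allow rule let a clear-text service reach the internet?"""
    if r.action != "allow" or net(r.dst) != ANY_NET:
        return False
    return any(r.proto in ("any", proto) and r.port in ("any", port)
               for proto, port in UNENCRYPTED)


def audit(policy: list) -> list:
    """Return (severity, rule name, message) findings, highest severity first:
    3 = overly permissive, 2 = clear-text to the web, 1 = unused rule."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((3, r.name, "overly permissive: any source to any destination on any service"))
        elif permits_cleartext_egress(r):
            findings.append((2, r.name, f"unencrypted protocol {r.proto}/{r.port} permitted to the internet"))
        if r.hits == 0:
            findings.append((1, r.name, "unused: no hits in the review period"))
    # sorted() is stable, so rules of equal severity keep their policy order
    return sorted(findings, key=lambda f: -f[0])


# Constructed sample policy and a constructed change request.
POLICY = [
    Rule("allow-all-legacy", "any", "any", "any", "any", "allow", hits=120),
    Rule("web-out", "10.0.0.0/8", "any", "tcp", "80", "allow", hits=5000),
    Rule("https-out", "10.0.0.0/8", "any", "tcp", "443", "allow", hits=90000),
    Rule("old-vendor", "10.1.2.0/24", "203.0.113.0/24", "tcp", "22", "allow", hits=0),
    Rule("deny-all", "any", "any", "any", "any", "deny", hits=300),
]
PROPOSED = Rule("new-https", "10.20.0.0/16", "any", "tcp", "443", "allow")

if __name__ == "__main__":
    print("policy", policy_fingerprint(POLICY)[:12])
    print("proposed access already granted by:", already_configured(POLICY, PROPOSED))
    for severity, name, msg in audit(POLICY):
        print(f"[{severity}] {name}: {msg}")
```

Two points the output makes that the text only states: the legacy any/any rule "covers" every proposed request, which is exactly why the overly permissive finding outranks the unused-rule finding, and the fingerprint gives the test report something concrete to cite when the configuration changes hourly.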
FIREWALL FUTURE

As organisations move more computing to the cloud, a shift in mindset is needed: managing security intent becomes the means of managing cloud scale. It won't be possible, given the dynamic and scaled nature of cloud, to manage the point-to-point address implementation manually (which is what has happened historically) as these networks grow.

We're now at a transition point. Zone-based approaches are becoming the new normal, with zero-trust and micro-segmentation not far behind.
Network Computing, November/December 2018, page 21. www.networkcomputing.co.uk @NCMagAndAwards