Understanding the Challenges and Opportunities of Next-gen Firewalls

By TMCnet Special Guest
Michael Hamelin, Chief Security Architect, Tufin Technologies
  |  October 15, 2012

This article originally appeared in the October 2012 issue of INTERNET TELEPHONY.

Next-generation firewalls have come a long way in a relatively short period of time, building on the evolution of application firewalls, which have started to feature ever-more complex rule sets for standard services, such as sharing services.

The next-gen firewalls have the advantage of supporting application firewall features that rely on mandatory access control (MAC), also referred to as sand boxing, in order to protect vulnerable services.

Against this backdrop, it comes as no surprise to learn that Gartner (News - Alert) predicts that spending on the management of next-gen firewalls is expected to grow to 35 percent of total firewall spending by 2016.

A number of firewall vendors, notably CheckPoint, Cisco, Fortinet, McAfee (News - Alert) and Palo Alto Networks, have either developed or are developing their initial range of next-gen firewall offerings, with Palo Alto, seen as slightly ahead of the industry with a unified single-pass inspection engine.

This approach differs from the industry standard methodology in terms of taking a unified single-pass approach, rather than handing IP traffic flows over to a series of sub-modules.

While some observers view this move as logical, given the hybrid nature of current security threats against the corporate IT platform, most experts agree that the resultant firewall technology throws up a number of challenges, not least of all on the regulatory front.

In the U.S., for example, FISMA – the Federal Information Security Management Act of 2002 –recognizes the importance that IT security represents to economic and national security interests, and requires each federal agency to develop, document, and implement its own program to provide IT security to all aspects of their operations. It is worthy of note that FISMA mandates agency program officials, chief information officers, and inspectors general to conduct annual reviews of the agency's information security program and report the results to Office of Management and Budget.

Put simply, FISMA mandates a stringent burden of annual security reviews, and by implication security plus governance audits, on public sector IT security professionals in the U.S. And the act is very specific in what it requires.

Meeting those needs is no mean feat because, even as far back as 2005, there were problems meeting these requirements. A 2005 report from Intelligent Decisions flagged the fact that U.S. federal CISOs saw increasing software quality assurance as the number-one area on which the private sector needed to focus, and pointed directly at ongoing issues surrounding the quality of software.

Among other areas, the study highlighted the issues surrounding network compromise, patch management, and FISMA compliance as major concerns that keep federal CISOs awake at night.

In what many now view as a prescient report, the 2005 study highlighted unauthorized wireless access points, preventing unauthorized wireless deployments, and rogue Wi-Fi devices as being among the major wireless network security concerns.

And it's not just FISMA compliance that causes potential headaches for IT security professionals. The rising tide of compliance required by the Payment Cards Industry Data Security Standard – version 3.0 of which is expected to be announced later this year, imposed on organizations that process card transactions from clients – is increasingly being viewed with concern. The PCI (News - Alert) DSS standards were developed by the major credit card companies as a guideline to help businesses that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.

Retailers wishing to continue accepting cards, and who are notified they are within the scope of PCI DSS, must validate their compliance on an annual basis. The validation is normally conducted by auditors – registered PCI DSS Qualified Security Assessors – although smaller firms have the option of using a self-certification questionnaire.

While the PCI DSS governance rules are great as a basic audit benchmark for retailers, the real problem facing retailers is their failure to invest in IT security.

If we go back 15 years or so, experts were advising firms to spend between 6 and 8 percent of their total IT budget on security. In fact, it turned out that most firms only invested around 2 percent of their budgets on this, and the industry is now reaping the results of this IT security under funding.

While PCI DSS clearly has its place in the overall security picture, it is my belief that effective governance and compliance comes down to taking a holistic view of your security needs, and too many companies fail to do this. What many firms overlook is the fact that installing extra security can also reap benefits in areas other than simply preventing fraud.

It can also improve overall business efficiency, which is positive for every company.

Delving into the complexities of the PCI DSS v2.0 standard reveals a number of control objectives, and detailed in the 12 main category requirements is the requirement to install and maintain a firewall configuration to protect cardholder data – as well as encrypting the transmission of cardholder data across open, public networks such as the Internet.

The audit and governance functions are covered – in part – by the need to regularly monitor and test networks, as well as to track and monitor all access to network resources and cardholder data, rounded off by the need to regularly test security systems and processes.

So far, so good on the governance front, but there is a school of security thought that an annual audit may no longer be enough to fully meet the provisions of PCI DSS v2.0 – and with v3.0 of the governance standard bearing down on us at high speed, there is an increasing awareness of the need for continuous security audits.

These audits, by implication, must be carried out using an automated platform, since any manual audit can only represent the state of a system's IT security at a given point in time.

An automated security audit and governance function – working quietly in the background – is not only good for compliance and defence purposes, but it also prevents the audit function from interfering in the efficiency of the organization's core business.

The danger with this strategy is that the regulations start to impede the day-to-day efficiency of the business.

My belief is that policies should be both detailed and easy to understand – and should also balance enforcement against productivity. If a security policy starts to impede productivity, then it is, by all conventional definitions, not a good policy, especially if it is misinterpreted by employees.

A classic case of this is the Data Protection Act in the U.K. How many times are U.K. consumers told (incorrectly) that a certain request they have made cannot be completed because of the provisions of the act? In some cases the act's legal restrictions are understandable, but in many instances there is a clear misinterpretation of the provisions of the legislation, leading to employee actions that at best reduce their efficiency and the level of service they offer to customers.

When it comes to IT security, there’s a danger that people tend to “over-tech” most interactions with computers, resulting in the technology usage being more detailed than it actually needs to be. An example of this is where IT security professionals will often refer to a computer audit, rather than a computer-assisted audit, which is the correct term for automated IT audit functions.

Tapping the power of an effective security audit technology that supports a rage of both automated and pre-defined reports means that IT security professionals can get on with the task of efficiently managing the security of the IT systems in the background, but without impeding the efficiency of their colleagues elsewhere in the business.

This is particularly important when it comes to the generation and the use of “what-if” reports that automated firewall management technology thrives on, as they can then be used to develop effective risk analysis programs.

Edited by Braden Becker