J Wolfgang Goerlich's thoughts on Information Security
Who Watches the Watchers? Firewall Monitoring

By wolfgang. 28 April 2015 10:01

Even in the face of being declared dead -- often and repeatedly since 2004 -- the firewall remains a viable security control. De-perimeterization simply leads to a specialization of controls between IT in the cloud and IT on the ground, with the firewall taking on new roles internally. Especially for payment processing, healthcare, and energy, the firewalled network is still a key element of today’s standards and regulations.

The trouble is, all firewalls share a weakness. It isn’t in the IP stack, firmware, or interfaces. No, the weakness is much more fundamental. All firewalls depend on proper configuration and are a single change away from a breach.

Barracuda Networks is well known for its Web Application Firewalls (WAF) which protect against attacks such as SQL injection and others listed in the OWASP Top 10. Back in 2011, however, a change process went awry and disabled Barracuda’s WAF protection for its own servers. Within hours, some tens of thousands of records were stolen via an injection vulnerability on a Barracuda website. All it took was a single misconfiguration.

FireMon Security Manager 8.0 Tools for firewall change management have sprung up to address these concerns. Centralizing the audit log for all changes on all firewalls is great for looking back, however, as Barracuda experienced, a breach can happen within hours. IT admins require real-time detection and notification on changes, which is one of the many features FireMon offers. It can model complex changes and provide a what-if analysis cross-referencing the firewalls with an organization’s policy and compliance obligations.

Firewalls will continue to be a foundational control for an organization’s internal IT. The control for the controller, the watcher for the watcher, is secure change management. This means change planning, detection, auditing, and alerting. Operationally, it also means tracking history and the ability to troubleshoot issues by comparing changes across time. For organizations running complex segmented networks, management tools like FireMon are invaluable for preventing breach by change.

Tags:

    Log in