Thursday, September 17, 2009

Top 5 best practices for firewall administrators


At the recent Defcon 17 conference in Las Vegas, Tufin Technologies conducted a survey among 79 hackers, asking about their hacking habits. According to the survey results, the hacking business is just coming off its summer break and gearing up for the busy Christmas holiday season, so you'd better get ready.
Among the findings of the survey:
* Eighty one percent of the respondents are more active during the winter holidays than other times of the year.
* More than half of the respondents say Christmastime is the best time to engage in corporate hacking, and 25% specifically identify New Year's Eve as a great night for hacking.
"Christmas and New Year holidays are popular with hackers targeting western countries," according to Michael Hamelin, chief security architect for Tufin. "Hackers know this is when people relax and let their hair down, and many organizations run on a skeleton staff over the holiday period."
Although hackers don't mind working holidays, they seem to prefer having weekends off. The survey revealed that 52% of the respondents tend to work on weekday evenings, but just 15% do their dirty work on weekends.
You can't say that hackers lack confidence in their abilities. Ninety-six percent of the respondents say it doesn't matter how many millions of dollars a company spends on its IT security systems; it's all a waste of time and money if the IT security administrators fail to configure and watch over their firewalls. Eighty-six percent of respondents felt they could successfully hack into a network via the firewall; a quarter believed they could do so within minutes, and 14% within a few hours. Sixteen percent wouldn't hack into a firewall even if they could.
Are your firewalls vulnerable? Hamelin offers his best practices tips for reducing the risk of a hacking incident hitting your organization.
Document all firewall rule changes.
While this tip sounds like a no-brainer, firewalls do not have a change management process built into them, so documenting changes has never become a best (or even a standard) practice for many organizations. If a firewall administrator makes a change because of an emergency or some other form of business disruption, chances are he is under the gun to make it happen as quickly as possible, and process goes out the window. But what if this change cancels out a prior policy change, resulting in downtime? This is a fairly common occurrence.
Firewall management products provide a central dashboard that provides full visibility into all firewall rule bases, so all members of the team have a common view and can see who made what change, when they made it and from where. This makes troubleshooting and overall policy management much easier and more efficient.
Install all access rules with minimal access rights.
Another common security issue is overly permissive rules. A firewall rule is made up of three fields: source (IP address), destination (network/subnet) and service (application or other destination). In order to ensure there are enough open ports for everyone to access the systems they need, common practice has been to assign a wide range of objects in one or more of those fields. When you allow a wide range of IP addresses to access a large group's networks for the sake of business continuity, these rules become overly permissive, and as a result, insecure. A rule where the service field is 'ANY' opens up 65,535 TCP ports. Did the firewall administrator really mean to open up 65,535 attack vectors for hackers?
Verify every firewall change against compliance policies and change requests.
In firewall operations, daily life centers around finding problems, fixing problems and installing new systems. In the cycle of installing new firewall rules to solve problems and enable new products and business units, we often forget that the firewall is also the physical implementation of the corporate security policy. Every rule should be reviewed to understand that it meets the spirit and intent of the security policy and any compliance policies, not just the letter of the law.
Remove unused rules from the firewall rule bases when services are decommissioned.
"Rule bloat" is a very common occurrence with firewalls because most operations teams have no process for deleting rules. Business units are great at letting you know they need new rules, but they never let the firewall team know they no longer need a service. Getting into the loop on server and network decommissioning as well as application upgrade cycles is a good start for understanding when rules need to come out. Running reports on unused rules is another step. Hackers like the fact that firewall teams never remove rules. In fact, this is how many compromises occur.
Perform a complete firewall review at least twice per year.
If you are a merchant with significant credit card activity, then this one is not just a best practice but a requirement; PCI requirement 1.1.6 calls for reviews at least every six months.
Firewall reviews also are a critical part of the maintenance of your firewall rule base. Your networks and services are not static so your firewall rule base should not be either. As corporate policies evolve and compliance standards change, you need to review how you are enforcing traffic on the firewalls. This is a good place to clean up all those redundant rules that have been replaced by new rules, rules for services no longer used that you were not informed about, and all those temporary exceptions that were added to get projects, acquisitions, mergers and so on finished. The best way to keep bad things from happening is to not create an environment where they can.
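The checks behind tips 2, 4 and 5 (overly permissive 'ANY' rules, rules that no longer match anything, and redundant rules that a review should clean up) can be automated over an exported rule base. The following is an added example written for this page, not code from Tufin or from any firewall vendor; the rule format, the field names and the sample rule base are constructed for illustration, and the hit counts stand in for whatever your firewall reports per rule since the last review.

```python
"""Rule-base audit helper (added example; not a vendor's product code).

Flags three classes of findings discussed in the article:
  - permissive: ANY in the source, destination or service field,
  - unused:     zero hits since the last review (candidate for removal),
  - shadowed:   fully covered by an earlier, broader rule, so it can never match
                (typical leftover of a 'temporary' exception that was never removed).
The Rule layout and SAMPLE_RULES below are constructed and IPv4-only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    rule_id: int
    src: str       # CIDR or "ANY"
    dst: str       # CIDR or "ANY"
    service: str   # "tcp/443", "tcp/1-65535", "udp/53" or "ANY"
    action: str    # "allow" or "deny"
    hits: int      # matches since the last review (constructed values)
    owner: str     # requester from the change record (constructed)


def _net(field: str) -> ipaddress.IPv4Network:
    """Map ANY to 0.0.0.0/0 so containment tests treat it as the widest range."""
    if field.upper() == "ANY":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(field, strict=False)


def _ports(service: str) -> Tuple[str, int, int]:
    """Return (protocol, low_port, high_port); ANY covers every protocol and port."""
    if service.upper() == "ANY":
        return ("any", 1, 65535)
    proto, rng = service.split("/")
    lo, _, hi = rng.partition("-")
    return (proto.lower(), int(lo), int(hi or lo))


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if `broad` would match every packet that `narrow` would match."""
    bp, npt = _ports(broad.service), _ports(narrow.service)
    proto_ok = bp[0] == "any" or bp[0] == npt[0]
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and proto_ok and bp[1] <= npt[1] and npt[2] <= bp[2])


def audit(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule_id, category, detail) findings in rule-base order."""
    findings = []
    for i, r in enumerate(rules):
        wide = [f for f in ("src", "dst", "service") if getattr(r, f).upper() == "ANY"]
        if wide:
            findings.append((r.rule_id, "permissive", "ANY in " + ", ".join(wide)))
        if r.hits == 0:
            findings.append((r.rule_id, "unused", "no hits since last review"))
        # First-match semantics: an earlier rule that covers this one hides it entirely.
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append((r.rule_id, "shadowed",
                                 f"never reached; covered by rule {earlier.rule_id}"))
                break
    return findings


# Constructed sample rule base for the demonstration.
SAMPLE_RULES = [
    Rule(1, "10.0.0.0/8",   "10.50.0.0/16",   "tcp/443",  "allow", 120453, "web-team"),
    Rule(2, "ANY",          "10.50.0.0/16",   "ANY",      "allow", 9812,   "temp-migration"),
    Rule(3, "10.1.0.0/16",  "10.50.10.0/24",  "tcp/80",   "allow", 0,      "legacy-app"),
    Rule(4, "10.2.0.0/24",  "10.60.0.0/16",   "tcp/1433", "allow", 0,      "decommissioned-db"),
    Rule(5, "10.3.0.0/24",  "10.70.0.0/16",   "udp/53",   "allow", 5543,   "dns"),
]

if __name__ == "__main__":
    for rule_id, category, detail in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {category:10s} {detail}")
```

Run against the sample, the audit reports rule 2 as permissive (ANY source and service), rules 3 and 4 as unused, and rule 3 as shadowed by rule 2. Each finding carries the owner recorded at change time, which is exactly the information tip 1 argues for keeping: without it, the reviewer has nobody to ask whether "temp-migration" is still needed. The shadow check is deliberately conservative (it reports only rules that are completely covered by one earlier rule), so partially overlapping rules still need a human review.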
