Network firewalls are one of the mainstay security controls that organizations rely on to protect their networks. These sentinels stand guard at the network perimeter and screen the packets entering and leaving organizations for violations of carefully crafted security policies.
Unlike a human sentinel, network firewalls can’t make judgments. They can act only upon a carefully designed set of rules, crafted by people to instruct the firewall on how to react in any given set of circumstances.
The rules that firewalls rely on are quite complex, which means they are vulnerable to human error and require periodic maintenance. Failure to detect errors or maintain firewall rulebases can degrade firewall performance and create significant security vulnerabilities that allow unintended access to sensitive information. In addition to managing firewall rules, administrators should pay careful attention to firewall logs.
One of the most important administrative tasks that firewall administrators should perform is monitoring the rulebase for unintended errors. Some of these are simply typographic errors while others may result from changing business requirements that are not reflected in corresponding updates to firewall rules.
There are three common errors to watch for when performing a review of firewall rules:
Orphaned rules: Rules that once allowed access to resources in support of business requirements, but which have become unnecessary because of a change in requirements or technical implementation, are known as orphaned rules.
For example, when a system is decommissioned from a data center and the corresponding rules are not removed from the rulebase, those rules become orphaned. Orphaned rules may present a security risk if the IP address associated with an orphaned rule is reused, granting unintended access to the target system. They also add to the complexity of a firewall rule set and degrade device performance.
Shadowed rules: These are rules that will never be executed because of improper rulebase design. Shadowed rules are a function of the top-down nature of firewall rules. When a firewall evaluates whether to permit or deny a connection, it begins at the top of the rulebase and then works its way down, comparing the connection characteristics to the rules until it finds a match.
A shadowed rule occurs when a general rule precedes a specific one. For example, if a rulebase contains a rule that says “Allow all outbound web traffic” and then later includes a second rule with lower priority that reads “Deny all outbound access to Facebook,” the second rule will never be executed. When the firewall evaluates a user request to visit Facebook, it finds the first matching rule (“Allow all outbound web traffic”) and takes action based upon that. The firewall will never encounter the rule prohibiting Facebook access.
Erroneous rules: These result from either typographical or specification errors. Because of poor design or user input error, these rules do not accurately implement desired business rules.
An example of an erroneous rule would be one that specifies an incorrect IP address for a web server hosted behind a firewall, preventing user requests from reaching their intended target.
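The shadowed-rule case above comes down to a mechanical check: because the firewall evaluates rules top-down and stops at the first match, a rule can never fire if some earlier rule already matches every packet it would match. The script below is an added example (not code from the original article) that runs that check over a small constructed rulebase. The rule format is a simplified one assumed for illustration (action, protocol, source and destination CIDR, inclusive destination port range), and the address ranges are constructed placeholders, including the one standing in for a social-media site's range.

```python
"""Added example: detect shadowed rules in a first-match firewall rulebase.

The Rule format here is a constructed simplification, not any vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive destination port range


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def covers(general: Rule, specific: Rule) -> bool:
    """True if every packet matched by `specific` is also matched by `general`."""
    proto_ok = general.proto == "any" or general.proto == specific.proto
    try:
        src_ok = _net(specific.src).subnet_of(_net(general.src))
        dst_ok = _net(specific.dst).subnet_of(_net(general.dst))
    except TypeError:      # mixed IPv4/IPv6 rules can never cover each other
        return False
    ports_ok = (general.ports[0] <= specific.ports[0]
                and specific.ports[1] <= general.ports[1])
    return proto_ok and src_ok and dst_ok and ports_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs.

    Evaluation is top-down, first match wins, so a rule is shadowed when an
    earlier rule fully covers its match space. The actions do not matter:
    the later rule is unreachable whether it allows or denies.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed sample rulebase. 203.0.113.0/24 is a documentation range used
# here as a placeholder for a social-media site's addresses.
SAMPLE_RULEBASE = [
    Rule("allow-web-out",   "allow", "tcp", "10.0.0.0/8",   "0.0.0.0/0",      (80, 443)),
    Rule("deny-facebook",   "deny",  "tcp", "10.0.0.0/8",   "203.0.113.0/24", (443, 443)),
    Rule("allow-dns-out",   "allow", "udp", "10.0.0.0/8",   "0.0.0.0/0",      (53, 53)),
    Rule("deny-ssh-all",    "deny",  "tcp", "10.0.0.0/8",   "10.2.0.0/16",    (22, 22)),
    Rule("allow-ssh-admin", "allow", "tcp", "10.1.1.0/24",  "10.2.0.0/16",    (22, 22)),
    Rule("deny-telnet-in",  "deny",  "tcp", "0.0.0.0/0",    "10.0.0.0/8",     (23, 23)),
]

if __name__ == "__main__":
    for victim, culprit in find_shadowed(SAMPLE_RULEBASE):
        print(f"rule '{victim}' can never match: shadowed by earlier rule '{culprit}'")
```

Run against the sample, the check reports the article's own case (`deny-facebook` is unreachable behind `allow-web-out`) and a second one where an intended admin exception is placed after the broad deny that swallows it; fixing either is a matter of moving the specific rule above the general one. The check only finds a rule hidden by a single earlier rule; a rule whose match space is covered only by the union of several earlier rules is not reported, so treat a clean result as a starting point for the manual review, not a substitute for it.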
Preventing and detecting firewall rulebase errors is an often overlooked task, but should be a regular part of any firewall maintenance program. Over time, the accumulation of errors can pose a significant risk to an organization’s network security and reduce the reliability of network service. Many organizations combat this by conducting regular firewall rule audits and managing firewall rulebases through a rigorous change management process.
The network firewall has a unique perspective on an organization’s network infrastructure. It serves as the gatekeeper to the enterprise network and has visibility into every connection crossing the network perimeter, as well as those that are blocked. The logs that the firewall creates as it manages access to the enterprise network can be an invaluable source of information to both networking and security professionals.
Before making use of firewall logs, ensure that the firewall is configured to log appropriate activity and, preferably, to transmit it to a secure log server for archiving. Start by logging all firewall activity, including permitted and blocked connections as well as administrative log entries from the firewall itself.
The accumulated log entries are a valuable reference for analyzing past network traffic. Use them to reconstruct activity in the wake of a potential security breach or to diagnose a network connectivity issue by analyzing whether traffic reached the firewall. In addition to this reactive monitoring, also consider using the firewall as a proactive monitoring tool that can alert administrators immediately if any of the following occur:
The alerting rules you design should be specific to your technical architecture and should reflect your unique operating environment.
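As an added example of the reactive use described above (not code from the original article), the script below parses a few constructed firewall log lines in a generic key=value syslog-like layout, which is an assumption for illustration and not any vendor's exact format. It covers the two uses the text names: tracing whether a given connection ever reached the firewall and what was done with it, and reconstructing activity after the fact by summarising actions and blocked sources. It also keeps the firewall's own administrative entries, since the text recommends logging those alongside permitted and blocked connections.

```python
"""Added example: parse constructed firewall log lines and answer the questions
an administrator asks during a connectivity diagnosis or a post-incident review.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log. Addresses are documentation ranges; the format is a
# generic syslog-style prefix followed by key=value pairs (an assumption here).
SAMPLE_LOG = """\
Mar 03 09:14:02 fw01 kernel: action=ACCEPT proto=tcp src=10.1.5.20 dst=203.0.113.8 dport=443
Mar 03 09:14:05 fw01 kernel: action=DROP proto=tcp src=198.51.100.77 dst=10.1.5.20 dport=23
Mar 03 09:14:09 fw01 kernel: action=DROP proto=tcp src=198.51.100.77 dst=10.1.5.21 dport=23
Mar 03 09:15:11 fw01 kernel: action=ACCEPT proto=udp src=10.1.5.20 dst=10.0.0.53 dport=53
Mar 03 09:16:40 fw01 kernel: action=DROP proto=tcp src=10.1.5.30 dst=10.2.8.10 dport=22
Mar 03 09:17:02 fw01 admin: user=jsmith event=rulebase_change rule=allow-ssh-admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$"
)


@dataclass
class Entry:
    ts: str
    host: str
    facility: str        # "kernel" for traffic decisions, "admin" for firewall admin events
    fields: Dict[str, str]


def parse_log(text: str) -> List[Entry]:
    """Parse log text into entries; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        entries.append(Entry(m.group("ts"), m.group("host"), m.group("facility"), fields))
    return entries


def trace(entries: List[Entry], src: str, dst: str, dport: int) -> List[Tuple[str, str]]:
    """Connectivity diagnosis: did traffic from src to dst:dport reach the firewall,
    and what action was taken? An empty result means it never arrived here."""
    return [
        (e.ts, e.fields["action"])
        for e in entries
        if e.fields.get("src") == src
        and e.fields.get("dst") == dst
        and e.fields.get("dport") == str(dport)
    ]


def action_summary(entries: List[Entry]) -> Counter:
    """How much traffic was permitted versus blocked over the logged period."""
    return Counter(e.fields["action"] for e in entries if "action" in e.fields)


def blocked_by_source(entries: List[Entry]) -> Counter:
    """Blocked connection attempts per source address, for post-incident reconstruction."""
    return Counter(e.fields["src"] for e in entries if e.fields.get("action") == "DROP")


def admin_events(entries: List[Entry]) -> List[Dict[str, str]]:
    """The firewall's own administrative entries, e.g. rulebase changes."""
    return [e.fields for e in entries if e.facility == "admin"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("10.1.5.30 -> 10.2.8.10:22:", trace(log, "10.1.5.30", "10.2.8.10", 22))
    print("actions:", dict(action_summary(log)))
    print("blocked by source:", dict(blocked_by_source(log)))
    print("admin events:", admin_events(log))
```

In the sample, the trace for `10.1.5.30 -> 10.2.8.10:22` shows the packet arrived and was dropped, so the fault is in the rulebase rather than the path; a trace that returns nothing tells the administrator to look upstream of the firewall instead. The admin entry ties the log back to change management: a rulebase change recorded next to the traffic it affected is what makes an after-the-fact review possible.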
Stateful inspection technology has been in use for over a decade now and has stood the test of time. Firewalls using this technology analyze network packets to determine whether the source and destination addresses (along with other connection characteristics) match the rules that define permitted traffic on the organization’s network.
Recent advances in firewall technology allow much more sophisticated security control. Specifically, application inspection technology allows the firewall to peer inside the content of packets to identify those with malicious intent. If you haven’t done so recently, this is an excellent time to look at the features offered by your firewall platform (including software updates) to determine if any new features have a role in your environment.
Companies depend upon their firewalls every day to keep their networks secure, but IT staff must not become complacent about the routine function firewalls play in the infrastructure. Through a combination of firewall rulebase monitoring, log analysis and feature upgrades, the firewall will continue to play an important role in protecting networks from attack for many years to come.