Firewalls in 2020: Tension Between Complexity and Policy

FireMon’s sixth annual State of the Firewall Report reveals a segment of IT management and security that’s feeling the impact of hybrid cloud architectures. It finds, for example, that 60% of enterprises have firewalls deployed in the cloud, but only 30% have at least 80% real-time visibility into network security risks and policy compliance. The report also reveals the scale of the workload, with 30% of respondents tasked with managing more than 100 firewalls—and more than 50% are dealing with three or more vendor solutions to enforce policies at the endpoint.


As the report shows, firewall management is challenging, and still of very high importance for security. Ninety-five percent of respondents said that the firewall will be as critical or more critical as it is now in the next five years. The stakes are high, too, with Gartner observing that firewall misconfigurations are increasing. The analyst firm projects that 99% of all firewall breaches will be caused by firewall misconfigurations through 2023.

The implications of these numbers are serious. Some of the worst data breaches arise from firewall misconfigurations, especially in the cloud. The report cites the recent Facebook episode, where 540 million data records were discovered in a misconfigured Amazon S3 bucket in the public cloud.

Looking at these findings in aggregate, one can imagine the stress experienced by firewall admins. The findings underscore the risks that arise from excessive reliance on people to manage such a complex environment. Human error is a major cause of risk exposure. In Australia, for example, government data holds that 41% of data breaches are caused by human error.


The FireMon report highlights the potential for human error by stating that 72% of respondents have two or more teams involved in processing or approving a configuration change. This is a recipe for misconfiguration and resulting exposure. As Tim Woods, FireMon’s VP for technology alliances, put it, “The misconfiguration of a firewall is typically the result of human error.” On the incident response side, human involvement (and error) is also problematic. Thirty-eight percent rely on text messages or phone calls for notification about configuration errors. Twelve percent said they simply don’t know at all if there is a configuration error.

“Human error is a huge problem, as the data show,” Woods added. “However, it’s even worse than it looks, because there’s a serious shortage of human beings in the field. With the rapid evolution of technology, IT staffing issues and policy complexity, a configuration error is the easiest to exploit in cyberattacks.”


To this point, the report cites findings from InfoSec Institute, which holds that the shortage of cybersecurity professionals has grown to nearly three million globally. There are almost half a million security job openings in North America. Yet, according to a report from ESG, 51% of organizations currently believe they have a “problematic shortage” of cybersecurity skills.

The issue could be worse still, as Woods warned. “Hackers may be testing even more creative means to access networks,” he said. “By physically soldering spy chips into boards and acting as ‘fake’ administrators, cybercriminals could cause misconfigurations to infiltrate systems.” The implanted spy chip risk may seem overblown, but the potential for malicious behavior is more deeply rooted than many people may think.

It’s one thing for a hacker to somehow gain physical access to a facility and solder chips onto equipment that’s in production. However, the manufacturer could also install malicious hardware at the factory. For instance, as Bloomberg reported last year, Chinese hackers were accused of installing a tiny chip on Supermicro motherboards in servers used by major tech companies such as Apple and Amazon. This risk was identified by Monta Elkins, a cybersecurity researcher at FoxGuard. He recently warned that bad actors can plant tiny malicious chips in popular hardware products to create a hard-change on a firewall’s configuration. This would allow remote access and disable security without IT admins noticing.


Woods is also concerned about this risk, though he noted, “While an attack of this nature is highly unlikely as physical security access is typically well-observed, businesses can take a few steps to protect themselves.” These include:

  • Physically securing and containing the equipment in wire cages or with other barriers at co-location data centers.
  • Taking further steps for the case where the attacker is a trusted insider with physical access to the equipment, e.g. granting access only through multiple security credentials. This might take the form of requiring a VPN to connect to the organization’s network and having separate credentials for distinct administrative tasks.
  • Automatically disabling serial access ports when lights-out management (LOM) is not being utilized in the cloud.

Firewall management will continue to be a significant front in the defense of digital assets. With a deficit of human talent available, the appeal of automation grows accordingly. Adding automated firewall administration is probably a wise move at this point. The threats and people shortage aren’t likely to improve any time soon.
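As an added illustration of the kind of automated check the article points toward (example code written for this page, not FireMon’s or any vendor’s tool), the script below diffs a running iptables-save style rule set against the approved baseline and flags any added rule that opens a remote-administration port without a source restriction, which is exactly the unnoticed “hard-change” described above. Both rule sets are constructed samples, and the admin-port list is an assumption.

```python
import re

# Constructed sample: the rule set approved through the change-control process.
APPROVED_BASELINE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.20.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the rule set actually running. The SSH rule lost its
# management-subnet restriction and an RDP rule appeared with no approval.
RUNNING_CONFIG = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
COMMIT
"""

ADMIN_PORTS = {22, 23, 3389, 5900}  # assumed remote-administration services

def rules(config: str) -> set[str]:
    """Return the -A rule lines, ignoring table headers, chain policies and COMMIT."""
    return {line.strip() for line in config.splitlines() if line.startswith("-A ")}

def exposes_admin_port(rule: str) -> bool:
    """True for an ACCEPT rule on an admin port that has no -s source restriction."""
    port = re.search(r"--dport (\d+)", rule)
    return (rule.endswith("-j ACCEPT") and port is not None
            and int(port.group(1)) in ADMIN_PORTS and " -s " not in rule)

def audit(baseline: str, running: str) -> dict:
    """Diff the running rules against the baseline and flag risky additions."""
    added = sorted(rules(running) - rules(baseline))
    removed = sorted(rules(baseline) - rules(running))
    return {
        "drifted": bool(added or removed),   # any change outside the approved set
        "added": added,
        "removed": removed,
        "high_risk": [r for r in added if exposes_admin_port(r)],
    }
```

Run from a scheduler against the live ruleset, a non-empty `high_risk` list is the signal to page the team rather than wait for a phone call.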
