Tufin, a “Security LifeCycle Management solutions company” claim that with effective Firewall change management a business could reduce the cost of its Firewall management by 50%.
Tufin use research from Frost and Sullivan to support their claim.
Frost & Sullivan reports that “The process of implementing a change request to a firewall is a combination of many tasks that are in most cases manual, unclear and time-consuming. [Tufin] SecureChange TM Workflow automates the request process, substantially reducing the overall IT costs associated with change requests by half annually.”
What is undeniable is the need for effective change management processes and controls for Firewalls if a Firewall, or any other security solution, is to remain efficient and secure.
Firewall change management is a mandated requirement in several legislative and compliance standards, for example the Payment Card Industry Data Security Standard (PCIDSS) has a list of specific controls that should be in place and should be provable, a sample list from the standard is below:
1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:
1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
1.1.2.b Verify that the diagram is kept current.
1.1.3.a Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
1.1.3.b Verify that the current network diagram is consistent with the firewall configuration standards
1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.
1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.
1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:
1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
1.2.3 Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
1.3 Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—to determine that there is no direct access between the Internet and system components in the internal cardholder network segment
1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)
1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s network, have personal firewall software installed and active.
1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by users of mobile and/or employee-owned computers.
6.6 For public-facing web applications, ensure that either one of the following methods are in place as follows:
- Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
- Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
The day to day operation of a business can mean “quick changes” are made to firewalls and other security solutions and are not be recorded but could significantly impact on the businesses security level and the organisation’s ability to maintain compliance.
A spreadsheet could be an answer but configuration changes often involve several tasks, for example testing the change prior to going live. Changes across multiple devices may involve several people as security devices need highly skilled security professionals to manage them. Without an effective process or solution an organisation could be wasting the time of expensive resources and may incur unexpected and costly downtime.
To meet these challenges in a cost-effective manner, Tufin recommends that organizations need to extend IT automation into the domain of network security configuration. Automating the security change lifecycle can help companies to:
- Improve network security and uptime
- Enforce corporate governance
- Manage risk effectively and proactively
- Increase operational efficiency
- Comply with industry and regulatory standards
- Audit security infrastructure quickly and accurately
- Improve service levels
Tufin believe the key to effective security change automation solution is a combination of both workflow and security technologies. Generic ticketing and helpdesk systems can route requests to security administrators, but since they have a limited understanding of security processes and compliance policies, they cannot automate and enhance each of the stages in a configuration change, from request and design, through implementation and auditing. A comprehensive security change automation solution will work either alone, or in concert with a standard ticketing system, to provide:
- Multiple, customizable change workflows tightly coupled with security and network infrastructure, directory services and compliance policies
- Automated, proactive risk and compliance analysis as an integral part of the change process
- Configuration change advisory and automatic verification to reduce the risk of errors and shorten ticket resolution time
- Separation of duties and enforcement of IT governance
- A comprehensive audit trail with integrated reporting
- SLAtracking and high-level monitoring tools to ensure continuous improvement
The security change lifecycle represents a holistic view of an organization’s security configuration change processes.
A typical security change lifecycle could include the following stages:
Request: A business user requests a service, most commonly access to an application or network, or IT requests connectivity changes for a new or modified server or application.
Business Approval: The request is sent for approval to an IT manager to ensure that it is justified.
Technical Design: An engineer translates the request from its business context into a specific implementation plan on the affected firewalls or devices.
Risk Analysis: A security manager performs risk analysis and checks the change for compliance.
Implementation: The change is actually implemented on the network infrastructure by one or more administrators.
Verification: The user checks that his/her request has been fulfilled. At this stage, a manager can also verify that the implementation was in accordance with the approved design.
Audit: Periodically, all changes must be audited in order to demonstrate sufficient security levels and compliance with standards.
Other firewall solutions are available from companies like Firemon and many Firewall vendors have introduced their own solutions for example Check Point.
Download the Tufin White Paper here.