The Firewall Policy Hangover: Alleviating Security Management Migraines

Transcript of The Firewall Policy Hangover: Alleviating Security Management Migraines

The Complex Maze of Network Security Policies

Challenge #1: Manual, Time-Consuming Processes (30%)

Source: State of Network Security, AlgoSec, 2012

Challenge #2: Lack of Visibility into Security Policies (22%)

Challenge #3: Poor Change Management Processes (16%)

Complexity Increases Misconfiguration Risk

Firewall risk survey

Risk versus complexity

42%

Small is Beautiful

Firewalls are Misconfigured

Source: Firewall Configuration Errors Revisited, Avishai Wool

Fast & Furious Firewall Changes… Can You Keep Up?

• 20-30% of changes are unneeded

• 5% implemented incorrectly

An Out-of-Process Change Has Led to…

[Bar chart: percentage of respondents per outcome. Categories: Data breach, System outage, Failing an audit, None of the above]

Source: State of Network Security, AlgoSec, 2012

More than 50% of respondents said out-of-band changes cause a system outage

New Technologies Add to the Complexity

• Virtualization of the Data Center

• Next-Generation Firewalls

Why Next-Generation Firewalls?

Traditional firewalls cannot tell the difference between different… and

Better Security… At a Price

76% of respondents said NGFWs increase burden of managing firewall policies

• We have a centralized-management solution and/or process

• We have to manage NGFW policies separately from traditional firewall policies

• The additional controls of NGFWs create additional policies that must be managed

• The added policy granularity requires more info to gather for audits

Source: State of Network Security, AlgoSec, 2012

NGFW Policy Considerations

• Whitelisting: More secure, BUT… more work

• Blacklisting: Less overhead & disruption, BUT… less secure

Whitelisting vs. blacklisting… or both!

The AlgoSec Security Management Suite (SMS)

Business Impact

• 60% reduction in change management costs

• 80% reduction in firewall auditing costs

• Improved security posture

• Improved troubleshooting and network availability

• Improved organizational alignment and accountability

Best Practices to Alleviate the Firewall Policy Management Migraine

Complex, Highly Segmented Network Environment

• Network has Evolved Over 20 Years

• Third-party domains

• Business-to-business connections

• More than 1,000 policy enforcement points

• Mergers and Acquisitions

• Aggressive consolidation

• Firewall Estate Growing in Size and Complexity

• Demonstrate firewall rules are still valid and authorized

• Ensure new rules are not allowed unless approved and authorized

• Technology landscape has shifted

• Web-everything – lack of consistency

How Has BT Overcome these Challenges?

• Identified and Prioritized Criteria for Off-the-Shelf, Automated Firewall Policy Management Solution

• Total Cost of Ownership

• Roadmap of features aligned to technology strategy

• Engagement - Willingness to Partner with BT

• Improved Network Security Visibility and Control

• Track down rogue connectivity or connectivity that was not understood

• Gain an immediate view of high-risk situations

• Reduce cycle-time and error rates

• Improve rule base implementation process

• Simplify audits through automatically generated compliance reports

• ‘Checks and Balances’ to demonstrate control

Lessons Learned and Recommendations

• Gain Control - complexity leads to weakness and cost

• Stale Process drives poor behavior

• Consider the culture of the company

• Easy to grow the rule base – much harder to shrink it

• Human error is a significant risk and cost

• Risk and compliance reporting to focus attention

• Leverage value from the toolset

• Utilize automation and control to improve security, not just cut cost

Summary

Q&A and Additional Resources

• 2012 State of Network Security – Report http://www.algosec.com/en/resources/network_security_2012

• Firewall Configuration Errors Revisited (Research by Prof. Avishai Wool) http://arxiv.org/abs/0911.1240

• Firewall Management ROI Calculator http://www.algosec.com/resources/roi_calculator/

• Evaluate the AlgoSec Security Management Suite AlgoSec.com/eval