The Overlooked Costs and Risks of Firewalls

Transcription

1 The Overlooked Costs and Risks of Firewalls

2 INTRODUCTION In 2016, almost 3,000,000 new firewalls were sold. Firewalls are a given component in every network. The firewall is a system deployed to protect our data and prevent unauthorized access. The latest Gartner Magic Quadrant report lists 16 vendors in the enterprise market. Many large vendors did not make Gartner s list and many, many more mid-tier vendors are selling firewalls at historic levels. As the security threats continue to grow, there is no reason to expect the number of firewalls to decrease. THE PROBLEM Deploying the firewall in its purest form means no traffic goes in or out. Once the firewall is deployed, the first thing that happens is deciding what data is allowed to pass. That balance of what to allow in and out is the ongoing battle of risk versus accessibility. One highly contested area is network and operations management. Global IT networks are managed by applications such as SolarWinds, OpenView NNMi, NeuralStar, Splunk, LogRhythm, Cisco ACS, etc. The underlying protocols of these applications are SNMP, ICMP, Syslog, Netflow, TACACS+, and many others. These protocols were never designed to be secure. They do the heavy lifting that most IT professionals and users never see. They are the tools of global network and security professionals. They are highly standardized and utilized by thousands of companies and IT professionals. This unseen battlefield has other players. We have discussed firewalls and the management applications, with their underlying, non-secure protocols. Next on the field are the humans. On one end you have security professionals (Information Assurance) tasked with keeping the castle protected. On the other side of the field is the operations team whose job is to keep everything up and running. These industry standard protocols keep security professionals up at night. Based on known vulnerabilities and best practices, many requests for valid firewall access is denied. When security says no, operations is blind to the DMZ or devices on the dark side of the firewall. Both sides have valid requirements. It is time to compromise. The Overlooked Costs and Risks of Firewalls Page 1

3 OPTIONS VPN Opening port(s) for management traffic via a VPN is better than being blind, but it has limitations and caveats. In terms of traffic flows and devices, the VPN works for small environments. In most cases it is not a cost-effective solution. VLAN/Management LAN This solution scales better than VPN, but as things get larger, the human labor to configure and deploy devices grows exponentially. This solution scales better than a VPN, but it has the same list of vulnerabilities and caveats. Firewall Rules and Ports If there is an industry winner, it is this option. To say it is a winner, is a stretch. It is an unhappy compromise between security and operations. Depending on the size of the organization and the change control process, every firewall rule or change requires 100s to 1000s of labor hours. For every port you open, you increase you attack surface. For every open port, there are rules to be documented and audited. This option is an unhappy marriage between security and operations, but it is the default choice. Fallacies (the PINK elephant in the room) For the options one and two above, there are two factors that are easily overlooked. First, the solutions are considered cheap and quick. The initial cost is cheap, but the labor for initial configuration and ongoing complexity for the down-stream devices is expensive in time and labor. Large environments require extensive labor which brings into play human error. The second assumption, that this solution is secure, is flawed. There is NO inspection or validation of data. If an attacker penetrates this solution, they have an open door to your network, as if the firewall did not exist. With a solution based on firewall rules, there are several pink elephants in the room: First is the cost (labor and time) of writing firewall rules. Depending on the change control process and business polices, a rule could take 100s to 1000s of hours from request to actual deployment. The Overlooked Costs and Risks of Firewalls Page 2

4 Once a rule is written it will require ongoing documentation, audit, and review. In most cases, once a rule is written it is never removed. Second is constrained access and the resulting incomplete view of the network. Given the burden of the change control process, security operations typically limit the devices and protocols allowed to cross the firewall boundary. Network operations is making business decisions based on incomplete data to minimize security risks. Third is the idea that more firewalls means increased security. We have already established the dominant industry solution is writing firewall rules and opening ports. Each port is another point of vulnerability. The typical firewall looks like a wire mesh gate instead of a steel door. A BETTER MOUSETRAP The Tavve ZoneRanger was originally built for one of the largest US banks to help them securely manage their DMZs (online banking, wealth management, etc.) with HP NNM and SNMP. The ZoneRanger supports all major industry protocols. The ZoneRanger is vendor independent. This independence allows our customers to choose their management applications, firewalls, and end devices from ANY vendor. The ZoneRanger solution consists of two components. The ZoneRanger is a 1U-rackmounted appliance or VMWare virtual appliance on the DMZ (dirty) side of the firewall. On the core (clean) side is the RangerGateway. The RangerGateway and ZoneRanger are connected via a single encrypted port in the firewall. All traffic in either direction is validated and inspected against the applicable RFC. During a deep packet inspection the message is verified. If this is successful, it is rebuilt into a new message before crossing the firewall boundary. The burden of firewall rules and change control are handled in the configuration of the ZoneRanger. Instead of 100s of open firewall ports, the ZoneRanger has a single encrypted port. The typical ROI for the ZoneRanger is measured in months. This is achieved by the following: Labor savings by eliminating the need for management firewall rules. Re-tasking of network and security expertise previously consumed by the change control of writing and maintaining management firewall rules. The Overlooked Costs and Risks of Firewalls Page 3

5 Significant reduction in network management traffic. Intelligent message filtering to efficiently distribute UDP (Syslog, SNMP Traps, Netflow) to an unlimited number of secure destinations. Intelligent UDP message filtering and message de-duplication to reduce the size and operating cost of storage-based management applications (SIEMs). SUMMARY The ZoneRanger will increase your overall security posture. The ZoneRanger will save you money (labor). The ZoneRanger will greatly reduce your change control efforts. The ZoneRanger will give you access to more data. The ZoneRanger will open new options on how you manage across a firewall boundary. GOVERNMENT The ZoneRanger G-Series is a special ZoneRanger built for use within the US government. In 2017, Tavve received FIPS certification for G- Series product. It supports encryption levels and ciphers that are unavailable in the commercial ZoneRanger. The G-Series also supports message rates that are twice the message rates of the standard ZoneRanger. The Department of Defense and the Intelligence Community have special requirements. One unique challenge is how to monitor a low-side network that is technically unreachable from an air-gapped network on the high side. FireCloud is a high-side/low-side extension to the ZoneRanger. FireCloud was developed in partnership with a NATO intelligence agency. For more information about Tavve, the ZoneRanger or any of our related products, contact us at or sales@tavve.com Tavve Software Company. All rights reserved. Tavve, ZoneRanger, ZoneRanger G-Series, Ranger Gateway, and FireCloud are among the trademarks or registered trademarks of the company in the United States and/or other countries. All other trademarks are property of their respective owners. The Overlooked Costs and Risks of Firewalls Page 4