We recently blogged about some of the steps security teams can take to tidy up their firewall rules: removing duplicates, tightening overly permissive rules and removing redundant rules. Why not let a Network Security Policy Manager (NSPM) do that for you? You have nothing to lose but risk to the business.
The benefits of an NSPM solution don’t stop there. They also extend to identifying and addressing policy and configuration errors that creep into firewall rule sets. Let’s take a look at some of the potential errors that put your security estate at risk and how a good NSPM solution prevents them from hurting your business.
Catching undefined policy configurations
It’s really easy to configure firewalls without defined policies, allowing traffic from any source to any destination. At application-deployment time, if IT is still unsure of the application’s precise requirements, they naturally opt to start with broad rules. The application will run and IT can amend the rules in the future as requirements become clearer. In practice, that perfect future doesn’t arrive; firewall managers are busy people. They have no time to address a security issue that might not arise. After all, the application is working. Why rock the boat? But undefined firewall policies can sink ships by leaving the network in an exposed state.
A Network Security Policy Manager will automatically catch and flag undefined firewall policies and provide insight into application usage trends. With this information, the security team can quickly address the undefined policy to provide the necessary level of security while ensuring that the application runs uninterrupted.
Lost in translation
Today, most organizations work in a mixed security environment that supports both traditional and next-generation firewalls, often obtained from a range of vendors. Managing this mix leads to mistranslation, because each generation of firewalls, not to mention each vendor’s products, uses different syntax and semantics for creating and maintaining security policies.
Catastrophic translation errors can occur whenever security teams try to migrate existing firewall policies to new devices. This can lead to an application that has been working well for the last six months suddenly grinding to a screeching halt as a simple translation error between products suddenly blocks crucial traffic. Conversely, another translation error allows new, unwanted traffic that opens the door to the next cyber-attack.
A good NSPM solution automatically prevents translation errors, ensuring that policies are applied correctly and consistently across all security devices. With the NSPM, the entire estate of firewalls understands and responds properly to security requirements, ensuring that network traffic moves securely, even across on-premise and cloud infrastructures.
Most firewalls apply their rules in the order in which the rules are listed: upon receiving a flow of traffic, the firewall starts at the top of the list and works down until it reaches a rule that tells it to block that traffic. If no such rule is found, the traffic is allowed to pass through.
While this approach works, it does nothing to optimize the performance of the network device or of the applications that rely on the traffic flow. Changing the order of the very same rules can radically alter the performance of the firewall. For example, moving the rules that are matched most often toward the top of the list reduces the number of rules the device has to evaluate for each flow and so speeds up processing.
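As an added illustration (not code from the original post), the following Python sketch models the first-match evaluation and the any-to-any rules described above: it flags undefined allow rules, reorders rules by hit count while refusing to move a rule past an overlapping rule with a different action, and compares the hit-weighted number of rules evaluated before and after. All rule names, addresses and hit counts are constructed.

```python
# Added example (not code from the original post): a first-match rule model that flags
# undefined any-to-any allow rules and reorders rules by hit count without letting an
# overlapping rule with a different action change which rule wins. All data is constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# src/dst are ip_network objects, action is "allow" or "deny", hits comes from firewall logs
Rule = namedtuple("Rule", "name src dst action hits")

def first_match(rules, src_ip, dst_ip):
    """Return the first rule whose source and destination contain the flow, else None."""
    return next((r for r in rules if src_ip in r.src and dst_ip in r.dst), None)

def undefined_rules(rules):
    """Names of allow rules that accept traffic from any source to any destination."""
    return [r.name for r in rules if r.action == "allow" and r.src == ANY and r.dst == ANY]

def conflicts(a, b):
    """Two rules conflict if they can match the same flow but decide differently."""
    return a.action != b.action and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)

def safe_reorder(rules):
    """Insertion sort by descending hits; a rule never moves past a conflicting one."""
    out = []
    for r in rules:
        pos = len(out)
        while pos > 0 and out[pos - 1].hits < r.hits and not conflicts(out[pos - 1], r):
            pos -= 1
        out.insert(pos, r)
    return out

def avg_rules_checked(rules):
    """Hit-weighted average number of rules the firewall evaluates per matching flow."""
    total = sum(r.hits for r in rules)
    return sum((i + 1) * r.hits for i, r in enumerate(rules)) / total

def same_decisions(a, b, flows):
    """True if both orderings select the same rule object for every (src, dst) flow."""
    return all(first_match(a, s, d) is first_match(b, s, d) for s, d in flows)

RULES = [  # constructed rule set, in the order the administrator wrote it
    Rule("mgmt-deny", ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24"), "deny", 5),
    Rule("web", ANY, ip_network("192.168.1.0/24"), "allow", 900),
    Rule("dns", ip_network("10.0.0.0/8"), ip_network("172.16.0.53/32"), "allow", 1200),
    Rule("catch-all", ANY, ANY, "allow", 50),
]
FLOWS = [(ip_address("10.1.1.1"), ip_address("192.168.1.10")),     # decided by mgmt-deny
         (ip_address("10.1.1.1"), ip_address("172.16.0.53")),      # decided by dns
         (ip_address("203.0.113.9"), ip_address("192.168.1.10"))]  # decided by web
```

A plain sort by hit count alone would lift `web` above `mgmt-deny` and silently allow the management traffic that rule was written to block, which is why reordering must be checked for overlapping rules with different actions.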
An NSPM solution automatically optimizes the firewall ruleset, ensuring that new rules are optimally implemented while consolidating and reordering existing rules. The best of these solutions directly associate network security with critical applications and processes to provide business-context visibility and intelligence, making security management actions subject to and supportive of critical processes that drive the business.
What about the situation where services remain enabled on the firewall when they no longer need to be there? Take, for example, dynamic routing, which, as a best practice, should not be enabled on security devices. Who prevents that from happening? What about DHCP servers that distribute IPs, sometimes causing IP conflicts that lead to availability problems? An NSPM solution notices these situations and prevents unnecessary services from running on the firewall, hardening devices and ensuring that configurations are compliant at deployment time and onward.
Fixing network-policy configuration errors automatically
With so many policies running on so many different generations and types of firewalls, insertion or removal of critical policies can be forgotten or lost in translation. It is practically impossible to get everything right every time. Consistent, business-driven optimization is even harder. IT and security teams would do well to acquire and rely on an advanced Network Security Policy Manager to help them keep the business running efficiently and securely.