AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


5 Top Firewall-Related Compliance Gaffes


Compliance – it’s that dirty word that any free-thinking IT professional hates to hear. But like it or not, compliance is a reality of doing business today. One of the biggest problems I see with compliance is that it’s treated like a checkbox. Firewall? Check! Access controls? Check! Encryption? Check! And so on. In many cases, the people ticking these boxes are completely disconnected from the actual firewall administration function, and from security altogether. The mode of operation is: so-and-so says the firewall is secure, so we’re good to go. Not so fast – reality’s not that simple!

Regardless of how compliance is perceived and managed in your organization, there’s no doubt that it’s creating a false sense of security among decision makers. Here are five firewall security oversights and gotchas in the context of compliance that you need to be on the lookout for:

  1. It’s documented in our acceptable usage policy, therefore it’s being enforced by the firewall. Reality, however, shows us that we don’t know what we don’t know about our firewall configuration and network usage, much less have control over non-traditional endpoints such as phones, tablets, and home computers. Policy enforcement is often the weakest link in any enterprise security program.
  2. Unique user IDs and passwords are enforced, therefore our firewall management processes meet separation-of-duty requirements. We all know how this works in reality: people are busy, time is of the essence, and changes need to be made. Accounts end up being shared, and one person ends up doing it all.
  3. We’re running our firewalls in a redundant configuration, therefore we meet the specific disaster recovery and/or business continuity requirements. Reality teaches us that many so-called “resilient” configurations aren’t so tough when it comes to true denial-of-service conditions, major environmental disasters, and issues that occur in the cloud.
  4. The network architecture was designed with security in mind, therefore we meet any “best practice” requirements and the auditors/regulators will love it. Reality shows us that even the most seemingly secure network environments can be breached with ease today.
  5. Firewall logging is enabled, therefore we can go back and review what happened if anything occurs (but we’re confident it won’t). Reality teaches us that real-time alerting, blocking, and/or response has to be part of traditional audit logging. Waiting for bad things to happen is not a smart approach to network security management.

In many situations, internal auditors and compliance managers are looking at IT and security staff for assurance that everything is in check on the network. Conversely, IT and security staff often lean on auditors and compliance managers to fill out the compliance paperwork. Yet, when a fresh set of eyes is brought into the organization it’s pretty clear that neither party is truly communicating with one another, and there are big risks that management doesn’t even know about.

So my advice is don’t go through the motions with compliance and assume that all is well simply because the people and paperwork are in place. Minimum standards aren’t enough. Step back and take a fresh look at how compliance and, better yet, security is being managed in the context of your firewalls. I’ll bet you have gaps. Everyone does. Acknowledging the weaknesses and actually doing something about them as they crop up is what will set you apart from the people who assume all is well and end up getting bitten.

Before you go, don’t forget to take the AlgoSec survey on the State of Automation in Security Automation!
