Globalization is the new normal for most organizations today, but it can present some significant challenges – not least when it comes to managing the firewall estate across these large-scale, distributed networks.
A typical multinational corporation headquartered in the US has offices and datacenters in dozens of countries around the globe. Let’s assume the organization takes a proactive, structured and logical approach to cybersecurity, and therefore protects each datacenter with firewalls. Yet all of these firewalls also have to work together cohesively, allowing network traffic to move securely between the international networks and datacenters. How do you manage this?
A matter of time
We blog a great deal about firewall configuration and in particular the change control process – that is, updating firewall rules when an application’s network connectivity requirements change. This post, for example, looks at how to make network security change processes as easy as ordering a burger in your favorite fast food restaurant.
However, in global networks, with applications in different countries that need to communicate and share information, this gets a little more complicated. Imagine one common scenario – you’ve deployed a new application across your global network, so you need to implement firewall policy changes in multiple countries. While the policy change in itself is easy enough to make, the question becomes – when exactly should you make it?
For many large organizations, policy changes are limited to specific change control windows, in order to mitigate the risk of operational downtime for core applications, or of configuration mistakes. Firewall policy changes therefore usually take place overnight or at the weekend – outside high-risk hours, essentially. But in a global organization operating across multiple time zones, those high-risk hours differ from country to country. What’s more, high-traffic periods in the calendar vary too – the run-up to the Christmas holidays will be critical to a retailer in Western Europe and the US, while Chinese New Year will affect retailers in Asia.
So you have a choice. You can set a single universal change control window according to what is convenient for the most important environment in your network, and hope that the other environments will manage. This is quicker but riskier. Alternatively, you can set different change control windows in different countries, and somehow coordinate a staggered firewall change process. This is unlikely to cause security problems part-way through the process, since the new traffic will most likely remain blocked somewhere along its path until every firewall has been updated – but clearly this could be a significant operational issue, as the affected sites cannot communicate with each other until the rollout is complete. This demands careful coordination between an organization’s IT and application teams.
Ultimately, there is no simple answer to this challenge. You need to weigh up the risks and benefits of the two approaches, and choose the most appropriate path for your organization.
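To make the two options above concrete, here is a small added Python example (not code from the original post) that models a constructed three-site estate with fixed UTC offsets and local change windows. It checks which sites a single universal change time would hit outside their low-risk hours, and for the staggered option it orders the sites by their next window and measures how long the new flow stays partially blocked between the first and last firewall change. Site names, offsets and windows are assumptions; DST is ignored.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample estate (not from the post): each site has a fixed UTC
# offset (DST ignored for simplicity) and a local low-risk change window
# given as [start_hour, end_hour) on the same calendar day.
SITES = {
    "us-east": {"utc_offset": -5, "window": (1, 5)},
    "zurich":  {"utc_offset": 1,  "window": (2, 6)},
    "sydney":  {"utc_offset": 10, "window": (0, 4)},
}
# Constructed reference instants used by the demo below.
EXAMPLE_NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)
EXAMPLE_UNIVERSAL = datetime(2016, 6, 2, 1, 0, tzinfo=timezone.utc)

def _tz(site):
    return timezone(timedelta(hours=site["utc_offset"]))

def sites_outside_window(sites, change_utc):
    """Option 1: one universal change time for every site. Returns the sites
    for which that instant falls outside their local window, i.e. the
    environments that would be changed during their high-risk hours."""
    outside = []
    for name, site in sites.items():
        local_hour = change_utc.astimezone(_tz(site)).hour
        start_h, end_h = site["window"]
        if not (start_h <= local_hour < end_h):
            outside.append(name)
    return outside

def next_window_utc(site, now_utc):
    """Start and end (UTC) of the site's next local window that has not yet ended."""
    local_now = now_utc.astimezone(_tz(site))
    start_h, end_h = site["window"]
    start = local_now.replace(hour=start_h, minute=0, second=0, microsecond=0)
    end = start + timedelta(hours=end_h - start_h)
    if end <= local_now:            # today's window is over: use tomorrow's
        start, end = start + timedelta(days=1), end + timedelta(days=1)
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)

def staggered_schedule(sites, now_utc):
    """Option 2: one change per site, each in its own window. Returns the rollout
    order, the UTC windows, and the gap between first and last change, i.e. how
    long the new flow is blocked somewhere because not every firewall has the rule."""
    windows = {name: next_window_utc(site, now_utc) for name, site in sites.items()}
    order = sorted(windows, key=lambda name: windows[name][0])
    partially_blocked = windows[order[-1]][0] - windows[order[0]][0]
    return order, windows, partially_blocked

if __name__ == "__main__":
    print("universal change hits high-risk hours at:", sites_outside_window(SITES, EXAMPLE_UNIVERSAL))
    order, _, gap = staggered_schedule(SITES, EXAMPLE_NOW)
    print("staggered order:", order, "- flow partially blocked for", gap)
```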
Staying within the law
Another aspect of running multiple datacenters in multiple countries is the question of multiple jurisdictions. Different nations have different laws governing the movement of information; Switzerland, for example, rules that Swiss banking information must remain inside Switzerland, while the Australian government does not allow government or federal information to leave the country.
These laws have significant technical implications for how international enterprises organize their datacenters, whether on premises or in the cloud. Information must be segmented, siloed and protected with firewalls according to local jurisdictions, and the IT team will normally be required to manage this. Technically all the necessary segmentation can be achieved remotely or even outsourced to a service provider, but it still carries a significant organizational burden – especially for organizations migrating to cloud infrastructures, as they may be nervous about the legislative compliance implications.
As a related side comment, last week I blogged about the vulnerability of the SWIFT wire transfer network, and one of the points discussed was the issue of jurisdiction and law enforcement as it relates to the recent Bangladesh Bank heist. If indeed the Bangladesh Bank decides to press charges, which police force do they go to? Can INTERPOL help? Even if they manage to identify the criminals, who is going to arrest them, or request extradition?
There are, as yet, no easy answers to these issues. Ultimately you need to take responsibility for understanding all of the data protection laws and regulations that apply in every country where you store and transmit data – and you need to translate compliance with those regulations into proper technical, legal and compliance-related actions for your IT security strategy and business.
Who else is connected?
The picture gets more complex when you have to grant external organizations connectivity to your network as well. We ran a webinar on this topic last year, which contains a lot of useful advice summarized in this blog. The key points are a) it’s important to implement careful network segmentation in order to minimize the risk of connecting external parties to your infrastructure, b) remember that once a partner is connected, they become part of your regulatory compliance posture, and c) network maintenance can become even more complex. Make sure that you have a contract in place to cover all technical and business aspects of the external connection.
In conclusion, when managing global network infrastructures, it is more important than ever to have full, real-time visibility and control of exactly how your firewalls are controlling network traffic, both to maximize security and compliance, and minimize downtime.