AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Network Complexity – The Security Admin’s Kryptonite


Renowned security professional Bruce Schneier has said that “complexity is the worst enemy of security.”

In our Dangers of Network Security Complexity survey, we found that organizations continue to add more devices and adopt newer technologies, and in turn see a rise in network and security policy complexity. The impact of this complexity is significant – a Gartner research note from November 28, 2012 stated that “Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

A firewall, or any other network device for that matter, is only as good as how it is configured and the policies that it enforces. The simple fact is that the workload of the network administrator has increased – in many organizations, audits and changes across multiple firewalls that incorporate thousands of interdependent rules have grown well beyond what any admin, short of being Superman, can manage.

In our State of Network Security 2012 survey, more than half of the respondents cited time-consuming, manual and error-prone processes (including poor change management) as the greatest challenges of managing network security devices. In many conversations with administrators, we’ve heard firsthand horror stories in which something as simple as a mistyped IP address in a firewall rule caused serious damage, whether by opening a security gap or causing an outage… or both.

Firewall configuration errors are all too common. Think about it – manually poring over what could be thousands of lines of rules and having to enter or change information such as Source, Destination, Service, Application, etc. leaves a lot of risk at the fingertips of an overburdened administrator. So the question becomes: how can you enable the administrator to do his/her job and remove as many opportunities for error as possible?

  1. Process improvement (another weak link discovered in our State of Network Security report) is an important step organizations should always consider. What do I mean by this? Beyond documenting a process for making security policy changes and for checking device configurations, make sure all key stakeholders have signed off on this and follow it. Ensuring there are appropriate checks and balances will reduce the opportunity for errors, which can be many if you think about all of the potential changes (adding, updating, removing policies in firewalls, IPS and other security devices).
  2. Leveraging automation and domain expertise can also significantly reduce unnecessary risk. What do I mean by this? Automating the analysis of what’s actually going on in your network and automating the change workflow (guiding you through the request, risk analysis and design of a firewall rule change, etc.) can significantly improve accuracy in your security policy and reduce the “human error” element.
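A minimal sketch of the automated risk-analysis step from item 2, added here as an illustration and not taken from the original post or any vendor tool: it checks a proposed rule for mistyped addresses, over-broad allows, and shadowing by an earlier rule before the change is approved. The `Rule` fields, function names and sample addresses are assumptions constructed for the example, and first-match rule ordering is assumed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    service: str      # e.g. "tcp/443" or "any"

def _net(field):
    """Parse a Source/Destination field; ValueError on bad octets or host bits set."""
    return ipaddress.ip_network("0.0.0.0/0" if field == "any" else field, strict=True)

def _covers(old, new):
    """True if rule `old` matches every packet that rule `new` matches."""
    return (_net(new.source).subnet_of(_net(old.source))
            and _net(new.destination).subnet_of(_net(old.destination))
            and old.service in ("any", new.service))

def review_change(rule_base, proposed):
    """Return findings for a proposed rule appended to a first-match rule base."""
    findings = []
    for label, field in (("source", proposed.source), ("destination", proposed.destination)):
        try:
            _net(field)
        except ValueError as exc:
            findings.append(f"invalid {label} {field!r}: {exc}")
    if findings:
        return findings  # cannot analyse further with unparsable addresses
    if proposed.action == "allow" and "any" in (proposed.source, proposed.service):
        findings.append("overly permissive: allow rule with 'any' source or service")
    for old in rule_base:
        if _covers(old, proposed):
            kind = "redundant with" if old.action == proposed.action else "shadowed by"
            findings.append(f"{kind} earlier rule {old.name!r}")
            break
    return findings

# Constructed sample rule base and change requests (not from the original post).
RULE_BASE = [
    Rule("block-guest", "deny", "10.20.0.0/16", "any", "any"),
    Rule("web-in", "allow", "any", "192.0.2.10/32", "tcp/443"),
]
TYPO = Rule("db-access", "allow", "10.1.1.300/32", "192.0.2.20/32", "tcp/5432")
WRONG_MASK = Rule("db-access", "allow", "10.1.1.5/24", "192.0.2.20/32", "tcp/5432")
SHADOWED = Rule("guest-web", "allow", "10.20.5.0/24", "192.0.2.10/32", "tcp/443")
CLEAN = Rule("db-access", "allow", "10.1.1.0/24", "192.0.2.20/32", "tcp/5432")
```

Running `review_change(RULE_BASE, ...)` on each request rejects the two mistyped sources, reports that the guest rule can never match because an earlier deny covers it, and returns no findings for the clean request.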

As we add more tools to manage and as business needs change, the admin has more on their plate than ever before. Let’s give the administrator a fighting chance!
