By now, you have probably heard about the malicious code that was discovered in Juniper’s NetScreen ScreenOS. This serious vulnerability, which could enable attackers to take complete control of Juniper NetScreen firewalls running the affected software, made headline news, and for good reason.
Naturally, the first thing you should do is check whether you have affected firewalls in your network and patch them. (AlgoSec customers, check your inbox for a note that outlines how the AlgoSec Risk Profiles address this issue.) Eventually the panic will subside, and the media will shift its focus to the next inevitable security flaw or breach. But you are left with a network to protect, so it is important to understand that this incident does not put a dent in network security fundamentals.
95% of firewall breaches are STILL the result of misconfiguration, not firewall flaws.
This statistic from Gartner still rings true. It is important to understand that in order to be compromised through this vulnerability, an organization had to:
Run Juniper firewalls with an affected ScreenOS version
Be attacked by someone who was aware of this vulnerability and knew how to exploit it.
This is not a very large subset of the organizations out there (although the second condition gets easier to meet once the details are public, which is why patching cannot wait).
Now compare this subset to the number of organizations that regularly misconfigure their firewalls (which of course can happen with every vendor’s firewall, not just Juniper firewalls). You know, that ANY/ANY rule you put in place “temporarily” to quickly fix a connectivity issue, the Telnet access you gave to your contractor and forgot to remove – do I need to go on? These misconfigurations can be easily exploited by any hacker, not just the ultra-sophisticated ones who planted the malicious code in ScreenOS.
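Both of those misconfigurations are mechanical to find if the rule base is reviewed at all. The script below is an added example, not AlgoSec code or any vendor's export format: it lints a vendor-neutral rule list (a constructed, hypothetical format) for wide-open ANY/ANY permits, Telnet reachable from outside RFC 1918 space, and "temporary" rules whose review date has passed. The sample rules use documentation address ranges and are constructed for illustration.

```python
"""Lint a firewall rule-set for the misconfigurations the post describes:
an ANY/ANY rule added "temporarily", and Telnet access granted to a
contractor and never removed. Added example, not AlgoSec code; the rule
format and the sample rules below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

TELNET_PORT = "23"
# RFC 1918 space counts as "inside"; anything else, including "any", is untrusted.
# (ipaddress.is_private is deliberately not used: it also returns True for the
# documentation ranges such as 198.51.100.0/24 used in the sample rules.)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One rule in a hypothetical vendor-neutral form (assumed for this example)."""
    name: str
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    proto: str                       # "tcp", "udp" or "any"
    dport: str                       # destination port number or "any"
    action: str                      # "permit" or "deny"
    expires: Optional[date] = None   # review date recorded for a "temporary" rule


def is_any(value: str) -> bool:
    return value.strip().lower() == "any"


def is_internal(cidr: str) -> bool:
    """True only if the whole prefix lies inside RFC 1918 space."""
    if is_any(cidr):
        return False
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


Finding = Tuple[str, str, str]   # (rule name, severity, description)


def lint(rules: List[Rule], today: date) -> List[Finding]:
    """Return one finding per risky property of each permit rule, in rule order."""
    findings: List[Finding] = []
    for r in rules:
        if r.action.lower() != "permit":
            continue   # a deny rule cannot open anything up
        wide_open = all(is_any(v) for v in (r.src, r.dst, r.proto, r.dport))
        permits_telnet = (r.proto.lower() in ("tcp", "any")
                          and (r.dport == TELNET_PORT or is_any(r.dport)))
        if wide_open:
            findings.append((r.name, "critical", "ANY/ANY permit rule"))
        elif permits_telnet and not is_internal(r.src):
            findings.append((r.name, "high",
                             f"Telnet (tcp/23) reachable from untrusted source {r.src}"))
        elif permits_telnet:
            findings.append((r.name, "medium",
                             "cleartext Telnet (tcp/23) permitted inside the network"))
        # The "temporary" fix that never got removed.
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "high",
                             f"temporary rule expired on {r.expires} but is still active"))
    return findings


# Constructed sample rule base: one clean rule, the two misconfigurations from the
# post, an internal Telnet rule, and a trailing deny-all.
SAMPLE_RULES = [
    Rule("web-in", "any", "203.0.113.10/32", "tcp", "443", "permit"),
    Rule("temp-fix-ticket-4711", "any", "any", "any", "any", "permit",
         expires=date(2015, 11, 1)),
    Rule("contractor-telnet", "198.51.100.0/24", "10.0.0.5/32", "tcp", "23", "permit",
         expires=date(2015, 10, 15)),
    Rule("lan-telnet", "10.0.0.0/8", "10.0.0.0/8", "tcp", "23", "permit"),
    Rule("deny-all", "any", "any", "any", "any", "deny"),
]


def audit_sample(today: date = date(2015, 12, 21)) -> List[Finding]:
    """Run the lint over the constructed sample as of a fixed (assumed) date."""
    return lint(SAMPLE_RULES, today)


if __name__ == "__main__":
    for name, severity, text in audit_sample():
        print(f"[{severity:8}] {name}: {text}")
```

The point of the expiry field is that "temporary" only means something if the rule carries a date the review process can act on; a rule base that lacks such metadata is exactly the one where the ANY/ANY fix lives forever.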
So the fact remains that sound security policy management is still the biggest bang for your buck when it comes to protecting your network.
One brand of firewall is STILL a best practice for most enterprises.
This is the title of a Gartner research paper dating back to 2012. Should the Juniper vulnerability bring back the old notion that using two firewall brands is more secure? The theory behind this outdated practice is that a vulnerability in one firewall brand cannot be exploited in a different brand. That is true, of course, in theory. But in practice, having two different firewall platforms greatly increases the aforementioned configuration and management problems, which far outweighs the theoretical benefit.
However, many companies out there are forced into a mixed environment. This can be the result of mergers and acquisitions, legacy purchases, or the cost and complexity of upgrading the entire firewall estate in one go. This is where a firewall policy management solution that can analyze multiple firewall vendors, including cloud security controls, in a single pane and with the same processes can make a world of difference.
This latest flaw is yet another reminder to all of us that security requires unrelenting effort and focus. The breach or vulnerability du jour may change frequently – but security fundamentals rarely do.