Could it be that application management and security are converging? How many times have you tried to use an application that can’t get through the firewall? If these two fields are merging, will it fall largely on the firewall or the application team?
“The firewall guys spend most of their time enabling application connectivity.”
Reuven Harrison, CTO and Co-Founder of Tufin
“Firewall administrators don’t do a lot of security. They do a lot of application connectivity.”
Reuven said that, when it comes to the number of configuration updates to the firewall, “The frequency of changes is accelerating.” He went on to say that “35% of our customers have at least 50 changes a week to their firewall infrastructure and we realize that it’s being driven by applications.” Source: http://vimeo.com/66657002
Are we Compromising Security?
Could it be that we are seeing this evolution due to the company’s desire to stay agile? Whatever the reason, pressure is being put on firewall admins to enable these applications quickly. The fear is that poorly thought through configuration changes could be compromising not only security but the company’s compliance obligations as well. What can be done?
Expediting Approval Process
To encourage a faster approval process, management may want to empower the helpdesk to assign these types of requests to the actual decision makers, as firewall admins can sometimes get caught in a political firestorm. No one wants to hold back the business’s ability to stay competitive, but they also don’t want to fall victim to the next news headline for being hacked.
Grant Only the Application
Once the change has been approved, in order to avoid excessively open access, firewall admins sometimes talk directly with the SaaS or cloud service provider and ask them what IP addresses and ports need to be open for the application to operate. Granting broad access to entire subnets or just ranges of ports can be a bad idea. Security admins should keep the access that they grant very specific. This strategy could cause users of applications such as BitTorrent to tweak how the application reaches out to the Internet.
Monitor the Application
Following the enablement, admins should monitor the application’s traffic to see if it is behaving consistently with the instructions provided by the application vendor. Monitoring applications can easily be done with NetFlow or IPFIX in one of two ways:
- In Cisco powered networks, routers can have custom NBAR applications configured.
- Some enterprise NetFlow solutions allow admins to define applications as ranges of IP addresses and ports.
Baseline Application Behavior
Another tactic used in Application Management and Security routines is to baseline application behavior. How do the application’s traffic levels vary over time? What ports does it normally use, and how many flows are generally involved during certain times of the day? Once a baseline has been established, some NetFlow and IPFIX solutions will automatically set thresholds. When a threshold is breached, an event is triggered, which can lead to a notification. These events can help security and application administrators stay aware of how applications behave over time in order to make more precise tweaks that optimize security settings.
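The two checks described above, comparing flows against the endpoints and ports the firewall change granted and learning a per-hour flow baseline with a threshold, as an added example that is not from the original post or from any NetFlow vendor’s product. The vendor netblock, the granted port and the flow records are constructed sample values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Hypothetical grant for one application, as the vendor would publish it
# (constructed values from documentation address ranges, not a real service).
GRANT = {"nets": [ip_network("203.0.113.0/24")], "ports": {443}}

# Constructed flow records with NetFlow/IPFIX-style fields: day, hour, dst, dst port, bytes.
FLOWS = [
    {"day": 1, "hour": 9, "dst": "203.0.113.10", "dport": 443, "bytes": 9000},
    {"day": 1, "hour": 9, "dst": "203.0.113.10", "dport": 443, "bytes": 8000},
    {"day": 2, "hour": 9, "dst": "203.0.113.11", "dport": 443, "bytes": 7000},
    {"day": 2, "hour": 9, "dst": "203.0.113.11", "dport": 443, "bytes": 7500},
    {"day": 2, "hour": 9, "dst": "203.0.113.11", "dport": 443, "bytes": 7100},
    {"day": 3, "hour": 9, "dst": "203.0.113.12", "dport": 443, "bytes": 8200},
    {"day": 3, "hour": 9, "dst": "203.0.113.12", "dport": 443, "bytes": 8100},
    # Day 4: same vendor netblock, but a port that was never granted, plus a burst of flows.
    {"day": 4, "hour": 9, "dst": "203.0.113.10", "dport": 8443, "bytes": 500},
] + [{"day": 4, "hour": 9, "dst": "203.0.113.10", "dport": 443, "bytes": 100} for _ in range(10)]

def to_vendor(flow, grant=GRANT):
    """True when the destination lies inside the vendor's published netblock."""
    return any(ip_address(flow["dst"]) in n for n in grant["nets"])

def off_grant(flows, grant=GRANT):
    """Flows to the vendor that use a port the firewall change did not grant."""
    return [f for f in flows if to_vendor(f, grant) and f["dport"] not in grant["ports"]]

def hourly_counts(flows, grant=GRANT):
    """Flow count per (day, hour) for traffic that matches the application grant."""
    counts = defaultdict(int)
    for f in flows:
        if to_vendor(f, grant) and f["dport"] in grant["ports"]:
            counts[(f["day"], f["hour"])] += 1
    return counts

def thresholds(counts, baseline_days, k=3.0):
    """Per hour-of-day threshold mean + k*stdev, learned only from the baseline days."""
    per_hour = defaultdict(list)
    for (day, hour), n in counts.items():
        if day in baseline_days:
            per_hour[hour].append(n)
    return {h: mean(v) + k * pstdev(v) for h, v in per_hour.items()}

def breaches(counts, limits, watch_days):
    """(day, hour, count, limit) tuples where a watched day exceeds the learned limit."""
    return [(d, h, n, limits[h]) for (d, h), n in sorted(counts.items())
            if d in watch_days and h in limits and n > limits[h]]
```

Running `off_grant(FLOWS)` surfaces the port 8443 flow, and `breaches(hourly_counts(FLOWS), thresholds(hourly_counts(FLOWS), {1, 2, 3}), {4})` reports the day 4 burst against the limit learned from days 1 to 3.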
Do you want to learn more about how NetFlow and IPFIX can improve your security posture? Download a copy of our white paper “Flow-based Approaches in Network Management”.