Commentary – We’ve all made one in our career: a mistake so stupid you were sure it would cost you your job. My first big mistake was restarting all the campus router pairs at once – not one by one, all at once. I had written a script to install a security update on all the routers and run through them one by one … or so I thought. Turns out my script had an error: it did not wait between routers. I thought I was fired, but fortunately I was not.
What could have been a major disaster turned out to be a great experience for all involved. We all learned something about crisis management, and once everything was back online, my boss took a few hours to teach me how to verify that the network is working properly. The good news is that most of the time our mistakes are not so severe. The bad news is that often they are not immediately noticeable, which means they can stay undetected for weeks, months or even years until one day they either cause a failure or an auditor calls them out.
On the network security front, firewall management is one area where a simple mistake in a rule or configuration change can come back to haunt you. Here are some of the most common errors:
Creating firewall groups with no meaning
A firewall administrator had a certain network object in more than half of his rules. It was named Joe_Montana, after the famous football star. “We use it whenever something needs to be allowed access,” he explained: every IP address that needed one of his many permissive rules had been added to this group.
The result is a rule base that looks OK to an auditor but is actually a huge security issue (because in effect there are rules in which EVERYONE is included). The rules become meaningless, and when this was identified in an audit, cleaning up the rule base became a thankless task of many months, sorting out a set of rules that actually correspond to the safe and appropriate needs of the company.
Failing to upgrade your firewall software
A surprising number of organizations run outdated firewall software. When asked why, it’s the same story: keeping the version fixed for stability, the firewalls cannot be taken down for upgrades, etc. The fact is, firewall vendors upgrade their software for a reason. You don’t need to be on the latest and greatest release, but if you are running a version that is 15 or 20 releases behind and 7 years old, stop complaining and start upgrading!
Using the wrong technology
We all have stories of the square peg being forced into the round hole, but here’s one of my favorites. A network security administrator argued to his auditors that, because they had a firewall in front of their secure web server, there was a second layer of authentication, which meant they were using two-factor authentication: a password and a firewall. This guy deserves an A for creativity, but a firewall (of course) is not a two-factor authentication solution. Two-factor authentication requires your users to present something they know and something they have, a password and a token for example.
The accidental outage
I heard a story about one such outage where the firewall administrator was working on the production firewall server, gathering some data for a support case. The admin reached across the table and accidentally leaned on the mouse, whose cursor was over the Start Menu. As fate would have it, the mouse activated the Start Menu and the cursor was, unbelievably, over the shutdown menu item when it popped up. Yep, right there in the middle of production, this financial corporation watched its production firewall shut down.
All too often you hear about firewall administrators trying to understand what the hell all their rules do. When we are too busy or stressed to take the time to create proper documentation, we create a time bomb waiting to blow up. Ask anyone involved in managing firewalls how often they hear this: “I am afraid to make changes to my firewall now; all the senior guys have left and we do not know what most of these names mean or what these rules do.”
Using excessive Drop rules
Often when we are in a hurry, we create a rule that permits very broad traffic and then put a drop rule directly above it for the access we do not want to allow. We do this because we cannot figure out how to write the correct rule. For example: “All DMZ devices can access all internal devices,” with a rule right above it that says “Drop all DMZ devices to the secure network devices.” The two rules look OK at first, but it really is an ugly hack.
We did not write what the business actually needs into the first rule. If we keep doing this over time, we end up with a rule base full of these rule ‘pairs’, and reorganizing the rule base or modifying a rule is then likely to either expose more risk or block necessary traffic. Either way, we have a mess that we will have to rewrite at some point.
Using routing as your security policy
I have seen many a firewall rule base where changes needed routing changes to go along with them. That is understandable if the change involves a new network behind the firewall. But there are two versions of this very common mistake that happen all the time. The first is the firewall with no default route. Every route is entered into the firewall by hand with the smallest network mask possible, so that traffic cannot reach unintended devices if the firewall policy fails to stop it.
Wow, that sounds great, but it is entirely unnecessary: the policy of a modern firewall will sit there and drop anything it does not permit. This design is so difficult to manage that the whole team becomes afraid to make changes. Soon every change needs an engineer to work out the routing, so every change takes too long, and the impact on the business of not maintaining things in a timely fashion brings no real added security value. The second version of this error is most common on Cisco devices, where administrators have ACLs between two interfaces in which the source or destination is ANY.
You do not really mean any; you mean “all addresses behind this interface, but I’m too lazy to type the addresses in.” This leads to a rule base that can only be understood with the routing table in hand alongside the firewall policy, and working that out in your head is complicated, even more so for a junior firewall admin taking over this firewall.
Using DNS objects in a rule base
One of the options many firewalls provide is inserting a source or destination as a DNS object like www.google.com. It sounds great because google.com can use so many IP addresses, and this allows my firewall to always pass the traffic as google.com changes IP addresses. This blunder leads to many risks most organizations should consider unacceptable. First, your firewall is now more susceptible to Denial of Service attacks. What happens when it can’t resolve google.com? Second, your firewall is going to waste CPU, memory, and network IO on DNS lookups for every packet while trying to decide if it might belong to google.com. Third, what happens if your DNS is poisoned and malicious addresses for the command and control of the latest botnet are returned along with the google.com addresses? You have now just allowed all the botnet command and control traffic through your firewall, and logged it as google.com.
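The four rule-base mistakes above (meaningless groups, drop/accept rule pairs, ANY in place of explicit addresses, DNS objects) can be caught mechanically. The following is an added example, not code from the original commentary: a small vendor-neutral linter over a constructed rule base, where the object names, CIDRs and the convention that an undefined hostname-looking name is a DNS object are all assumptions.

```python
import ipaddress
import re
# Constructed rule base, evaluated top-down: (name, source, destination, action).
RULES = [
    ("dmz-block-secure", "DMZ_Hosts", "Secure_Net", "drop"),
    ("dmz-to-internal", "DMZ_Hosts", "Internal", "accept"),
    ("web-out", "Joe_Montana", "www.google.com", "accept"),
    ("mgmt", "Joe_Montana", "Firewall_Mgmt", "accept"),
    ("any-in", "any", "Joe_Montana", "accept"),
    ("vpn", "Joe_Montana", "Internal", "accept"),
    ("cleanup", "any", "any", "drop"),
]
# Constructed objects: name -> CIDRs. Undefined hostname-looking names are DNS objects.
OBJECTS = {
    "DMZ_Hosts": ["192.0.2.0/24"], "Secure_Net": ["10.0.5.0/24"],
    "Internal": ["10.0.0.0/16"], "Firewall_Mgmt": ["10.0.0.1"],
    "Joe_Montana": ["10.0.1.7", "10.0.2.9", "192.0.2.15"],
}
HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

def is_dns_object(name):
    return name != "any" and name not in OBJECTS and bool(HOSTNAME.match(name))

def contains(outer, inner):
    """True if every address of object `inner` lies within object `outer`."""
    if outer == "any":
        return True
    if inner == "any" or is_dns_object(outer) or is_dns_object(inner):
        return False
    outer_nets = [ipaddress.ip_network(c) for c in OBJECTS[outer]]
    return all(any(ipaddress.ip_network(c).subnet_of(o) for o in outer_nets)
               for c in OBJECTS[inner])

def lint(rules=RULES):
    findings = []
    for i, (name, src, dst, action) in enumerate(rules):
        if action == "accept" and "any" in (src, dst):
            findings.append((name, "ANY: policy depends on the routing table"))
        for field in (src, dst):
            if is_dns_object(field):
                findings.append((name, f"DNS object {field} in rule"))
        # A drop placed directly above a broader accept: the rule 'pair' hack.
        if action == "drop" and i + 1 < len(rules):
            n2, s2, d2, a2 = rules[i + 1]
            if a2 == "accept" and contains(s2, src) and contains(d2, dst):
                findings.append((name, f"exception for {n2}; rewrite {n2} instead"))
    # A group referenced in more than half of the rules has lost its meaning.
    for obj in OBJECTS:
        if sum(obj in (r[1], r[2]) for r in rules) > len(rules) / 2:
            findings.append((obj, "group used in more than half of the rules"))
    return findings
```

The final any/any drop rule produces no finding: a catch-all cleanup drop is the one place ANY belongs.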
Making changes in panic mode
Imagine that something goes wrong: you lose one of the RAID disks and replace it. During the RAID reconstruction, service is slow, but you do not know that the RAID rebuild is the cause. At this point your customer-facing service has been suffering for 40 hours and you are losing money every minute, not to mention the customers who leave for alternative services from your competitors.
You go into panic mode and start changing configurations: switches, routers, load balancers, firewalls, anything you suspect may be causing the problem. After another 24 hours without sleep and many hours of expensive consultants, someone figures out the actual cause of the problem. Now you want to undo all the changes on the switches, routers, load balancers and firewalls, but no one knows what they were because they were made in haste without being written down.
You spend another 3 days figuring out how to get the system back until it is fully operational. I hope you do not see this in your organization. But if you do, rest assured you are not alone. The best-run organizations find such errors; in the others, they lurk in the firewall rules. The good news is that automation can rectify what experience cannot. The secret to knowing whether your company will benefit from automating elements of your network security (or any other aspect of security, for that matter) is whether the ROI is clear and easy to quantify. After all, if you cannot quantify how a security investment will impact the bottom line, how can you expect anyone else to?