The Dangers of Firewall Misconfigurations and How to Avoid Them

Network firewalls are not easy to update. Keeping rules up to date when environments and applications are dynamic and complex is almost impossible.

Because of this challenge, firewall policy is often behind the current status of your applications and data. This means you are increasing risk in your data center until you manage to manually set the rules. Moreover, those rules may well become obsolete again almost immediately, so you can never truly stem the issue of growing risk.

At the same time, companies have to deal with compliance mandates and governance, which are just as strict on the cloud environments as on-premises environments. While the increased agility of a hybrid cloud ecosystem is helpful for streamlining business processes, the speed of change has caused many organizations to fall badly short of compliance requirements.

It’s especially difficult to get full visibility into hybrid cloud environments – and without visibility, you can easily fall prey to blind spots resulting from misconfigurations. Take the Capital One breach, for example, where hackers could exfiltrate “data through a ‘misconfiguration’ of a firewall on a web application. That allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.” The result was the loss of the personal data of more than 100 million people, including tens of millions of credit card applications.

Wondering what some of the most common firewall misconfigurations are? Here are the ones that we see time and again:

• EC2 instances: Configuring security groups incorrectly can lead to unnecessary risk. AWS itself reports that “Among the most egregious were AWS Security Groups configured to leave SSH wide open to the Internet in 73 percent of the companies analysed.” Any approach that relies on IP addresses that constantly change is going to be error-prone.
• VPC access: Of course, your business doesn’t want anyone on the internet to be able to access your VPCs. That said, this is a common mistake. Many businesses use ACLs to manage the problem, but it can be time-consuming and leave blind spots.
• Services permissions: It often happens that unnecessary services are left running on the firewall, opening up enterprises to risk and broadening the attack surface. When devices are configured from the start with the principle of zero-trust and least privilege, this removes that risk. It also ensures that devices can only do the specific function you need them for.
• Inconsistent authentication: Enterprises often have networks that work across multiple geographies and locations, as well as different environments. Consistent authentication across these different places is a cornerstone of good firewall hygiene. If some requirements are weaker than others, the misalignment creates vulnerable areas of the enterprise that can be leveraged like an unlocked door. The result is that your business will be open to attacks.

Because of all the issues mentioned above, many businesses have decided that it’s time to look for a firewall alternative. Modern organizations need a security solution that is faster, easier to manage, less error-prone, and more conducive to today’s hybrid cloud and complex environments. That’s where a software-defined microsegmentation solution like Guardicore Centra comes in.

Whereas network firewalls can be a hurdle to speed and agility, software-defined segmentation is an enabler. The overlay approach to microsegmentation does not rely on IP addresses, and is therefore completely decoupled from the underlying infrastructure. This structure allows policies to follow the workload, no matter what environment you are using. Therefore, security can move at the speed of innovation – and lower costs at the same time.

This fast pace is bolstered by automation. And, of course, automation slashes the rate of manual changes and updates – and therefore misconfigurations and errors. Automation supports real-time risk mitigation, even across multi-vendor security environments.

Understanding firewall misconfigurations starts with mapping connections, because you can’t protect what you can’t see (or don’t even know exists). In addition to providing stronger, faster security, using a solution like Guardicore Centra enables you to gain granular insights into your communications and connections. That way you can see misconfigurations at a glance, identify unusual behavior, solve open ports or broad permissions, and tackle issues such as inconsistent authentication procedures.

Moreover, Guardicore Centra goes beyond visibility to provide the security that you need to support a Zero Trust-based framework. Specifically, Guardicore covers the main pillars of Zero Trust by securing:

• People with user-based policies.
• Endpoints through security policies and enforcing compliance using OSQuery.
• Workloads in any environment by providing policies that follow the workload and are not tethered to a specific infrastructure.
• Networks and devices by securing device access to the data center.

For those of you who rely on the built-in firewall capabilities of cloud providers – hopefully by now you know that software-based segmentation does much more to secure business environments and avoid security misconfigurations than can be achieved by native cloud controls alone.

Native cloud controls are outside of the visibility and control of network security teams. Those teams need visibility in order to manage connectivity for business-critical applications or microsegmentation projects. Perhaps this is why Gartner acknowledges that, “Agent-based microsegmentation has become the standard for microsegmentation platforms.”

Once you’ve mapped out connections, you’re well placed to create consistent policies that follow the workload. You can then avoid playing continuous catchup with network firewalls that simply weren’t built for dynamic, auto-scaling environments or DevOps pipelines and agility. If, by chance, you should miss a misconfiguration, a strong microsegmentation approach enables you to isolate critical assets and data so that a potential breach can be contained and mitigated, fast.s.”

Chances are good that you already have firewall misconfigurations that are opening you up to unnecessary risk. Hybrid cloud environments have added another layer of complexity to today’s data centers, creating even more opportunities for firewall misconfigurations.

Guardicore Centra is one tool that covers any environment and provides superior security capabilities, offering the flexible, fast, and cost-effective protection today’s businesses require. Guardicore enables you to take the challenges of a hybrid data center head on, providing visibility and control where you need it the most.

Ready to find out more about how to reduce risk in your own environment? Sign up today for a free personalized Risk Reduction Assessment Report to find out how much you can shrink your attack surface using Guardicore’s software-based segmentation solution.