Table of Contents

The Value of a Firewall Health Check

In this article, I am going to talk about the cost saving benefits of a Firewall Health Check and how it can improve your organizations security posture.

It’s the reason dogs chase cars: they’re flashy, attention-grabbing, and you have to have it. Unfortunately, the IT crowd sometimes gets that mentality with security tools – it’s a common observation among EITS’ Security Engineers and Architects that folks do this instead of looking inward at their existing infrastructure. But when it comes to security products such as firewalls, shouldn’t you have the latest and greatest? Even though it might sound like a good plan of action to invest in buying the hot product – especially when it’s the buzzword on social media and the vendor’s lips – it can be an expensive tradeoff.
There is a common notion in the security world that the only thing more expensive than paying for the security to prevent an incident is paying for the cost of cleaning up after one. Gartner reports that spending for IT security in 2019 – increased by 8.7% over 2018, versus a general IT spending hike of only 3.4%. We in the IT world expected that the trend would continue in 2020, spending up 20% from the previous year; of course, that prediction was made in the halcyon days before the coronavirus pandemic. As you may expect, spending on IT security took a dive in the last year. Instead, we saw some of that outlay shift to facilitate work-from-home Zoom licenses, VPNs, and new laptops. General IT spending outside of security is predicted to be flat or fall. And while working through a VPN doesn’t necessarily add vulnerability, if employees are on their home PCs attached to the corporate network, they can present new threats. The need to invest in security will not change, so it is critical to be strategic about where and how the money gets spent. CISOs can’t afford to treat the security budget like a kid spending their allowance because it’s burning a hole in their pocket.
It security spending from 2018 to 2020 went up 8.7% and in 2020 security spending shifted to companies purchasing VPNs, new computers, and conferencing software to support work from home needs

Why perform a security assessment?

For businesses that take a deeper look at security, it coincides with getting audited. These audits come in all shapes and sizes, such as PCI compliance for folks that process credit cards, IRS audits for government organizations that handle taxpayer data, and HIPAA compliance for anyone handling patient medical data. Of course, these kinds of audits do serve a purpose, but they tend to be long on findings and short on actionable data. Far too often, an audit ends, and the security team gets stuck with a stack of findings that they then need to review, classify, rank, and attempt to remediate – all while still performing their normal job functions. What typically happens is that either the audit gets filed away for some nebulous future remediation plan, or a single facet of the red team findings becomes the remediation focus. This one component may get resolved but at the cost of only minimally increasing the organization’s overall level of security.

The 2015 IRS breach

When the IRS was breached in 2015 to the tune of 700,000 user accounts, bogus tax returns were filed, and the “refunds” were electronically funneled into hackers’ bank accounts. The focus of the post-incident activity was placed on the unencrypted data, but access was achieved using valid credentials! The bad actors relied on compromising knowledge-based authentication (KBA) questions. Much of the personally identifiable information (PII) that could challenge the KBA questions for the accounts were easily found online. This particular attack could have been virtually eliminated with a security assessment and moving toward measures such as validating users’ access using a form of token or authenticator-based multi-factor authentication to validate both something the user knew (their username and password) and something they had at the time of access (the token or authenticator code), as well using multi-tiered lockout rules.
The 2015 IRS breach resulted in 700,000 compromised user accounts
What’s more, what was needed at the IRS and elsewhere was not another audit by a generalist but instead a deeper dive into the subject of concern by engineers that are experts on the matter. This allows such engineers – subject matter experts (SMEs) – to apply that calculated eye to the issue and help security-minded organizations make practical changes to increase their security level, ace their next audit, and increase their overall operational stability, all without needing to buy a new product.

The Importance of a Security Assessment

Performing a security assessment allows companies to see if there are improvements to their security posture without having to go out and buy new “toys.” Unfortunately, it’s a common trend I see in most of the organizations I step into, across all business types and sizes: Money was spent on procuring a best-of-breed solution, time was invested in getting it set up, and some measure of time later the changes performed have all been operational. Security is always a moving target, with standards and best practices changing frequently; organizations that do not adjust and adapt to the changes are usually left behind and leave themselves open for exploitation by adversaries. Just ask the IRS.

getting a firewall health check and a security assessment is better than spending more money on security controls

You’ve invested your money and time into your existing IT security platforms, so before replacing them, it’s best to re-evaluate how they are deployed and used to see if they are being used to their fullest potential. There are a few ways to accomplish this, of course, but for my EITS team members and me, this usually comes in the form of a security assessment and a health check of some kind. Anything that can be hardened and made compliant can then have a health check performed against it. For example, the most obvious icon of network security in our modern security environment is the firewall. The firewall is most often where you can make the most impact in the shortest amount of time by performing a health check. The exact process you would go through will vary somewhat depending on the make and model of the firewall, of course. Still, the concepts and areas to evaluate will stay the same – in the same way that a Ford Focus and a Jeep Cherokee are different vehicles produced by two unrelated companies and yet can be mechanically serviced in much the same way.

What does Firewall Health Check evaluate and what do we do with the findings?

So, we have our firewall that we will be performing a health check on. What does that really mean? Well, first, we always start by talking to the engineers who are doing the daily care and feeding to try and capture as much environmental knowledge as possible. All of us were customers at one time – senior architects and engineers – so we looked at what we would want if we were the customer. We want to know how the firewall fits into the network, how it gets used, what it physically cables to – really any background knowledge that we can get from those closest to them daily. Doing this gives us the level of detail we need to intelligently look into the configuration and saves us from tripping ourselves up when we start making recommendations for remediation. For example, a border firewall that isn’t doing any form of URL filtering of user traffic would normally be an issue we’d want to focus on; however, if we take our time to learn about the environment we are checking, we might find that the customer is using zScaler and is doing URL filtering, but not on the device we are dialed in on. It also helps us understand the potential impact of the remediation efforts we will be suggesting, which is a big part of how we close out these health checks.
With the knowledge dump completed and environmental knowledge gained, it’s time to roll up our sleeves and get into the nitty-gritty of the work: deep-diving into the firewall configurations and applying that calculated eye. To compile a full list of things here that we would want to check for would be rather exhausting and would also vary depending on the make of the firewall and where in the network it is deployed, but some things are always going to require evaluation:
Once we’ve completed the evaluation, it’s time to sit down and build our report. Once again, the goal here is to provide actionable data, not just a laundry list of findings. So, while we list everything we’ve discovered in the report, the real focus is on what we believe the priorities should be. We evaluate and create a list of the ten most important things we found in our health check and then turn around and rank them based on how critical the impact is, what the risk is, and the level of effort. This gives the security team a quick “hit list” to tackle and enables them to make an intelligent decision on which items to resolve, in which order since we don’t treat all issues the same.
For example, if we look at a High Availability pair of firewalls, a common issue we’ll find is that HA will be configured to trigger if the active firewall fails (due to something like a full power outage) but won’t be set to failover in the event it simply stops processing traffic because of a downstream issue (such as a switch failure). This is a critical issue – or will be the moment the environment goes down because the firewalls didn’t failover – but the fix is typically low on the risk level, and the level of effort might be as little as 15 minutes of configuration and testing. Compare that to enabling SSL decryption, for example, which is also a critical issue, but one that will have a high level of both risk and effort. So, the final task completed as part of the EITS health check is to work with the customer to plan out how to remediate the issues that have been uncovered. This could involve the customer having us do it for them, or it could be a matter of us simply providing guidance and acting as a sounding board for them to handle it internally.

Conclusion

Either way, the goal should always be that the end security posture will be much higher when we finish than when we started. Security assessments should be done for more than just compliance, and choosing professionals who can assess the best approach for your individual setup is important. In addition to changes implemented to improve firewall best practice adherence, we also often uncover opportunities for them to be used in new ways that will solve other problems customers were already facing and simultaneously harden their security and save even more money – all for a fraction of the price of chasing after that new, shiny tool.