Gartner estimates that 65% of all successful cyberattacks exploit misconfigured systems. With hundreds or even thousands of rules installed on most enterprise firewalls, there is a serious risk that vulnerabilities are being masked behind the complexity of the firewall rule base. Obsolete, overlapping, or misconfigured rules are often exploited to give attackers access to sensitive data.
In my experience this situation occurs because overworked and understaffed administrators are under pressure to fulfill business requests quickly; consequently, the focus is on speed of implementation rather than on optimizing the configuration. The requirement to “get it done” often means that administrators err on the side of granting too much access rather than writing complex and tightly restrictive rules. It also means that old rules, which were rendered obsolete by the new rules, are often neglected because it is very time consuming to figure out which rules to delete.
Now, extrapolate this to distributed enterprises with scores or hundreds of firewalls, administered by many business units, often following different policies that may have been written before the units’ acquisitions, and you have a prescription for disaster.
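The hardest part of the cleanup described above is deciding which rules are dead weight. The following script is an added example, not code from this post or from McAfee or Cisco, showing the check a practitioner would run before deleting anything: it walks a first-match rule base and flags rules that an earlier rule already fully covers. A covered rule with the same action is redundant (safe to delete); a covered rule with the opposite action is shadowed (it never fires, so the policy it was meant to enforce is silently not in effect). The rule lines, the one-line rule syntax and the `Rule` field names are constructed for this example; only a rule covered by a single earlier rule is detected, not one covered by the union of several.

```python
"""Find shadowed and redundant rules in a first-match firewall rule base.

Added example; the rule format below is made up for illustration and is not
any vendor's syntax. Fields: name src dst proto dport action.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high); (0, 65535) means any port


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str        # "tcp", "udp" or "any"
    dport: PortRange  # destination port range
    action: str       # "allow" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse one constructed rule line into a Rule."""
    name, src, dst, proto, ports, action = line.split()
    if ports == "any":
        dport: PortRange = (0, 65535)
    elif "-" in ports:
        lo, hi = ports.split("-")
        dport = (int(lo), int(hi))
    else:
        dport = (int(ports), int(ports))
    return Rule(name, ip_network(src), ip_network(dst), proto.lower(), dport, action.lower())


def load_rules(text: str) -> List[Rule]:
    """Parse a rule base, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b also matches rule a."""
    return (
        b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and (a.proto == "any" or a.proto == b.proto)
        and a.dport[0] <= b.dport[0]
        and b.dport[1] <= a.dport[1]
    )


def analyse(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule, finding, covering_rule) for every rule an earlier rule
    fully covers. First-match semantics: the first covering rule is the one
    that actually fires, so we stop at it. A rule covered only by the union of
    several earlier rules is NOT detected by this single-rule check."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


# Constructed sample rule base (RFC 1918 and documentation addresses only).
SAMPLE_RULES = """
r1 10.0.0.0/8     0.0.0.0/0       tcp 80  allow
r2 10.1.0.0/16    203.0.113.10/32 tcp 80  allow   # r1 already allows this: redundant
r3 0.0.0.0/0      203.0.113.0/24  any any allow
r4 10.2.0.0/16    203.0.113.20/32 tcp 22  deny    # r3 allows it first: shadowed
r5 192.168.0.0/16 10.0.0.0/8      udp 53  allow
r6 0.0.0.0/0      0.0.0.0/0       any any deny
"""

if __name__ == "__main__":
    for rule, kind, by in analyse(load_rules(SAMPLE_RULES)):
        print(f"{rule}: {kind} (covered by {by})")
```

Running it on the sample reports `r2` as redundant with `r1` and `r4` as shadowed by `r3`; `r4` is the dangerous case, because an administrator reading the rule base would believe SSH to that host is blocked. Export your own rule base into the same six-field form to run the check against it, and treat the output as a review list rather than a delete list.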
Case in point: Take a few minutes to view David Strom’s video, where he shows how tedious it is to set up firewall rules to protect a web server from attacks. He illustrates his point with a Cisco Adaptive Security Appliance ASA 5500. He has to create four (multi-step) rule sets to get this to work: an access rule, a NAT rule, a signature policy rule, and a server policy rule. That’s a lot to keep track of. Next he tries to add IPS and AV protections. Cisco requires (extra cost) add-on modules for AV and intrusion prevention, but the 5500 series ASA only has room for one physical module. Consequently, he is forced to choose one (or buy a second appliance), so he chooses the anti-virus module. But since Cisco OEMs its AV module from Trend Micro, and it isn’t integrated, he has to configure more rules on a separate series of screens. It is no wonder that firewall rules are bloated!
Clearly, something has to be done to reduce the number and complexity of firewall rules. And that is where McAfee Firewall Enterprise distinguishes itself from the competition. As David Strom clearly showed in his video, all McAfee firewall rules are created within a single screen that presents an intuitive graphical user interface.
For example, let’s look at this simple request: “Allow marketing to have access to Yahoo IM but not to Yahoo file sharing.” To create this rule you click on the “group” marketing and the “application” Yahoo IM. Then, you check the box “Don’t allow file sharing.” That’s it! There is no need to use the arcane language of our competitors’ firewalls: ports, protocols and IP addresses.
Our firewall rules are created in the language of business. Furthermore, all “external” protections (e.g., IPS, AV, URL filtering, Geo-locations, trusted source) are all on the same screen. And they are all tightly integrated and included for free. No other vendor can make this claim and it puts McAfee a quantum leap ahead of the competition. More importantly, it makes our firewall more secure.
With fewer rules and a single screen, it is easy for even the most inexperienced firewall administrator to make sense of the environment. And that gives peace of mind. See for yourself.