The dangers of firewall misconfigurations – and how to avoid them

According to Gartner, “through 2023, at least 99% of cloud security failures will be the customer’s fault.” Firewall issues are one of the top reasons why this is the case.
The extreme pace of change and increasingly swift adoption of hybrid cloud has network security struggling to keep up. Many enterprises are attempting to protect themselves with network firewalls, putting themselves at increasing risk of configuration errors and policy gaps. In fact, Gartner says:

“Through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

What are the most common causes of firewall misconfigurations?

Network firewalls are not easy to update. Keeping rules up to date when environments and applications are dynamic and complex is almost impossible.

Because of this challenge, firewall policy is often behind the current status of your applications and data. This means you are increasing risk in your data center until you manage to manually set the rules. Moreover, those rules may well become obsolete again almost immediately, so you can never truly stem the issue of growing risk.

At the same time, companies have to deal with compliance mandates and governance, which are just as strict on the cloud environments as on-premises environments. While the increased agility of a hybrid cloud ecosystem is helpful for streamlining business processes, the speed of change has caused many organizations to fall badly short of compliance requirements.

It’s especially difficult to get full visibility into hybrid cloud environments – and without visibility, you can easily fall prey to blind spots resulting from misconfigurations. Take the Capital One breach, for example, where hackers could exfiltrate “data through a ‘misconfiguration’ of a firewall on a web application. That allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.” The result was the loss of the personal data of more than 100 million people, including tens of millions of credit card applications.

What are the most common firewall misconfigurations?

Wondering what some of the most common firewall misconfigurations are? Here are the ones that we see time and again:

  • EC2 instances: Configuring security groups incorrectly can lead to unnecessary risk. AWS itself reports that “Among the most egregious were AWS Security Groups configured to leave SSH wide open to the Internet in 73 percent of the companies analysed.” Any approach that relies on IP addresses that constantly change is going to be error-prone.
  • VPC access: Of course, your business doesn’t want anyone on the internet to be able to access your VPCs. That said, this is a common mistake. Many businesses use ACLs to manage the problem, but it can be time-consuming and leave blind spots.
  • Services permissions: It often happens that unnecessary services are left running on the firewall, opening up enterprises to risk and broadening the attack surface. When devices are configured from the start with the principle of zero-trust and least privilege, this removes that risk. It also ensures that devices can only do the specific function you need them for.
  • Inconsistent authentication: Enterprises often have networks that work across multiple geographies and locations, as well as different environments. Consistent authentication across these different places is a cornerstone of good firewall hygiene. If some requirements are weaker than others, the misalignment creates vulnerable areas of the enterprise that can be leveraged like an unlocked door. The result is that your business will be open to attacks.

What’s the best firewall alternative?

Because of all the issues mentioned above, many businesses have decided that it’s time to look for a firewall alternative. Modern organizations need a security solution that is faster, easier to manage, less error-prone, and more conducive to today’s hybrid cloud and complex environments. That’s where a software-defined micro-segmentation solution like Guardicore Centra comes in.

“With Guardicore, we were not only able to secure 45 applications without interruption in just 6 weeks, we also got a more agile, cost-effective, and secure solution than our legacy firewall provider.”

— David E. Stennett, Sr. Infrastructure Engineer, The HoneyBaked Ham Company

honeybaked ham

Read the full story

Whereas network firewalls can be a hurdle to speed and agility, software-defined segmentation is an enabler. The overlay approach to micro-segmentation does not rely on IP addresses, and is therefore completely decoupled from the underlying infrastructure. This structure allows policies to follow the workload, no matter what environment you are using. Therefore, security can move at the speed of innovation – and lower costs at the same time.

This fast pace is bolstered by automation. And, of course, automation slashes the rate of manual changes and updates – and therefore misconfigurations and errors. Automation supports real-time risk mitigation, even across multi-vendor security environments.

How can you gain visibility into firewall misconfigurations?

Understanding firewall misconfigurations starts with mapping connections, because you can’t protect what you can’t see (or don’t even know exists). In addition to providing stronger, faster security, using a solution like Guardicore Centra enables you to gain granular insights into your communications and connections. That way you can see misconfigurations at a glance, identify unusual behavior, solve open ports or broad permissions, and tackle issues such as inconsistent authentication procedures.

Moreover, Guardicore Centra goes beyond visibility to provide the security that you need to support a Zero Trust-based framework. Specifically, Guardicore covers the main pillars of Zero Trust by securing:

  • People with user-based policies.
  • Endpoints through security policies and enforcing compliance using OSQuery.
  • Workloads in any environment by providing policies that follow the workload and are not tethered to a specific infrastructure.
  • Networks and devices by securing device access to the data center.

Why do you need software-based segmentation vs native cloud controls?

For those of you who rely on the built-in firewall capabilities of cloud providers – hopefully by now you know that software-based segmentation does much more to secure business environments than can be achieved by native cloud controls alone.

Native cloud controls are outside of the visibility and control of network security teams. Those teams need visibility in order to manage connectivity for business-critical applications or micro-segmentation projects. Perhaps this is why Gartner acknowledges that, “Agent-based micro-segmentation has become the standard for micro-segmentation platforms.”

How do you dynamically scale security while avoiding misconfigurations?

Once you’ve mapped out connections, you’re well placed to create consistent policies that follow the workload. You can then avoid playing continuous catchup with network firewalls that simply weren’t built for dynamic, auto-scaling environments or DevOps pipelines and agility. If, by chance, you should miss a misconfiguration, a strong micro-segmentation approach enables you to isolate critical assets and data so that a potential breach can be contained and mitigated, fast.

Leave legacy firewalls behind and lower risk in your own environment

Chances are good that you already have firewall misconfigurations that are opening you up to unnecessary risk. Hybrid cloud environments have added another layer of complexity to today’s data centers, creating even more opportunities for firewall misconfigurations.

Guardicore Centra is one tool that covers any environment and provides superior security capabilities, offering the flexible, fast, and cost-effective protection today’s businesses require. Guardicore enables you to take the challenges of a hybrid data center head on, providing visibility and control where you need it the most.

Ready to find out more about how to reduce risk in your own environment? Sign up today for a free personalized Risk Reduction Assessment Report to find out how much you can shrink your attack surface using Guardicore’s software-based segmentation solution.

Attack Surface Reduction Analysis

Get a no-touch, zero-impact, personalized report that quantifies risk reduction from using software-based segmentation in your own environment

Quantify Your Risk Reduction

Guardicore New Compatibilities with Citrix® Power Enterprises’ Secure Digital Transformation Initiatives

Enhanced Visibility and Granular Security Controls Enable Businesses to Protect Endpoints While Moving to the Cloud

Boston, Mass. and Tel Aviv, Israel – November 10, 2020 – Guardicore, the segmentation company disrupting the legacy firewall market, today announced additional integrations with Citrix and its flagship Centra segmentation platform that will help enterprises migrate to hybrid or cloud environments safely by securing endpoints, critical data, and business-critical applications. 

 

Research from Dynatrace shows that 89% of CIOs say digital transformation has accelerated in the last 12 months, and 58% predict it will continue to speed up. The immediate shift to remote work has inspired many businesses to work with Citrix to adopt hybrid, multi-cloud environments to deliver a consistent employee experience and seamless access to the applications and data they need to perform optimally. During this transition, however, businesses must protect vulnerable workers and sensitive information during digital transformation initiatives. 

 

“Cybercriminals often prey on organizations when their infrastructure is in transition,” said Guardicore VP of Business Development Sharon Besser. “Our architecture allows us to support Citrix customers’ everywhere and especially in hybrid multi-clouds to protect critical applications, endpoints, protect East-West traffic, and reduce risk while modernizing their infrastructure. Businesses that integrate segmentation into their digital transformation not only improve their security posture, they can also complete their project faster.”

 

Citrix recently selected Microsoft Azure as their preferred cloud platform to move existing on-premises customers. With Guardicore, these businesses can implement a  strategy that provides enhanced visibility and process-level security controls down to the workload for both data center and cloud assets. This gives security leaders the ability to protect endpoints, including those running Windows 10, and IT infrastructure while seamlessly moving data and business apps to the cloud. 

 

“At the start of the remote work shift, we helped thousands of enterprises accelerate their digital transformation initiatives to support their employees in working from home,” said John Panagulias, Director, Developer and Partner Programs, Citrix. “Guardicore offers our customers not only security, but speed as its segmentation platform allows businesses to protect vital data and applications without disrupting the employee experience.”

 

Guardicore is a Citrix Ready Partner and has the following compatibilities: 

 

 

To learn more about Guardicore Centra platform, please visit the Citrix Ready Marketplace and Guardicore.

 

About Guardicore

Guardicore is the segmentation company disrupting the legacy firewall market. Our software-only approach is decoupled from the physical network, providing a faster alternative to firewalls. Built for the agile enterprise, Guardicore offers greater security and visibility in the cloud, data-center and endpoint. For more information, please visit www.guardicore.com or go to Twitter or LinkedIn.

Migrating to the Cloud Fast and Securely

There are numerous different ways to make your move to the cloud. According to Gartner, the five most common techniques are rehosting, refactoring, revising, rebuilding, or replacing. Yet every one of those options has a few commonalities: you will always need to understand what assets will be involved, how they communicate, and the ways they interact with your broader IT environment.

After helping organizations of all sizes and complexity levels simplify and accelerate their cloud migration projects, Guardicore has identified five simple steps that can streamline those common points. Following these steps helps assure a fast migration while also enabling you to ensure that security and compliance policies extend to the new infrastructure

5 simple steps to a fast and secure cloud migration

Ready for a sneak preview? Check out this short video for the quick overview before diving into the detailed instructions for how to achieve a fast and secure cloud migration.

1. Map application workloads

Typically, 73% of cloud migrations take more than a year to complete1. Even migrating a single application can take as long as four months2. However, with Guardicore, you can drastically speed up the timeline of your project from step one.

Once installed, Guardicore Centra automatically generates a detailed map of activity across all your environments. Process-level activity is correlated with network events, giving you a visual view of all workloads.
You can then drill down for more detail, including granular information on specific assets and processes. This helps you determine what elements you need to consider during your migration, so you can accurately scope your project.

2. Identify service dependencies

Many applications have service dependencies that they rely on to operate, such as DNS, active directory, or update services. These need to be documented and correctly configured as a part of the migration process.

For instance, you may not want your newly migrated cloud application to have access to the on-premises active directory for security or compliance reasons. Therefore, rehosting it or setting up another instance may be a better option for your business.

Guardicore can help you determine what dependencies exist today. Once those dependencies are identified, you can make a proactive and informed decision on how you would like to set up these services before you migrate. In this way you can avoid unplanned delays.


Guardicore provides detailed insights into service and business dependencies

3. Identify business dependences

In addition to ensuring service dependencies are taken care of, other elements in your environment likely require access to the newly migrated asset to keep your business running as usual. One common use case for financial services organizations, for instance, is the need for billing, accounting, and SWIFT applications to communicate with a banking application migrated to the cloud.

In order to ensure that everything continues operating as expected post-migration, Guardicore provides you with the granular visibility you need to understand communication between each relevant element. This includes insights into connections between protocols, ports, and processes.

This visibility lets you plan how to configure for today’s dependencies. It also helps you decide whether or not to make a change moving forward (like creating a cloud instance of an accounting application in order to avoid an on-premises-to-cloud dependency). Moreover, it allows you avoid potential outages that can occur when you decommission on-premises versions of applications after a migration.

4. Migrate your assets to the cloud

Once you’ve gone through the process of mapping assets and thoroughly understanding dependencies, you can confidently begin your cloud migration. During this time, you can also define any segmentation policies needed to further reduce risk and ensure compliance.

Guardicore Risk Reduction Analysis Report

See how micro-segmentation can shrink attack surface up to 99%

Learn about our free, no-touch, zero-impact, personalized report that quantifies risk reduction from using software-based segmentation in your own environment

MEASURE RISK REDUCTION RESULTS

 

Because Guardicore presents real-time and historical network data in a centralized platform, it’s easy to spot communication flows that might increase risk or result in non-compliance. You can then limit exchanges between assets as needed.

There is an additional bonus to defining policies before undergoing a cloud migration. Since Guardicore operates independently of the underlying infrastructure, policies follow the workloads. Thus, existing security controls carry over to the cloud. There, they can be fine-tuned for an asset’s new environment, saving even more time.

“The entire segmenting of the Somos infrastructure, applications, and data had been completed when we entered the new environment.”

Alex Amorim – Information Security Manager

5. Check and validate your cloud migration

After you’ve completed your cloud migration, it’s important to do one last thorough check. Now is the time to validate that you have accounted for all dependencies and that the correct security policies are in place.

Once you’ve confirmed everything is as it should be, you can securely shut down any on-premises assets you want to decommission. All that’s left is to toast to a successful migration!

Congratulations on completing your fast and secure cloud migration!

Going through these five steps with Guardicore Centra can drastically simplify and speed up your migration to the cloud. Ready to see that kind of success in action for yourself? Check out this five-minute walkthrough of moving an e-commerce application to the cloud: