firewall misconfiguration

The dangers of firewall misconfigurations – and how to avoid them

According to Gartner, “through 2023, at least 99% of cloud security failures will be the customer’s fault.” Firewall issues are one of the top reasons why this is the case.
The extreme pace of change and increasingly swift adoption of hybrid cloud has network security struggling to keep up. Many enterprises are attempting to protect themselves with network firewalls, putting themselves at increasing risk of configuration errors and policy gaps. In fact, Gartner says:

“Through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

What are the most common causes of firewall misconfigurations?

Network firewalls are not easy to update. Keeping rules up to date when environments and applications are dynamic and complex is almost impossible.

Because of this challenge, firewall policy is often behind the current status of your applications and data. This means you are increasing risk in your data center until you manage to manually set the rules. Moreover, those rules may well become obsolete again almost immediately, so you can never truly stem the issue of growing risk.

At the same time, companies have to deal with compliance mandates and governance, which are just as strict on the cloud environments as on-premises environments. While the increased agility of a hybrid cloud ecosystem is helpful for streamlining business processes, the speed of change has caused many organizations to fall badly short of compliance requirements.

It’s especially difficult to get full visibility into hybrid cloud environments – and without visibility, you can easily fall prey to blind spots resulting from misconfigurations. Take the Capital One breach, for example, where hackers could exfiltrate “data through a ‘misconfiguration’ of a firewall on a web application. That allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.” The result was the loss of the personal data of more than 100 million people, including tens of millions of credit card applications.

What are the most common firewall misconfigurations?

Wondering what some of the most common firewall misconfigurations are? Here are the ones that we see time and again:

  • EC2 instances: Configuring security groups incorrectly can lead to unnecessary risk. AWS itself reports that “Among the most egregious were AWS Security Groups configured to leave SSH wide open to the Internet in 73 percent of the companies analysed.” Any approach that relies on IP addresses that constantly change is going to be error-prone.
  • VPC access: Of course, your business doesn’t want anyone on the internet to be able to access your VPCs. That said, this is a common mistake. Many businesses use ACLs to manage the problem, but it can be time-consuming and leave blind spots.
  • Services permissions: It often happens that unnecessary services are left running on the firewall, opening up enterprises to risk and broadening the attack surface. When devices are configured from the start with the principle of zero-trust and least privilege, this removes that risk. It also ensures that devices can only do the specific function you need them for.
  • Inconsistent authentication: Enterprises often have networks that work across multiple geographies and locations, as well as different environments. Consistent authentication across these different places is a cornerstone of good firewall hygiene. If some requirements are weaker than others, the misalignment creates vulnerable areas of the enterprise that can be leveraged like an unlocked door. The result is that your business will be open to attacks.

What’s the best firewall alternative?

Because of all the issues mentioned above, many businesses have decided that it’s time to look for a firewall alternative. Modern organizations need a security solution that is faster, easier to manage, less error-prone, and more conducive to today’s hybrid cloud and complex environments. That’s where a software-defined micro-segmentation solution like Guardicore Centra comes in.

“With Guardicore, we were not only able to secure 45 applications without interruption in just 6 weeks, we also got a more agile, cost-effective, and secure solution than our legacy firewall provider.”

— David E. Stennett, Sr. Infrastructure Engineer, The HoneyBaked Ham Company

honeybaked ham

Read the full story

Whereas network firewalls can be a hurdle to speed and agility, software-defined segmentation is an enabler. The overlay approach to micro-segmentation does not rely on IP addresses, and is therefore completely decoupled from the underlying infrastructure. This structure allows policies to follow the workload, no matter what environment you are using. Therefore, security can move at the speed of innovation – and lower costs at the same time.

This fast pace is bolstered by automation. And, of course, automation slashes the rate of manual changes and updates – and therefore misconfigurations and errors. Automation supports real-time risk mitigation, even across multi-vendor security environments.

How can you gain visibility into firewall misconfigurations?

Understanding firewall misconfigurations starts with mapping connections, because you can’t protect what you can’t see (or don’t even know exists). In addition to providing stronger, faster security, using a solution like Guardicore Centra enables you to gain granular insights into your communications and connections. That way you can see misconfigurations at a glance, identify unusual behavior, solve open ports or broad permissions, and tackle issues such as inconsistent authentication procedures.

Moreover, Guardicore Centra goes beyond visibility to provide the security that you need to support a Zero Trust-based framework. Specifically, Guardicore covers the main pillars of Zero Trust by securing:

  • People with user-based policies.
  • Endpoints through security policies and enforcing compliance using OSQuery.
  • Workloads in any environment by providing policies that follow the workload and are not tethered to a specific infrastructure.
  • Networks and devices by securing device access to the data center.

Why do you need software-based segmentation vs native cloud controls?

For those of you who rely on the built-in firewall capabilities of cloud providers – hopefully by now you know that software-based segmentation does much more to secure business environments than can be achieved by native cloud controls alone.

Native cloud controls are outside of the visibility and control of network security teams. Those teams need visibility in order to manage connectivity for business-critical applications or micro-segmentation projects. Perhaps this is why Gartner acknowledges that, “Agent-based micro-segmentation has become the standard for micro-segmentation platforms.”

How do you dynamically scale security while avoiding misconfigurations?

Once you’ve mapped out connections, you’re well placed to create consistent policies that follow the workload. You can then avoid playing continuous catchup with network firewalls that simply weren’t built for dynamic, auto-scaling environments or DevOps pipelines and agility. If, by chance, you should miss a misconfiguration, a strong micro-segmentation approach enables you to isolate critical assets and data so that a potential breach can be contained and mitigated, fast.

Leave legacy firewalls behind and lower risk in your own environment

Chances are good that you already have firewall misconfigurations that are opening you up to unnecessary risk. Hybrid cloud environments have added another layer of complexity to today’s data centers, creating even more opportunities for firewall misconfigurations.

Guardicore Centra is one tool that covers any environment and provides superior security capabilities, offering the flexible, fast, and cost-effective protection today’s businesses require. Guardicore enables you to take the challenges of a hybrid data center head on, providing visibility and control where you need it the most.

Ready to find out more about how to reduce risk in your own environment? Sign up today for a free personalized Risk Reduction Assessment Report to find out how much you can shrink your attack surface using Guardicore’s software-based segmentation solution.

Attack Surface Reduction Analysis

Get a no-touch, zero-impact, personalized report that quantifies risk reduction from using software-based segmentation in your own environment

Quantify Your Risk Reduction

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA ImageChange Image

‹ Back to Guardicore Blog