Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

EventID.Net Documents

Challenges in managing firewalls

By Adrian Grigorof, B.Sc., MCSE

Day by day, all organizations (read "the management") become more aware of the dangers lurking the Internet. More people learn what a firewall is and more IT administrators soon become firewall administrators too. However, many challenges await these people. I would try to emphasize some of them and provide some solutions or maybe just an advice on how to cope with them.

Challenge no. 1 - No training.
Most managers think of firewall as just another device, more or less similar to the computers already buzzing in the rack. Now, dealing with a firewall means being in the same time a "computer guy", "security guard", "forensic analyst", "hacker", "policeman", "ethics watchdog" - just to mention a few. Yet, if you get time to read manuals, you are a lucky one.

Solution no. 1 - Lookup training courses for the specific firewall or firewalls that you use. Extract the "deliverables" of the course and put them in a "non-nonsense" form so your manager would not dismiss them as just (another) attempt to take few days off. Tell him or her that you will document what you have learned so the other people in your department will benefit from this. If the company will ever bring a security auditor to evaluate the IT security, this would be something for their liking (trained administrators that is).

Challenge no. 2 - Firewalls are quite different
You have mastered your Cisco Pix firewall and now every new configuration requirement is just a matter of few clicks in the telnet window. However, the new e-commerce project just brought you a new Symantec Enterprise Firewall running on Windows 2000. They are as different as Linux and Windows are or maybe more. Still, you being the "firewall guy" everyone expects that configuring the SEF is your job and the learning curve should be quite steep.

Solution no. 2 - In dealing with new projects be proactive and find out in advance what kind of firewalls are proposed. Sometimes is just a matter of preference from the network architect. If they know in advance what is your expertise they may use the existing technology. Obtain testing hardware and perform as many tests as possible using the new firewall. If possible get training (see challenge no. 1). Lookup resources on the Internet for that specific firewall, learn about compatibility between your existing and your new firewall. Use the findings as justification for training and tests time and resources.

Challenge no. 3 - Responsible for security
Since you are the firewall guy, suddenly everyone assumes that anything to do with computer security is your responsibility. That is internal security, dial-up / VPN security and of course anything related to Internet. And everything is fine until the first incident. Soon, managers from all levels will enquire how could that happen, why nobody did anything to prevent that, etc. Unless you are an experienced firewall administrator, you would be caught off guard and become the scapegoat of all the security problems.

Solution no. 3 - Review all the potential "dangerous" points in your IT infrastructure and identify who is responsible, if there are or not policies, who makes changes, who approves them, what are the risks and what it should be done in case of an incident. For example, take web servers - typically, the web administrators have full rights in managing these servers and most of them don't have "security" as the first priority. You would have some input regarding what protocols can go where but it would be almost impossible to review the code behind the web pages. Document and present to the management the fact that the code behind the web pages should be reviewed by security consultants specialized in this type of work, that there should be a change control policy and that every change should be reviewed, approved from a security point of view and signed off by a manager that is willing to assume responsibility. Identify administration tasks (from a security perspective) such as looking for hotfixes, service packs, new vulnerabilities, etc.. and request resources to perform these tasks (or if there are no resources, then the manager should agree that there are security risks and that he or she is assuming responsibility). You will be surprised how reluctant are managers on assuming this kind of risks and that they would rather put some effort in finding the resources.

Challenge no. 4 - Daily administration tasks
Being a firewall administrator for a medium or large organization should be a full time job by itself, however that's hardly the case (fortunately, from what we have seen, banks, telecommunication or companies doing work for the Defense Department do have dedicated firewall administrators). In most cases, the firewall admin has to take care of servers, routers, switches, be resources for new projects, participate at meetings and many more. A firewall requires special attention and it is not something you can easily transfer to a junior IT person. Analyzing the activity log for example requires experience in understanding what are the threats, recognizing them in the logs, knowing how to deal with such threats. On the other hand, these are time consuming tasks and unless there is an incident, these maintenance tasks are not performed.

Solution no. 4 - Identify the daily administration task, their duration and the type of resource required to perform them. Present them to the manager, along with the time that you are typically given to perform them (hint, is usually 1/10 from what it should be) and ask the manager to decide which one should be "taken out". Make sure you explain why each task needs to be performed and what are the risks of not performing it. This way, you will pass the responsibility for this decision to the one paid to take it - the manager. Your job is to provide the technical knowledge and act as a consultant for the decision maker.

Conclusion
Well, if you manage to control the challenges mentioned above, then you are in good shape and the security of your organization most probably is in good hands. Regardless, one has to be always aware that for this type of job, any failure is highly visible and there is little room for error.

If you have any comments, please send them to adrian.grigorof@altairtech.ca

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...