Aging Firewalls Create Risk

Aging Firewalls Create Risk

Outdated perimeter defenses offer minimal protection from sophisticated new cyber threats.

Firewalls have been the linchpin of network security for decades, serving as the essential gatekeeper between internal network resources and the outside world. As firewalls age, however, they can become a serious security risk.

Most security experts say network firewalls should be upgraded or replaced every four to five years. Anything older than that won’t have the processing power to adequately monitor and control modern network traffic loads. They won’t be able to inspect data payloads of incoming network packets or distinguish between different kinds of Web traffic, either.

Older firewalls based on stateful technology inspect and control traffic according to specific ports, protocols and IP addresses. That was effective when most network threats involved hackers scanning for open ports on network firewalls to attack. Today’s threats are far more sophisticated.

Many modern cyber threats can piggyback on legitimate application-layer network traffic, which allows their malicious payloads to bypass stateful packet inspection mechanisms. These threats include zero-day exploits, advanced malware and stealth bots that are smart enough to not only disable security protections and steal data but hide in your network while awaiting further instructions.

‘Flying Blind’

The lack of visibility into application traffic has become a significant vulnerability. In a Sophos survey of more than 2,700 IT decision-makers, nearly half reported they cannot identify much of their network traffic. That means they are essentially blind to ransomware, unknown malware, data breaches and other advanced threats, as well as potentially malicious applications and rogue users.

“If you can’t see everything on your network, you can’t ever be confident that your organization is protected from threats,” said Sophos Senior VP Dan Schiappa. “IT professionals have been flying blind for too long and cybercriminals take advantage of this.”

Firewalls can become increasingly complicated with age, too. After years of use, the rule bases that drive firewall actions can become bloated and inefficient due to expired, obsolete or duplicated policies. Companies commonly manage dozens of firewalls with thousands of individual policies and rules, making the entire environment notoriously complex.

This complexity greatly increases the chances of human error that creates an opening for hackers. One recent study found that IT executives are overwhelmed with firewall management responsibilities, with most reporting they must manually process up to 100 change requests every week. Furthermore, change management tends to be a largely impromptu process involving emails, spreadsheets and other outdated tools to create and track requests.

According to a Gartner research report, 95 percent of all firewall breaches are the result of misconfigurations rather than technical flaws. A misconfigured firewall rule that allowed overly permissive server access led to the 2019 Capital One hack that exposed more than 100 million customer records.

Assess and Upgrade

To minimize the risk of outdated firewalls, organizations should conduct periodic assessments and vulnerability to scans to identify misconfiguration issues, outdated or unused rules, and overly permissive access policies. It’s also a good idea to conduct traffic flow analysis to understand what types of application traffic are moving through the network. Ideally, companies should designate someone to manage the process and maintain current evaluations of all firewalls in use.

When firewalls reach the end of their useful life, organizations should replace them with next-generation firewalls (NGFWs) that augment traditional firewall capabilities such as packet filtering, network address translation and URL blocking, with more robust features such as intrusion prevention, Secure Socket Layer (SSL) and Secure Shell (SSH) inspection, deep-packet inspection, and reputation-based malware detection.

NGFWs are also application-aware, meaning they can distinguish one application from another and enforce granular security policies at the application layer. With the ability to understand details of Web application traffic passing through, the NGFW can make smarter blocking decisions based upon very specific criteria.

When choosing an NGFW, organizations must evaluate the architecture, performance impact and manageability. Understand the hardware and software architecture, how it will be engineered and integrated, and how it delivers the results your organization requires. Find out how a NGFW will impact network performance, if at all. Make sure throughput is tested when all security features are enacted with the appropriate number of connections.

An NGFW involves very specific policies and rules that enable for more granular, powerful security controls, but it should be intuitive and easy to configure, implement and maintain. Simple, centralized management is critical.

Firewalls remain a critical component of network security, but outdated technology brings significant risk. Regular assessments can help organizations identify any potential weak points, and obsolete firewalls should be upgraded to NGFW technology. It’s the best way to avoid the risk of game-changing security threats due to substandard protection.