
Most firewall policies out of control, too complex
27 February, 2009 By Chris Talbot

A survey of 253 IT network, firewall and security executives from Fortune 1000 companies found that poor firewall management practices are creating security gaps, compliance violations, substandard firewall performance and premature device purchases.
According to Jody Brazil, CTO of Secure Passage, the results of the survey are shocking, but not necessarily surprising. All respondents admitted that firewall policies are complex and that they need help, but the survey found that "too few" understand the full impact of the problem.
"We see that well over 70 percent of the respondents realized their policies were complex, even to the point of being out of control," Brazil said. In fact, 73 percent of the IT executives surveyed said their firewall rule bases are too complex or out of control.
It's not just that they feel policies are annoying and time consuming, Brazil said, but they recognize that the overly complex policies are often leading to security gaps. Critical firewall devices have become so complex that things are missed, and they end up creating gaps in the security instead of blocking inappropriate access, he said.
However, it's not the devices themselves that are the cause of the problem, Brazil said. The technology isn't vulnerable; it's the misconfigurations of the devices that cause the vulnerabilities, he said.
"It's really simple to add new rules to meet the business challenge," he said.
In many cases, though, a typical enterprise with even a moderate-sized policy of 300 rules may find up to 50 percent of those rules aren't even being used. They had a purpose at one time, but now they're no longer necessary.
"People simply don't have the time to analyze if it's still necessary, which leads to these security gaps. It's a very, very common problem," Brazil said.
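The analysis Brazil says nobody has time for is mechanical enough to script. The following is an added example, not code from the article or from Secure Passage: it takes a rule base with per-rule packet counters (the kind `iptables -L -v -n -x` or a vendor's hit-count export produces) and flags three things that the survey respondents tie to security gaps and wasted capacity: rules with zero hits, rules that are shadowed by an earlier, broader rule and therefore can never match, and accept rules with no source or service restriction. The rule base and its hit counts are constructed for the example; the `Rule` structure and the helper names are assumptions, not any product's API.

```python
"""Offline audit of a firewall rule base (added example, constructed data).

Flags rules that never match (zero hit counter), rules shadowed by an
earlier rule that already covers all of their traffic, and accept rules
with no source or service restriction.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    rid: int              # position in the rule base (first match wins)
    action: str           # "ACCEPT" or "DROP"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    hits: int             # packet counter exported from the device


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    if not ip_network(narrow.src).subnet_of(ip_network(broad.src)):
        return False
    if not ip_network(narrow.dst).subnet_of(ip_network(broad.dst)):
        return False
    if broad.proto != "any" and broad.proto != narrow.proto:
        return False
    if broad.dport is not None and broad.dport != narrow.dport:
        return False
    return True


def find_unused(rules: List[Rule]) -> List[int]:
    """Rules whose counter is zero. Only meaningful if the counters span a
    representative window (a full business cycle, not just since reboot)."""
    return [r.rid for r in rules if r.hits == 0]


def find_shadowed(rules: List[Rule]) -> Dict[int, int]:
    """Map rule id -> id of the earlier rule that fully covers it.
    A shadowed rule is unreachable regardless of its own action, so a
    'permit' added below a broad deny silently fails, and a narrow deny
    added below a broad permit silently does nothing."""
    shadowed: Dict[int, int] = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                shadowed[rule.rid] = earlier.rid
                break
    return shadowed


def find_permissive_accepts(rules: List[Rule]) -> List[int]:
    """Accept rules with any source, any protocol and any port."""
    return [
        r.rid for r in rules
        if r.action == "ACCEPT" and r.src == "0.0.0.0/0"
        and r.proto == "any" and r.dport is None
    ]


def audit(rules: List[Rule]) -> Dict[str, object]:
    return {
        "unused": find_unused(rules),
        "shadowed": find_shadowed(rules),
        "permissive": find_permissive_accepts(rules),
    }


# Constructed rule base with constructed hit counters; not from any real device.
RULES = [
    Rule(1, "ACCEPT", "10.0.0.0/8",     "10.1.2.10/32", "tcp", 443,  918221),
    Rule(2, "ACCEPT", "0.0.0.0/0",      "10.1.2.0/24",  "tcp", 80,   55012),
    Rule(3, "ACCEPT", "192.168.5.0/24", "10.1.2.0/24",  "tcp", 80,   0),  # covered by rule 2
    Rule(4, "ACCEPT", "172.16.0.0/12",  "10.9.9.9/32",  "tcp", 3389, 0),  # decommissioned host
    Rule(5, "ACCEPT", "0.0.0.0/0",      "10.1.3.0/24",  "any", None, 4110),  # any service from anywhere
    Rule(6, "DROP",   "0.0.0.0/0",      "0.0.0.0/0",    "any", None, 2000000),  # default deny
    Rule(7, "ACCEPT", "10.0.0.0/8",     "0.0.0.0/0",    "tcp", 22,   0),  # added below the default deny
]

if __name__ == "__main__":
    for finding, value in audit(RULES).items():
        print(f"{finding}: {value}")
```

In the constructed data rule 3 and rule 7 show the two ways a zero counter arises: rule 3 is simply redundant with rule 2, while rule 7 is a business request that was approved and added but never took effect because the default deny above it matches first. Rule 4 is the legacy case Brazil describes, a rule that once had a purpose and now only widens the policy. A zero hit count alone does not justify deletion; the usual practice is to disable the rule for a change window and remove it only if nothing breaks.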
Other key findings from the survey included:
-- Fifty-nine percent of respondents said they feel that a lack of management tools makes policy management difficult.
-- Seventy percent believe that unused rules make firewalls difficult to manage.
-- Sixty-five percent responded that unused rules lead to potential security gaps.
-- Forty-three percent stated that unused firewall policy rules negatively impacted performance and led to the premature purchase of new firewalls.
-- Only 35 percent perform audits continuously or once a quarter, but 77 percent think it should be done that often.
-- Seventy-five percent perform manual audits using their own staff.
-- Seventy-one percent cited limited staff resources as the number one reason why more analysis is not performed.
-- Sixty-five percent stated that the process was too labor intensive.
-- Sixty percent responded that it was not a management priority to allocate resources or budget to this problem area.