ARN

Roundtable: Next gen firewalls - when old security isn't enough

Next Gen Firewalls remain a vastly untapped technology – the same victim of hype and overselling that has damaged the reputations of other technologies such as Big Data and Cloud
From Left: Ryan Ettridge (Dimension Data), Patrick Budmar (ARN), Louis Abdilla (Content Security), Stephen Parker (NewLease), Joe McPhillips (McAfee), Justin McGarr (McAfee), Cam Wayland (Channel Dynamics), Gordon Anthony (GA Systems), Richard Charlton (IPSec), Allan Swann (ARN), James Boyle (NetStrategy), Patrick Butler (Loop Technology)

Next Gen Firewalls remain a vastly untapped technology – the same victim of hype and overselling that has damaged the reputations of other technologies such as Big Data and Cloud. However, unlike Big Data and more similar to Cloud, it is finally getting some mainstream acceptance, and sales are rising. So how can a reseller make the push to install what is, by some accounts, an essential part of any modern security infrastructure?

One of the key challenges facing any IT department looking to implement next gen firewalls (NGFW) across any business is exactly that – it’s a technology that spans the entirety of the business. It is this complexity of policy management that translates into problems at the operational level, especially for anyone looking to implement it as a managed service, Channel Dynamics director, Cam Wayland, said.

“It’s beyond the ability of the IT department now to be able to manage the Next Generation Firewalls, because it spans beyond the IT department into the operational areas that don’t want it. They actually need this security, but they don’t want it or know that they need it,” he said. Dimension Data Queensland practice manager - security, Ryan Ettridge, said having a dynamic implementation is key – and that’s something that hasn’t changed from the last generation of firewalls to the current.

“Traditionally you’d take a couple steps back and think about what the intention of a firewall was; it was about segmenting different types of risks, and it’s no different now,” he said.

“In our constantly dynamic and flexible environments, we need something that is going to be just as dynamic and flexible in terms of the policies that we allow through those walls. It’s about the intelligence in terms of threats, and being able to determine what the sources and the destination is - so applications and users,” he said.

The original firewall was designed when things were a fair bit simpler. An access control policy built on a list of ports and protocols was very manageable, because there weren’t that many applications that you had to allow. Nowadays the number of network applications has exploded, whether it’s Skype, Facebook or Dropbox.

A key part of NGFWs is the simplification of the interface. GA Systems CEO, Gordon Anthony, said it isn’t just important for the staff running the firewall, but for wider management. Being able to reduce a problem to something that anyone can understand is vital nowadays.

“It’s certainly easier to explain it to senior management. It’s quite simple looking at the applications, looking at who’s using what and what rules you’re implying,” he said.

Firewalls as risk management

Content Security managing director, Louis Abdilla, said any security sales pitch should be made to the business owners or executive as part of a risk management offering, same as insurance. It also offers better options for value add on a sale.

“It’s not at the IT department because the IT department is being asked to cut back spending and budget. It’s actually at the business level, where you say ‘If you don’t do it fine, but these are the potential risks’,” he said.

“So if they’re happy to live with that, that’s okay. You can then list the options that they can go through, from good, better, best, in terms of what they feel their level of risk aversion is in terms of their business strategy.”

McAfee’s new NGFW APAC sales director, Joe McPhillips, agrees. The importance of security and firewalls is often overlooked in the grand scheme of risk strategy. A security breach to a business is worse than an insurance payout on a burned down building.

“Maybe it’s time to try and get businesses to introduce actuaries into their IT department?” he said.

Ettridge thinks the risk assessment problem is far worse than that.

“If your source plans are gone, they’re not coming back. It doesn’t matter how much insurance you’ve got, you’re out of business. So I always liken it more to the safety industry. It’s about providing protection: you’ve got a car with airbags so that you don’t die, rather than life insurance so that your surviving wife gets payment,” he said.

NewLease head of Cloud strategy, Stephen Parker, said firewalls and security need to actually be pitched as part of the company’s competitive advantage.

“What C-level execs hear is things like: ‘my intellectual property could be stolen, which is my competitive advantage’, or, ‘my share price would be hit.’ Even ‘Let’s look at three companies who’ve had a breach and their share price took an X per cent dive.’ ‘What about our reputational damage?’ Security needs to be presented in a language they can understand,” he said.

Cloud has made the delineation between on premise and off premise computing moot.

Historically, a firewall was used to keep baddies out. Now there is no firm boundary, no wall determining what is inside and outside the firewall – data flows freely in every direction. All of your data isn’t necessarily in the building that you own, or even in the datacentre, it could be anywhere; it could be on a device or in the Cloud.

Part of the problem with the security market, and much of this is due to marketing hyperbole, is that we have a very black and white view of security. You either have it foolproof, or you don’t and you will be wrecked by malware. Actually it works in varying levels, but the most important thing to remember is that no system is ever 100 per cent secure.

Look at some international humiliations, such as the theft of the Australian Security Intelligence Organisation’s (ASIO) blueprints for its new building in Canberra, and the US military’s loss of its blueprints for the new F-35 Joint Strike Fighter (which Australia has agreed to buy another 58 planes for $12bn): both were hacking jobs originating in China. Chances are, if someone really wants to get at your information, they can.

New privacy laws

With such a variety of non-technical threat vectors, how does a security manager keep up – especially now that Australia’s new privacy laws mean that a company can be harshly fined, and (presumably) the staff member sacked, as a result of any breach?

Telstra was recently fined a hilariously small amount, $10,200, for breaching the privacy of 15,775 customers. Even under the new amendments to the Australian Privacy Act 1988, the maximum fine that can be delivered is just $1.7 million – chump change to a corporation of Telstra’s size.

Most of those at the ARN table seemed to agree that the financial imperative of the new amendments was unfairly weighted against small businesses, but it was agreed that the reputational damage is where the law might have more sticking power.

“The majority of our clients aren’t yet as proactive as they need to be, but with compliance and regulation bodies it is raising that profile a bit. And it is the old adage of compliance is binary and security isn’t. Security is a process and it’s an ongoing process and compliance is point in time,” Dimension Data’s Ettridge said.

The biggest problem is the tight nature of the market – resellers are making promises they can’t keep to pull in the clients, and the clients themselves have far less money and resources to expend on security. The key change has been the compliance push by government (including local government), which refuses to work with non-compliant partners. This is now infecting the private sector. It means businesses who had been dragging the chain are now panicking to get up to speed, be it PCI or ISO 27001.

“We had a big customer say to us if you guys don’t follow this compliance, sorry we can’t do business with you,” Content Security’s Abdilla said.

“You’ve got to follow the compliance; because I believe state government like New South Wales’ police and transport - they’ve all started to do 27001. It’s going to go down. It’s going to be pushed down to all the other bodies, probably down to local area councils as well.”

Case for managed security services

It’s not just tough for smaller entities, but the bigger players too. The biggest retail hack in US history, the 2013 Thanksgiving hack of Target’s servers, in which malware stole credit card data from all 1797 of Target’s stores, saw the CIO fired and the company’s share price suffer.

Worse still, the company had just installed a brand new $1.6 million FireEye malware detection tool. The software worked as it should – the problem was that there were so many alarms going off during the hack that the staff had no idea what was going on or how to respond. You can’t exactly shut down the system on America’s biggest shopping day of the year.

IPSec’s Charlton has seen this kind of neglect all across the market, from SMEs to larger enterprises, which actually makes a case for managed security services.

“You’re doing an audit and say ‘when did you last check this?’ and you notice the last login time was X months ago. It’s just obvious that security checking is not front of mind. And I think that’s the challenge now, and also why I think security as a managed service makes so much sense.

“It gives them the peace of mind, some predictable cost of ownership as well, and access to skill sets they could never retain in-house. And when there are updates and things that they need to know, it just gets done for them,” he said.

For suppliers and integrators, it’s also a matter of liability. It’s important to differentiate between a managed service and a supply contract with support. Part of training the staff who run this security technology in their business is to ensure your contracts are tight, and that they know where the liability lies.

“A lot of it’s around mitigating risk for us as a supplier. If I sell someone a next generation firewall and they think that that’s the key pillar of their security; is it going to make them 100 per cent secure? No, but a lot of the times there are cases where the security or IT teams think that,” Loop Technology’s Butler said.

“They think through working with an expert and a partner that they’re getting that protection, and they almost want to outsource that risk to us. So a lot of what we’re doing at the moment is actually going to customers and making them aware that whilst they’re doing a couple of things, here are the things that they’re not - and we’re not going to take responsibility for that.”

Onus on the MSP

However, it does put the onus on the managed service provider to ensure that their own processes are up to scratch – you can’t be negligent either.

“The client is trusting you to have the right processes and procedures in place. But, ultimately, they can’t remove the responsibility for being compliant. Ultimately, they have the legal responsibility, and yet they’ve outsourced it to you. So how do you give them comfort that you are doing things right?” NewLease’s Parker said.

Put simply, write your contract correctly. This will be much more of a concern going forward, according to Content Security’s Abdilla.

“It’s about being clear upfront when you’re in that negotiation and contract development: what are we actually doing for you? You’ll find if there’s people out there that are trying to oversell, and sell this idea of being the MSP that’s going to protect them, that might come back to bite them,” he said.

GA Systems’ founder, Gordon Anthony, noted that Security-as-a-Service means that more involvement with lawyers is an unfortunate reality for the channel.

“It’s a much more difficult scenario, which is unfamiliar to us all, these legal ramifications. So I’m sure most of us spend more time with the lawyer before embarking on contracts than we ever had before, because we’re moving in quite dangerous territory. But the fact is, we’re all going to be, because that’s the way the industry is going,” he said.

Cloud reseller market

The emerging Cloud reseller market is in another tight spot here – especially if onselling public Cloud services. Amazon, Google and Azure have all made sure their contracts are watertight – they aren’t liable for (physical) disasters, loss of data, or security.

“A lot of clients are nervous because they’re experimenting with things like say Amazon or Office 365. As they start moving some workloads out of house, while security is not perfect inhouse, once you take it out of house with Amazon, there’s a lot more unknowns about it. So I think there’s an opportunity for the channel in terms of consulting as well, in terms of sharing best practice.

“We’ve had a number of clients now they’re doing say IPsec VPN up into Amazon using next gen firewall to actually move some workloads up there,” Charlton said.

“If your connection is fast enough, the client doesn’t even know where the resources are. That’s the way Cloud should be, but they can still provide a high level of assurance and control. But they have to manage the security at the Cloud provider with their own on premise toolset. From that point, they just treat it as another location; it just happens to be Amazon rather than one of their branch offices.”

Parker believes that Cloud is actually more secure than on-premise anyway.

“If you actually go out and talk to most small to medium businesses you go ‘where’s the server?’ In the middle of the office. Q: ‘Who looks after it?’ A: ‘Anybody and everybody because we’ve all got admin rights to it.’ Q: ‘And who’s the person who’s really responsible, or is it the intern who comes in once a year in summer?’, ‘Anybody else get at the server?’ A: ‘No. Well, apart from the cleaner.’ Q: ‘When does the cleaner turn up?’ A: ‘After hours when nobody’s there,’” he said.

“Then they think, ‘hmmm, maybe the Cloud isn’t quite as bad as I thought it was.’ It’s that kind of logic, and I’ve had the same conversation with lawyers and accountants. I’m not saying security in the Cloud’s perfect, but just go and have a look at what you’ve got today on premise.”

Butler said public Cloud has already made traditional firewalls obsolete, meaning it’s NGFW or nothing.

“It’s an imperative to the Cloud. Amazon’s not going to tell you what port and protocols it uses. I mean they might to some extent, but you’re not going to go down to a low level of detail providing your policy, and how that’s going to go into your old style firewall. What you need for the Cloud is a firewall that has applications and users. So if you move into the Cloud it’s actually almost imperative that you should be looking into some sort of next generation firewall to help you,” he said.

Too many alarms

Five years ago, when NGFWs first started appearing, many of the pioneers in this field pretty much assumed that we had ‘the magic wand’, and everyone would immediately throw out everything they had and buy the new toy. It didn’t happen. Butler believes it’s because NGFW has a perception that it’s difficult to manage.

“It’s more that it’s difficult to transition from this really complex old way of thinking around ports and protocols, how does that map in? Because it doesn’t, it doesn’t map in at all. You’ve got to actually go and talk to the business and say ‘well, let’s work out what applications we want, what users to access’,” he said.

“A lot of the people were scared of that conversation so they just said: ‘No, I’m not going to go next gen, I’m going to stick with my port and protocol because I can migrate the policy across quite easily.’”

Ettridge agreed: NGFW take-up has been stifled by timidity in the industry, but also by the extra expertise and monitoring time it takes.

“Traditionally firewalls were managed as network infrastructure. As it was switched on and things were passing through the firewall it was working and doing its job. If you could see that and you could see that you were blocking things that shouldn’t go through it, then that was good enough,” he said.

“But as you start to throw in more advanced technologies that do require a bit more complexity in terms of your skill sets and expertise - intrusion management, for example - you need to update that all the time. You need to tune that, and you need to monitor it, and you need to make sure that you can respond to a threat once you’ve actually applied those policies.

“The more things you chuck into a next gen firewall the harder it becomes to manage. Even if it is automated, if you’re under attack and you don’t have any analysts in there to do something about it, and you don’t know what you need to do to respond, a NGFW doesn’t do anything.”

Mandatory disclosure

Ethically, there is also a lot of personal backside-covering at play.

“There’s a lot of what goes on that doesn’t get discovered, or doesn’t get disclosed or gets quietly disclosed and not really widespread knowledge,” IPSec business development manager, Richard Charlton, said.

Abdilla agreed: “The culture is, if people have a security breach they try and cover it up, because the security guys don’t want to let it be known that they’ve missed something and the owners don’t want to be exposed.”

This is where the Australian Government’s big legislative flop comes to the fore – the lack of mandatory notification laws, which already exist in most first world countries. Everyone at ARN’s roundtable agreed this was a huge wasted opportunity. The bill never made it to the floor in the Rudd/Gillard government, but may have a second life via The Senate. This would be a huge driver for the Australian security industry, an overnight boom.

Loop Technology information security specialist, Patrick Butler, believes it was a disaster for the industry.

“That’s why the biggest issue for us in Australia was the fact that mandatory notification laws didn’t get passed, the single biggest impact to each of our businesses,” he said.

“However, if they did pass the mandatory data breach notification we’d be run off our feet, all of us.”

Refresh cycles

Part of the problem with firewalls, and indeed security of any kind, is that the technology moves faster than any company’s budget. Hackers and the security software and firewall manufacturers are in a constant arms race. For software, this is less of a problem – download patches and updates regularly and you can keep up to speed. But in terms of hardware refreshes – which is the category NGFWs fall under – you’re still looking at the usual IT budgetary constraints and refresh cycles.

“We’ve seen an explosion of interest in the last five years from companies, but the reality is, they buy a firewall to last roughly three to five years typically,” NetStrategy CEO, James Boyle, said. So are NGFWs something that gets added on top of existing hardware, or are these businesses looking to implement from scratch? “Well, typically what we’re seeing is the rip and replace. There was a discussion earlier about the fact that we do a lot where we put in and show them what they’re missing and what the existing firewall is missing,” he said.

“In a lot of cases those companies are like ‘well that’s great, we got all these botnets going around our network but let’s just wait until the refresh, until our subscription has expired.’ So that’s still that old mentality at work.”

Burdened users

The problem with any security implementation, and NGFWs are the same, is that if the defensive measures are too strong and burdensome, users will find their own way around them. Schools, for example, spend a lot of time on security, but tech-savvy kids don’t have any problems getting around it – and this is the same with businesses.

“Schools put a huge amount of time and effort into locking down their network and end up with almost a false sense of security. I’ve got a 13-year-old and a 16-year-old, all they say is ‘I can’t get on through the school network, let me tether to my iPhone because I’ve got a data plan on it.’ It completely bypasses all the security,” Parker said.

“If enterprises are doing the same thing - we’ve actually put a huge amount of time, effort, money, resources into locking everything down. And it’s wasted. We believe we are secure but the reality is, the more we lock it down, the more people just find ways to go around it.

“So the real challenge is: do you actually lock it down so nothing can happen? Or do you allow stuff to actively go through it, and track everything?”

Wayland agrees, noting that workplace time pressures mean that work-oriented goals sometimes come before best practice.

“If you do an audit on a customer’s network, what they think are the number of applications that’s running on the network, versus the actual applications that are running on the network - they’re two widely different numbers, and actually a different variety of applications,” Wayland said.

“It’s been a long time since I worked in a corporate but that was because my IT department was completely unresponsive. The business is under pressure to do things and so you do workarounds.”

For example, how do you police an employee’s phone, chock full of Android malware, from jumping on the company wi-fi and infecting your network? It’s also a problem of the number of users, GA Systems’ Anthony said.

“So every time we install a net product it’s usually three times the number of users that we anticipate,” he said.

Defining Next-Generation Firewalls… how to know if someone’s selling you a goose?

Obviously companies approach NGFWs differently, and add or subtract features as they see fit, but here is a neutral definition of what the industry generally considers an NGFW. Remember, just because a vendor uses the term doesn’t necessarily mean it offers an actual NGFW. As in every aspect of our business, marketing hyperbole can overwhelm facts.

  1. It has all the standard firewall features such as packet filtering, network address translation and VPN capabilities.
  2. It is usually directly integrated as part of the network to help with intrusion prevention.
  3. It protects at the application layer, or has “application awareness” – this means it is capable of not only identifying applications and their functions, but also allows you to apply selective controls at this application layer (i.e. allowing Skype video calls, but blocking instant messaging or file transfers).
  4. NGFWs usually draw on outside intelligence to improve filtering decisions, such as trusted reputation services, or identity sources such as Active Directory.
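To make the definition concrete, here is an added illustration (not code from the article or from any vendor’s product) of the gap between a port/protocol rule base and the application- and user-aware policy described in points 3 and 4: every constructed flow below rides TCP 443, so the legacy rule base must allow or deny all of them together, whereas the NGFW rule base can permit Skype video for staff while blocking Skype file transfer, restrict Dropbox to one group, and drop traffic to a destination flagged by a reputation feed. The user-to-group map, the reputation list, and all addresses are constructed stand-ins for a directory lookup and a threat feed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    user: str        # identity the firewall resolved from a directory (assumed)
    dst: str         # destination address
    proto: str
    dport: int
    app: str         # application as classified by the firewall's app engine
    function: str    # sub-function: "video", "chat", "file-transfer", "upload"

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    app: Optional[str] = None         # None matches any application
    function: Optional[str] = None    # None matches any function
    groups: frozenset = frozenset()   # empty matches any user
    proto: Optional[str] = None
    dport: Optional[int] = None

# Constructed identity source standing in for a directory lookup (AD groups).
USER_GROUPS = {"alice": {"staff"}, "bob": {"staff", "marketing"}, "guest": set()}
# Constructed reputation feed: destinations flagged as hostile.
BAD_REPUTATION = {"203.0.113.9"}

def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every field it specifies agrees with the flow."""
    for name in ("proto", "dport", "app", "function"):
        want = getattr(rule, name)
        if want is not None and want != getattr(flow, name):
            return False
    # Empty groups means any user; otherwise the user must belong to one of them.
    return not rule.groups or bool(rule.groups & USER_GROUPS.get(flow.user, set()))

def decide(rules: list, flow: Flow, reputation: bool = True) -> str:
    """First-match evaluation; reputation is checked first; default is deny."""
    if reputation and flow.dst in BAD_REPUTATION:
        return "deny"
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Port/protocol rule base: the only vocabulary it has is "TCP 443".
LEGACY = [Rule("allow", proto="tcp", dport=443)]

# Application/user rule base for the article's example: Skype video for staff,
# Skype chat and file transfer blocked, Dropbox only for marketing, rest denied.
NGFW = [
    Rule("deny", app="skype", function="file-transfer"),
    Rule("deny", app="skype", function="chat"),
    Rule("allow", app="skype", function="video", groups=frozenset({"staff"})),
    Rule("allow", app="dropbox", groups=frozenset({"marketing"})),
]

# Constructed flows; all ride TCP 443, so the legacy rule base cannot tell them apart.
FLOWS = [
    Flow("alice", "198.51.100.7", "tcp", 443, "skype", "video"),
    Flow("alice", "198.51.100.7", "tcp", 443, "skype", "file-transfer"),
    Flow("alice", "198.51.100.8", "tcp", 443, "dropbox", "upload"),
    Flow("bob", "198.51.100.8", "tcp", 443, "dropbox", "upload"),
    Flow("guest", "198.51.100.7", "tcp", 443, "skype", "video"),
    Flow("bob", "203.0.113.9", "tcp", 443, "skype", "video"),
]

def compare(flows: list = FLOWS) -> list:
    """(user, app, function, legacy verdict, NGFW verdict) for each flow."""
    return [(f.user, f.app, f.function,
             decide(LEGACY, f, reputation=False), decide(NGFW, f)) for f in flows]
```

Running `compare()` shows the legacy base allowing all six flows while the NGFW base allows only the two the policy actually intends.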