As businesses’ IT environments expand with remote teams and new cloud services, firewall management has become a more vital – and a more complex – task. But how much of an opportunity does it represent for your business?
Chris Crellin, Senior Director of Product Management, Barracuda MSP, responds to timely questions, giving managed services providers (MSPs) and value-added resellers (VARs) a snapshot of how firewalls are being managed, tips for how to educate your clients and prospects on their need for more effective solutions, and important trends to factor into your planning.
Do businesses struggle with firewall configurations that balance security with legitimate traffic?
Crellin: According to Gartner, definitely, even if businesses might only realize it later. Let’s face it — in today’s world of dependence on Software as a Service (SaaS) applications, internet-based office suites and file sharing, the IT departments are doing their best to support business processes. This often means, knowingly or unknowingly, putting security precautions to the side. This is why Gartner estimated that by 2020, more than 80 percent of data breaches may have been preventable by proper configuration. All of this is exacerbated by the move to the cloud. To tackle this problem, there is even a whole new product category to help automate security policy compliance: Cloud Security Posture Management.
What are other facets of firewall management do businesses have trouble managing?
Crellin: To begin with, the sheer size of services in use by today’s companies. When the stateful inspection firewall was invented, the company network was comparatively simple and easy. There was the “inside” and the “outside.” Inside was safe as applications were generally hosted in a subnet called the DMZ that was accessible by all networks. The outside was considered bad, and any traffic originating from the outside either was blocked from the beginning or scrupulously checked by the firewall with built-in IPS, anti-malware, known bad IPS filters, etc.
With the advent of the myriad of cloud and SaaS applications, this model is completely obsolete today. According to a survey by Blissfully, a small 18-person company, for example, is using up to 81 different cloud-hosted or SaaS-based applications, translating to more than 400 unique connections to the internet for valid company work.
The time when next-generation firewalls were invented to control and sanction use of application traffic are over too. Today, it is about providing enough bandwidth for a favorable user experience and block out credential theft by advanced phishing, smishing and other types of attacks. Malware dissemination via the internet has gone down 100-fold while the number of credential theft attacks has gone up exponentially. See the Google transparency report.
Do businesses have internal resources that are skilled enough to manage firewalls on their own?
Crellin: Even the most experienced firewall administrators can make honest mistakes. You’ll never really know where things stand until you have the proper visibility and understanding of the network and applications. As networks are becoming more complex and firewall rule sets continue to grow in size, it is increasingly difficult to identify and quantify the risk introduced by misconfigured or overly permissive firewall rules.
The major contributor to firewall policy risks is lack of the proper understanding of exactly what the firewall is doing at any given time. Even if traffic is flowing and applications are working, it doesn’t mean you don’t have unnecessary exposure. IT and network security professionals are continually thinking about the choices they’re making today, and the resulting risks those choices can create moving forward. Everything you and your team do that is related to your firewall policies moves your network either toward better security or increased risks. To help with this process, there are new tools for Firewall Policy Management.
The truth is that many small to mid-sized companies often neither have the budget nor the resources to properly deal with these challenges. The smarter ones outsource these tasks to a Firewall as a Service (FWaaS) offering or a managed security service provider (MSSP).
What’s the best way to demonstrate to a prospect that their company’s firewall may be misconfigured?
Crellin: This greatly varies, as there is no one and only way, as this significantly depends on the company type and the type of business and hence allowed types of traffic. In general, the more firewall rules, the more likely a misconfiguration is in place. Most next-generation firewall providers include some kind of simulation tools, also known as rule testers, that show the usage of a rule, for example, if a rule has been in use over a certain time period. Most often, you’ll find rules that haven’t been in use, and nobody wants to touch because nobody knows if it might be needed. This is a good sign for a firewall out of control.
How can MSPs build a firewall management offering with a solid value proposition?
Crellin: There is a myriad of security solutions out there claiming to be the easiest to use or the most secure, the most automated, the most anything. Narrow down your portfolio to a few solutions, or tools, that allow you to provide the services you want to offer and keep close contact with the technology provider. Make sure the technology is operable on an API basis, keep your staff trained at efficient usage of these tools and automate as much as possible. For example, zero-touch deployment enables direct shipment to the end customer to plug in the appliance himself, and it auto-configures, which saves a lot on travel costs. Devices that are only accessible via web UI might be hard to diagnose, so make sure to have an alternative access or the ability to pull logs on an automated basis. Start by offering a teaser service with upgrade potential. For example, a managed firewall that can potentially also run SD-WAN, URL filtering, bandwidth optimization or act as a cloud proxy for Zero Trust Networking.
How much of a demand for firewall management do you predict in the next 1 or 2 years?
Crellin: Firewalls have been with us shortly after networking, and the internet appeared. New technologies typically merged into the firewall (i.e., IPS, Application Awareness, Sandboxing, SD-WAN), and there is no sign that the firewall itself, or the need to manage the firewall, will go away. It might, however, morph and look differently. The more workloads you put into the cloud, or if SASE offerings become part of the equation, you might no longer be managing a physical box in your company’s data center or edge. But, with a cloud service or microservice, the inherent problems will be mostly similar.
What advice can you offer MSPs offering firewall management services?
Crellin: As mentioned previously, make sure to start with a few technology providers as possible. Also, ensure the technology is stackable, i.e., additional functions can be activated after deployment. A nice way to offer additional service and drive revenues is through automated reporting. Once set up, this is easy to maintain and becomes an automated cash flow generator. Also, do not forget the public cloud. Regardless of company size, everybody either already has something in the cloud or most likely will shortly. Make sure you can answer your customers’ questions around cloud security, availability and performance of cloud-hosted applications.