Firewall Rule Complexity Studies

Avishai Wool’s review of only 80 Check Point and Cisco firewalls from unidentified organizations has prompted him to declare that security is on average still not well managed:

My findings show that 75 percent of the most complex firewalls have at least 20 errors in their configurations.

For example, I found Microsoft services are allowed to enter networks from the outside in 42 percent of the surveyed firewalls—which leaves the network vulnerable to numerous Internet worms. Additionally, a huge proliferation of network worms (such as Blaster) could have been easily blocked by a well-configured firewall.

Can you guess the product that Wool’s company, AlgoSec, sells? If you said a firewall rule analysis tool, you would be correct.

Wool released the same findings last year in 2010, which echoed findings from 2004, which followed flames and debates in security groups in 2003.

On Sat, Jun 07, 2003 at 12:42:26AM +0000, security () rexwire com wrote:

I remember once reading that X amount of firewall’s are misconfigured.

Does anyone know where I can get this statistic from? We are making some new marketing material and I would like to include this stat in it. A quotable source would be great.

Thanks

SKP

Attempts to quantify the cause of most firewall vulnerabilities were also published in 2003 by the Center for Education and Research in Information Assurance and Security (CERIAS).

These studies as well as experience from 2003-2007 are what led even financial industry regulators to remove a “dual-skin” requirement for firewalls around 2008. Vulnerability-based mitigation solutions (multiple platforms) gave way to a higher risk priority of properly managed firewall rules, and it has been this way for at least three years.

This was not to make a point about the importance of reducing complexity, but rather that complexity has to be under control or it will negatively affect firewall management — poorly managed firewall rules are thought to be more dangerous than ones with system vulnerabilities. So unnecessary complexity should be removed when possible, but that is very different from saying there is no place for multiple platforms at all.

Overwhelming evidence and prevailing security theory have suggested that diversity in firewall management increases operational costs (more training, tools, processes, etc.) and the rate of misconfiguration. A large enterprise will likely find that just two brands of firewalls can create the opposite effect of what is desired — more vulnerabilities are introduced rather than fewer, with more research and testing required, more time to patch, and thus more frequent and longer service outages.

Reducing all this complexity has clear advantages. However, it does not condemn the advantages of multiple platforms; rather it sets a higher priority security issue in front of it. Get a handle on the complexity of rules and those advantages may come back into focus.

Gartner published a document at the end of last year confirming half of that equation. They have reported some of what we all know from years of debate and experience managing firewalls.

Enterprises should standardize on one firewall platform to minimize self-inflicted configuration errors. It’s not more secure to use firewalls from different vendors, instead of using only one to protect enterprise networks.

Hot analysis tip: Gartner charges you $95 to tell you that the pain in your neck is, in fact, a pain in your neck.

The problem with the Gartner analysis is that they appear to be trying to answer the wrong question. The question should not be whether the configuration pain is real. The question is whether fixing the pain is really only possible for a single firewall platform.

Looking ahead, and around the current market, every firewall platform will benefit from a configuration management solution to “minimize self-inflicted…errors”. Since the market is (still) not dominated by a single firewall platform it stands to reason that fixing one of them leads directly towards fixing the greater problem of complexity caused by multiple platforms. That is a good thing, yet it seems to be the opposite of what Gartner would recommend. You may soon, if not already, find it more secure to use firewalls from different vendors to protect your enterprise networks. That puts you at odds with their analysis.

The bottom line is that every new product that aims to reduce firewall platform errors will develop support for multiple products in the market. That is why the next generation of rule analysis tools, such as FireGen, RedSeal, Wool’s company, etc., is likely to shift the risk calculation again — new tools to reduce the cost and complexity of managing configurations will work across different firewall platforms. Here’s FireGen as an example:

Products:
FireGen for SEF/Raptor – Log Analyzer for SEF/Raptor firewalls
FireGen for PIX – Log Analyzer for Pix firewalls
FireGen for Netscreen – Log Analyzer for Netscreen firewalls
FireGen New Generation – Log Analyzer for SEF 8.0, SGS, Linksys, SonicWALL and Fortigate firewalls – Beta

Let us know for what type of firewall you would like us to develop a log analyzer!

Auditors thus will soon feel confidence to move from saying “for pete’s sake just get one firewall configuration right before you add platforms” to “for pete’s sake get a configuration management product to support all the firewall platforms you have to use to protect your enterprise network”.

In other words, the missing piece in Gartner’s analysis is the present expansion of firewall use to hosts, applications and virtual systems. This trend of expansion is not going to reverse. Although it made sense to slow down complexity where possible in the past, the value of a single firewall platform has since become a moot point. An enterprise will most likely have to deal with a platform on the network, a second platform on their hosts and then at least a third platform on virtual networks as well as a fourth platform for applications. Do not be surprised if you cannot find a single platform that can replace firewalls from Juniper, Intel, VMware…

With that in mind, I predict that Gartner will say in less than five years that enterprises should not standardize on one firewall platform. The benefits of diversity may actually be reachable — protecting more layers of the enterprise network across multiple firewall platforms — with complexity brought more under control by configuration management solutions such as rule and log analysis tools.
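The two error classes discussed above, a rule that admits Microsoft services from outside (Wool’s 42 percent finding) and dead rules that accumulate as a rule base grows in complexity, are exactly what a rule analysis tool looks for. The following is an added illustration, not code from AlgoSec, FireGen or any other product named here; it assumes a first-match rule base with a hypothetical `Rule` record, IPv4 CIDR sources and destinations, and treats RFC 1918 ranges as “inside”.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports behind the "Microsoft services allowed from outside" finding:
# RPC endpoint mapper, NetBIOS name/datagram/session services and SMB.
MS_SERVICE_PORTS = {("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:                 # hypothetical, vendor-neutral rule record
    action: str             # "allow" or "deny"; the rule base is evaluated first-match
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None means any destination port

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.port in (None, inner.port))

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def exposed_ms_services(rules: List[Rule]) -> List[int]:
    """Indexes of live allow rules admitting Microsoft service ports from non-RFC1918 sources."""
    dead = set(shadowed_rules(rules))
    hits = []
    for i, r in enumerate(rules):
        internal_src = any(_net(r.src).subnet_of(n) for n in INTERNAL)
        if i in dead or r.action != "allow" or internal_src:
            continue
        if any(r.proto in ("any", p) and r.port in (None, n) for p, n in MS_SERVICE_PORTS):
            hits.append(i)
    return hits

# Constructed sample rule base, not taken from any real firewall.
RULES = [
    Rule("allow", "10.0.0.0/8", "any", "any", None),             # 0 inside may reach anything
    Rule("allow", "10.1.0.0/16", "192.168.5.0/24", "tcp", 445),  # 1 shadowed by rule 0
    Rule("allow", "any", "192.168.5.10/32", "tcp", 80),          # 2 public web server
    Rule("allow", "any", "192.168.5.20/32", "tcp", 445),         # 3 SMB open to the Internet
    Rule("deny", "any", "any", "any", None),                     # 4 default deny
    Rule("allow", "any", "192.168.5.30/32", "udp", 137),         # 5 dead: below the default deny
]

if __name__ == "__main__":
    print("shadowed rules:", shadowed_rules(RULES))              # [1, 5]
    print("MS services exposed by:", exposed_ms_services(RULES)) # [3]
```

Rule 1 is harmless only because rule 0 already grants more than it does; rule 3 is the finding an auditor would want fixed first, regardless of which vendor’s firewall enforces it.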

Buying an ATM on Craigslist

A used ATM pops up for sale on Craigslist every once in a while. Here is a good example for $1500:

Date: 2011-02-05, 7:57AM PST
Reply to: sale-htpd7-2198489834@craigslist.org

ATM machine for sale. Hyosung Mini Bank 1500. Excellent condition. Have all documentation and keys. Machine is ready to be placed in service.

The photo is not as suspicious as you might think. Is that a garage door in the background? Unused ATMs always end up around garages and loading docks because they are so heavy (~300 lbs). The weight is considered to be part of the theft-deterrence design.

The advertisement does not say, of course, whether the transaction history is wiped and the system is clean (e.g. empty or full of card numbers).

It should be very easy to find out. This model of ATM offers web access to its transaction history and cash management reports. You can download and read more details, including the full manual, on your phone as I’ve mentioned before.

I plan on putting this one near the RSA Conference and then streaming transactions live into my presentation. Just kidding…sort of…

In related news, for another $700 you also can buy an embossing device on Craigslist to make fun cards for your friends to use with your ATM…or to play Monopoly on credit.

PLASTIC CARD EMBOSSER (PVC – MANUAL):

Machine Details:

* OCR-7B Font Plus Alpha /Numeric * 10 & 7 Per Inch Spacing

* Financial Format /Five Line /ANSI /for CR-80 Plastic Cards

* Hardened Steel Dies & Punches

* Weight 17 lbs. – Shipping Weight 24 lbs.

* Height 9.5″ – Depth 14″ – Width 10″

Originally Priced at $3000.00, currently on sale for $700.00!

Enhance your business by embossing personalized gift and/or business cards! This is an excellent way to inspire customer loyalty!

Embosser may be used to emboss letters and/or numbers on standard ATM, Hotel, Employee plastic cards.

*Express Shipping is Available*

Zuckerberg Restraining Order on Facebook Stalker

Perhaps if this man had written Oprah a letter and then showed up at her offices and home, she might have handled the situation more delicately.

The founder of the notorious stalker site, Facebook, has taken swift legal action against a man who awkwardly and persistently asked for advice and money:

Zuckerberg has obtained a restraining order against 31-year-old Pradeep Manukonda — after Mark filed legal papers claiming the guy has tried to “follow, surveil and contact Mr. Zuckerberg using language threatening his personal safety” … and the safety of his girlfriend and his sister.

Law enforcement sources tell us Pradeep had gone to several Facebook offices in Palo Alto attempting to contact Mark to ask for money for his financially-strapped family.

I read the letters and was unable to find “language threatening his personal safety”, but maybe not all the letters are available yet.

It looked like scam language or even just annoyance, so the heavy-handed response to a low-risk situation may end up tarnishing Zuckerberg’s recent PR campaign to make himself appear less paranoid and more charitable.

It also shows how Zuckerberg himself turns quickly to government institutions for help and protection from his own users. Perhaps his public services approach to personal safety will help him see how to improve relations with federal regulators concerned with privacy.

lightRadio to Fix Cellular Communication

Alcatel says they are ready to address the consumption/cost and cosmetic challenges of cellular towers:

Our networks are power hungry and emit 18,000,000 metric tons of CO2 per year. Plus, antennas and towers are not very attractive, they obstruct our landscapes and cityscapes. And, who among you has not experienced the network congestion challenge? Time will not fix these challenges, they will grow and grow.

Now what is the root cause of these problems? The base station. It is a fundamental element of the wireless architecture that is large and power hungry. These visual monstrosities are tethered to equally unattractive antennas that block more of the landscape with each new technology. This is the one element of the mobile architecture that is keeping the network from being flexible, responsive and green.

Bell Labs technology is said to cut the cost of deployment, the cost of operation, and even make the towers prettier. What’s not to like?

lightRadio has at its core an innovation that is a small cube—a cube invented by Bell Labs which combines a wideband active array antenna with fully software defined radio capability. This cube, less than 300 g, enables an active antenna as small as 2 watts to an array of typical cellular capacity (30-60 watts). It can be deployed in big and small antenna configurations, all around the city. With this new antenna, base stations and large antenna towers virtually disappear. Big or small cells, it is one continuum, for these cubes can be stacked to build a macro cell or used singularly in a beam formation for targeted coverage.

lightRadio makes networks significantly lighter, much simpler to deploy and cuts the cost of site rental by 66%. For our planet, we can reduce power by 51%. With this small element, connected to microwave, it is now feasible for people currently not served by mobile data, to have access.