At a glance, implementing a firewall change may appear to be a simple task, but in reality it often is not.
Common firewall changes include adding, removing or modifying firewall rules and objects. Rules and objects change in response to new threats, network modifications or the adoption of new services.
Why a Change Goes Wrong
- Unintentional administrator error, due to lack of focus or a poor management interface.
- An improper change is implemented because the firewall change was not managed appropriately.
What Happens if the Change Goes Wrong?
- Legitimate traffic is blocked; service downtime means financial and reputational losses for the business. In the worst case, the entire network can be brought down.
- Malicious traffic is let in; a security breach means data, financial and reputational losses.
- Performance is degraded, affecting productivity and business operations.
How to Make Sure a Firewall Change Does Not Go Wrong
Document it. Take into consideration every step of the firewall change process.
Documenting the Change
A critical part of dealing with firewall changes is having workflows and policies for processing change requests.
Managing a change request, as part of the firewall change documentation process, covers:
- Is the change necessary - what does this change mean?
For example: it improves security, it is needed to allow legitimate traffic, it is part of a strategy for cleaning up and simplifying firewall rules, or it is needed for compliance.
- Understand the impact of the change on traffic flow and applications - which connections or applications may be affected, whether it exposes any applications that are vulnerable to attack, and whether it places additional load on the firewall and hence affects its performance.
- Understand the associated business risk - can the change affect any of the business's critical services and thus its operations?
- Change control - who requests the change, how the change process is tracked, who approves the change, who tests and validates the change, who implements the change, and who reviews and monitors the change.
- The steps needed to implement the change - what needs to be modified on the firewall, when the change will occur, and whether notifications need to be sent before and after the change is implemented.
- Backup plan - back up the current configuration. The firewall must have at least a simple “restore from backup” function that lets you quickly revert after an improper change.
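The impact assessment step above can be partly automated before a change is approved. The following Python script is an added example, not code from the original article; it assumes a first-match rule base and a simplified rule model (CIDR source and destination, protocol, destination port range), and reports whether a proposed rule would be shadowed by an earlier rule (no effect), would block traffic an existing allow rule permits, or would open traffic an existing deny rule blocks. The policy and rules are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # inclusive destination port range (low, high)

def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def overlaps(a, b):
    """True when at least one packet is matched by both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def assess_change(policy, new_rule, position):
    """Findings for inserting `new_rule` at index `position` of a first-match policy."""
    for earlier in policy[:position]:
        if covers(earlier, new_rule):   # no packet can ever reach the new rule
            return [f"NO EFFECT: '{new_rule.name}' is fully shadowed by earlier rule '{earlier.name}'"]
    findings = []
    for later in policy[position:]:
        if not overlaps(new_rule, later):
            continue
        scope = "all" if covers(new_rule, later) else "some"
        if new_rule.action == later.action:
            if scope == "all":
                findings.append(f"REDUNDANT: '{later.name}' can no longer match; consider removing it")
        elif new_rule.action == "deny":
            findings.append(f"BLOCKS: {scope} traffic previously allowed by '{later.name}'")
        else:
            findings.append(f"OPENS: {scope} traffic previously denied by '{later.name}'")
    return findings
# Constructed sample policy (first match wins) and a proposed change, for illustration only.
POLICY = [
    Rule("allow-web", "allow", "10.0.0.0/8", "10.1.2.0/24", "tcp", (443, 443)),
    Rule("deny-ssh", "deny", "0.0.0.0/0", "10.1.2.0/24", "tcp", (22, 22)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535)),
]
BLOCK_LAN = Rule("block-lan", "deny", "10.0.0.0/8", "10.1.2.0/24", "any", (0, 65535))
```

Running `assess_change(POLICY, BLOCK_LAN, 0)` reports that the new deny rule would block all traffic that "allow-web" currently permits, which is exactly the "legitimate traffic is blocked" outcome the change request must account for.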
Making Emergency Changes
Sometimes an immediate change is needed, for example in response to an attack against a critical service. In this case, best judgment is often used to implement the change, skipping the normal documented steps. Make sure you have appropriate personnel who can manage such a situation; otherwise, in the rush to stop the bad guys, you can bring down your own network or services.
Following a few simple steps and properly documenting each firewall change ensures business continuity and keeps the bad guys out of your network.