In fact, according to Michael Hamelin, chief security architect with the security life cycle specialist, the preliminary results of the firm's annual survey show that IT is getting seriously stung in terms of cost and time when it comes to manually auditing and managing rule changes on firewalls – a process he says completely unnecessary.
The survey found that every second firewall admin is locating firewall rules that overlap or are redundant by manually inspecting the policy. Not only that this is very much time consuming , the human mind cannot calculate all the permutations that a machine can calculate in milliseconds.
This approach to policy remediation, he says, may have worked when DEC developed the first packet filters in 1988 and AT&T went on to develop stateful filtering technologies some two years later, but not any more.
“Those developments were, of course, more than 20 years ago, and firewall scripting - let alone policy technology - was in very much in its infancy. Even back in the early 1990s, however, some degree of automation was possible. And now here we are in 2011 and 50 per cent of admins are inspecting their firewall policies using a manual approach - this is an extraordinary waste of programming talents”, he explained.
Hamelin notes that, even though any networking novice will tell you that automated firewall policy analysis is now possible, the use of a manual approach is not only cumbersome and time-consuming, it also begs the question as to how accurate a manual analysis can be. People, he says, get tired and make mistakes while computers and programs do not.
According to the Tufin CSA, the findings of the research suggest that just 7% of organizations are taking a completely automated approach to their firewall audits, with ten times this level – 70% - either undertaking the process manually or - perhaps worse, not doing anything at all.
And yet, he adds, it doesn't have to be this way, as even a semi-automated approach to firewall policy analysis and auditing can pay dividends, since it allows IT security professionals to deal with more important tasks - and so minimise the time needed to conduct routine audits and allied firewall security processes.
In a previous survey of IT professionals in the summer of last year, Tufin found that almost 10% admitted to cheating to pass a firewall audit. This was largely down to a result of a lack of time or resources than any misguided intentions.
The irony of this survey, says the firm, is that the 2010 survey was actually an improvement on the previous year's results, which found twice as many respondents had cheated.
Of the 10% in the 2010 survey who admitted to cheating on an audit, half of them cited time restraints and 22 per cent cited resource constraints. 11% said that they didn't see the point of doing the audit and same volumes against had other reasons which they did not elaborate on.
“The preliminary results from this year's survey are arguably more interesting, as no-one can say that they have to complete a firewall policy analysis and audit manually because of lack of resources. There are plenty of solutions that can help automated the process, so there really is no excuse for this curious Luddite approach to enhancing the effectiveness of a network firewall”, said Hamelin.