Firewalls include software – do not forget to patch it!
Your firewall is not only hardware but also includes software for which security vulnerabilities are discovered. For those vulnerabilities the firewall vendors provide patches. To stay secure those patches have to be deployed.
A next generation firewall is heavily relying on software to provide security protection. This software is developed with security in mind and undergoes extensive verification. Although this is a good start there is, unfortunately, no process that can guarantee absence of vulnerabilities. This implies vulnerabilities are also discovered for firewall software – and for that matter also other network equipment.
Some may believe that this is a remote problem and it does not happen so frequently. Unfortunately, this is not true. Several hundred vulnerabilities for firewall software are discovered per year according to the Common Vulnerability Enumeration (CVE) database. The security exploit toolkit developed by the NSA, which was later stolen by ShadowBrokers, included weaponized exploits also for some major firewall manufacturer. In other words, something like “WannaCry” may happen for one of the most important security functionality an organization has.
This means we have a real problem at hand which we urgently need to address. Why is this not happening then? From the authors experience there are two dominant reasons:
Awareness and investment readiness is low: Many decision makers are not aware that their firewalls may have problems. Combined with the fact that the readiness to face the costs for a firewall upgrade is low. The IT department does not get the resources to perform patching. Not to speak of the eventually necessity to perform upgrades. The latter comes from the fact that a lot of organization are not renewing their firewalls as frequently as needed.
Firewall patching is complex and risky: A firewall controls the entire network traffic and if it does not work the traffic stops. This becomes worse by the fact that firewall upgrades are difficult to test and have, most likely, to be directly performed in the production environment where failure has immediate effect. Secondly, firewalls are more difficult to patch in a structured way. Frequently they are deployed redundantly (in other words several firewalls are sharing the traffic so that if one fails the other can take over). To update redundant equipment requires some extra planning and skill.
From this it becomes obvious what we have to do:
- Create awareness that firewalls require frequent updates
- Create a specific patch process for firewalls
- Be ready to invest in firewall modernization more frequently
As a small remark at the end the author wants to point out that ATEA’s partner organizations in the firewall field have and will launch some major patches around this time of the year.