Weighing access against risk

Companies must get back to evaluating risk levels in terms of network access and who has it, says Jody Brazil

Brazil: Security is about access

I recently spoke with a prospect who was calling to see how a firewall management tool could help them. Their main concern was the effect their policy was having on their firewall performance.

They explained that their PIX firewall policy contained more than 84,000 access control rules. Of course performance was a problem, but what about security?

"This is not a wall; at best it’s a screen door."

I tried to refocus the conversation to security, but performance was their primary concern.

So, I started thinking how I could better communicate the particular security concern with a policy permitting so much access.

Firewalls are designed to control access between networks, using a ‘positive security model’, simply meaning they are designed to deny all access that is not permitted by the administrator. This means that adding rules to a firewall set-up is deciding to permit more access and accepting some additional risk.

The most secure host or network would be one where there was no access. But without access, you cannot do anything.

The more access you permit, the more risk rises, scaled by the threat posed by the network on the other end of the connection. There is a sharp increase in risk the moment any access is granted, and a steady rise as more and more access is permitted.

As it relates to the firewall, every rule that permits access also increases risk to some degree. Excessive access (not needed for any intended purpose) means unnecessary risk.

Clearly, removing this excessive access is the low-hanging fruit of risk reduction.
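One way to make the excessive-access argument concrete is to look for rules that can never fire and for permits that are wide open, which is what this added Python example does against a small constructed policy. It is illustrative code, not the author's or Secure Passage's tool; the rule format, first-match evaluation and the sample addresses are assumptions.

```python
# Added example (not the author's tool): flag dead and overly broad rules in a first-match policy.
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "permit" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto in ("any", inner.proto)
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    nets_ok = (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
               and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))
    return proto_ok and ports_ok and nets_ok

def find_dead_rules(rules):
    """Rules that never fire because an earlier rule covers all their traffic. Same action:
    redundant (safe to delete). Different action: shadowed (a deny defeated by a permit above it)."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                dead.append((rule.name, kind, earlier.name))
                break
    return dead

def find_broad_permits(rules):
    """Permits from anywhere to anywhere, or on all ports: the 'screen door' rules."""
    return [r.name for r in rules if r.action == "permit" and (
        (ipaddress.ip_network(r.src) == ANY_NET and ipaddress.ip_network(r.dst) == ANY_NET)
        or r.ports == ANY_PORTS)]

# Constructed sample policy, evaluated top to bottom, first match wins.
POLICY = [
    Rule("web-in",       "permit", "0.0.0.0/0",       "203.0.113.10/32", "tcp", (443, 443)),
    Rule("dmz-any",      "permit", "0.0.0.0/0",       "203.0.113.0/24",  "any", ANY_PORTS),
    Rule("web-in-dup",   "permit", "198.51.100.0/24", "203.0.113.10/32", "tcp", (443, 443)),
    Rule("block-telnet", "deny",   "0.0.0.0/0",       "203.0.113.0/24",  "tcp", (23, 23)),
    Rule("mgmt-ssh",     "permit", "192.0.2.5/32",    "203.0.113.20/32", "tcp", (22, 22)),
]
```

Run against the sample, the single `dmz-any` rule is flagged as a broad permit, makes `mgmt-ssh` redundant and shadows `block-telnet`, so the deny below it never takes effect.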

The focus needs to get back to evaluating risk versus access to make the firewall a more effective security device in the network.

Jody Brazil is president and CTO of Secure Passage