As businesses’ IT environments expand with remote teams and new cloud services, firewall management has become more vital and complex. But how much of an opportunity does it represent for your business?
Chris Crellin, Senior Director of Product Management, Barracuda MSP, responds to timely questions, giving managed services providers (MSPs) and value-added resellers (VARs) a snapshot of how firewalls are being managed, tips for how to educate your clients and prospects on their need for more effective solutions, and important trends to factor into your planning.
Do businesses struggle with firewall configurations that balance security with legitimate traffic?
Crellin: Definitely, even if businesses might only realize it later. Let’s face it – IT departments are doing their best to support business processes in today’s world of dependence on Software as a Service (SaaS) applications, internet-based office suites and file sharing. But, unfortunately, this often means, knowingly or unknowingly, putting security precautions aside. All of this is exacerbated by the move to the cloud. To tackle this problem, there is even a whole new product category to help automate security policy compliance: Cloud Security Posture Management.
What other facets of firewall management do businesses have trouble managing?
Crellin: First, the sheer size of services today’s companies use. The company network was comparatively simple and easy when the stateful inspection firewall was invented. There was the “inside” and the “outside.” Inside was safe as applications were generally hosted in a subnet called the DMZ, accessible by all networks. The outside was considered potentially harmful, and any traffic originating from the exterior was either blocked from the beginning or carefully checked by the firewall with built-in IPS, anti-malware, and known bad IPS filters.
This model is entirely obsolete with the advent of cloud and SaaS applications. According to a survey by Blissfully, a small 18-person company, for example, uses up to 81 different cloud-hosted or SaaS-based applications, translating to more than 400 unique connections to the internet for company work.
The time when next-generation firewalls were invented to control and sanction the use of application traffic is over too. Today, it is about providing enough bandwidth for a good user experience and blocking credential theft by advanced phishing, smashing, and other attacks. As a result, malware dissemination via the internet has gone down 100-fold, while credential theft attacks have increased exponentially. See the Google transparency report.
Do businesses have internal resources that are skilled enough to manage firewalls on their own?
Crellin: Even the most experienced firewall administrators can make honest mistakes. You’ll never know where things stand until you have the proper visibility and understanding of the network and applications. As networks become more complex and firewall rule sets continue to grow, it is increasingly difficult to identify and quantify the risk introduced by misconfigured or overly permissive firewall rules.
The major contributor to firewall policy risks is the lack of understanding of what the firewall is doing at any given time. Even if traffic flows and applications are working, it doesn’t mean you don’t have unnecessary exposure. IT and network security professionals are continually thinking about the choices they’re making today and the resulting risks those choices can create moving forward. As a result, everything you and your team do with your firewall policies moves your network toward better security or increased risks. To help with this process, there are new tools for Firewall Policy Management.
The truth is that many small to mid-sized companies often neither have the budget nor the resources to deal with these challenges properly. The smarter ones outsource these tasks to a Firewall as a Service (FWaaS) offering or a managed security service provider (MSSP).
What’s the best way to demonstrate to a prospect that their company’s firewall may be misconfigured?
Crellin: This dramatically varies because there is no one and only way, as this significantly depends on the company and type of traffic. In general, the more firewall rules, the more likely a misconfiguration is in place. Most next-generation firewall providers include simulation tools, also known as rule testers, that show the usage of a rule, for example, if a rule has been in use over a certain period. You’ll most often find rules that haven’t been in use, and nobody wants to touch them because nobody knows if they might be needed.
How can MSPs build a firewall management offering with a solid value proposition?
Crellin: There are many security solutions out there claiming to be the easiest to use or the most secure, the most automated, the most anything. Narrow your portfolio to a few solutions or tools that allow you to provide the services you want and keep close contact with the technology provider. Make sure the technology is operable on an API basis, keep your staff trained to ensure efficient usage of these tools and automate as much as possible. For example, zero-touch deployment enables direct shipment to the end customer to plug in the appliance himself, and it auto-configures, which saves a lot on travel costs. Devices that are only accessible via web UI might be hard to diagnose, so make sure to have alternative access or the ability to pull logs on an automated basis. Start by offering a teaser service with upgrade potential. For example, a managed firewall that can also run SD-WAN, URL filtering, bandwidth optimization or act as a cloud proxy for Zero Trust Networking.
How much demand for firewall management do you predict in the next 1 or 2 years?
Crellin: Firewalls have been with us shortly after networking and the internet appeared. New technologies typically merge into the firewall (i.e., IPS, Application Awareness, Sandboxing, SD-WAN), and there is no sign that the firewall, or the need to manage the firewall, will go away. It might, however, morph and look differently. The more workloads you put into the cloud, or if SASE offerings become part of the equation, you might no longer manage a physical box in your company’s data center or edge. But, with a cloud service or microservice, the inherent problems will be mostly similar.
What advice can you offer MSPs offering firewall management services?
Crellin: Start with as few technology providers as possible. Also, ensure the technology is stackable, i.e., additional functions can be activated after deployment. For example, automated reporting is an excellent way to provide incremental services and drive revenue. Once set up, it’s easy to maintain and becomes a viable cash flow generator. Also, don’t forget the public cloud. Regardless of company size, everybody already has something in the cloud or will most likely shortly. Finally, ensure you can answer your customers’ questions about cloud security, availability and performance of cloud-hosted applications. 
