Firewalls and access controls are the front line of any organization’s cybersecurity posture: they limit unauthorized access, restrict lateral movement, and enforce segmentation. But they are only as good as the data that supports them, and that is exactly where a network inventory matters.
A network inventory is a thorough, living record of every device, endpoint, and service connected to the network. It gives your firewall management and access control policies the critical data they need to block breaches, enforce least privilege, and enable near real-time incident response.
This article explores three ways in which network inventory data can be used to improve firewall rules and access control management, and to close security gaps in complicated IT environments. The value is most apparent in hybrid cloud infrastructure or multinational enterprise networks, as noted by Slurp’it.
What’s Complex About Firewalls and Access Controls?
As environments grow in size and complexity, firewall configurations and access policies drift from complex to ambiguous. The proliferation of cloud services, remote work that ties employee-owned devices to work accounts, and the sheer number of endpoints make it harder to keep rules correctly addressed and scoped.
A few examples of these challenges include:
- Stale or too broad firewall rules
- Unaccounted-for devices that have slipped through controls
- Inconsistent access permissions
- Incomplete segmentation policies
These issues increase risk exposure; Palo Alto Networks found in their 2023 state of cloud security study that “57% of enterprises had at least 1 misconfigured firewall that left an organization vulnerable to attack.”
What Is Network Inventory Data?
Network inventory data is real-time, fine-grained information about every asset in your IT environment and how it is connected. It includes:
- IP addresses and MAC addresses
- Device type and operating system
- User ownerships and associations
- Network segment and location
- Software versions and patch status
With visibility into these areas, security teams can quickly understand who and what is on the network at any given time – a critical first step toward refining firewall and access rules, as noted by Slurp’it.
Three ways network inventory can elevate firewall rule management
1. Identifying unprotected or unknown devices
A complete inventory exposes devices that have network access but no corresponding firewall policy. With network inventory data, security teams can identify rogue devices, shadow IT, or misconfigured devices that reach the environment by bypassing existing controls.
2. Automate access based on real-time context
Firewall rules are typically assigned based on lists of IP addresses or subnets, and these quickly go stale. Integrating inventory data attaches context metadata to each device, so access decisions can be made on dynamic attributes such as the user’s department or the device type rather than on a static address.
For example, devices owned or used by finance personnel could be routed through stricter rules or limited to specific applications.
3. Improving the De-provisioning of Old or Redundant Firewall Rules
Security staff can use inventory data to spot devices and services that have been decommissioned, replaced, or are otherwise no longer needed. Rules that still reference them can then be removed, which shrinks the rule set and closes paths that no longer serve a purpose.
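The two reconciliation checks described in points 1 and 3 (assets with no rule coverage, and rules that only reference decommissioned or never-inventoried hosts) can be automated once the inventory and the rule set are both exported. The script below is an added example, not Slurp’it’s code or any firewall vendor’s API; the inventory records, the rule schema (source, destination, action) and all addresses are constructed sample data, so a real export will need a small adapter in front of it.

```python
"""Reconcile a firewall rule set against a network inventory.

Added example, not Slurp'it's code. Inventory records and rules are
constructed sample data in a simplified schema; real exports differ.
Two findings are produced:
  - active assets that no rule references (unknown/unprotected devices)
  - rules whose source or destination matches no active asset
    (stale rules pointing at decommissioned or never-seen hosts)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str          # owning department
    status: str         # "active" or "decommissioned"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR or single IP; "any" means 0.0.0.0/0
    dst: str
    action: str


# Constructed inventory export.
INVENTORY = [
    Asset("10.10.1.5",  "fin-ws-01",  "finance",   "active"),
    Asset("10.10.1.9",  "fin-ws-02",  "finance",   "active"),
    Asset("10.20.3.7",  "old-erp-db", "finance",   "decommissioned"),
    Asset("10.30.8.2",  "mkt-lt-14",  "marketing", "active"),
    Asset("10.40.0.10", "prod-db-01", "platform",  "active"),
]

# Constructed rule export.
RULES = [
    Rule("finance-to-prod-db", "10.10.1.0/24", "10.40.0.10/32", "allow"),
    Rule("legacy-erp",         "10.10.1.0/24", "10.20.3.7/32",  "allow"),
    Rule("orphan-lab",         "10.99.0.0/16", "10.40.0.10/32", "allow"),
]


def _net(spec):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def rule_covers(rule, asset):
    """True if the asset's IP falls inside the rule's source or destination."""
    addr = ip_address(asset.ip)
    return addr in _net(rule.src) or addr in _net(rule.dst)


def uncovered_assets(inventory, rules):
    """Hostnames of active assets that no rule references at all."""
    return sorted(a.hostname for a in inventory
                  if a.status == "active" and not any(rule_covers(r, a) for r in rules))


def stale_rules(inventory, rules):
    """Rules where src or dst matches no active asset, as {rule_name: reason}.

    An 'any' side is skipped: it is broad, not stale. A side that matches
    only decommissioned assets is the classic leftover rule; a side that
    matches nothing references hosts the inventory has never seen.
    """
    active = [ip_address(a.ip) for a in inventory if a.status == "active"]
    retired = [ip_address(a.ip) for a in inventory if a.status != "active"]
    findings = {}
    for r in rules:
        for side, spec in (("src", r.src), ("dst", r.dst)):
            if spec == "any":
                continue
            net = _net(spec)
            if any(ip in net for ip in active):
                continue
            if any(ip in net for ip in retired):
                findings[r.name] = f"{side} {spec} matches only decommissioned assets"
            else:
                findings[r.name] = f"{side} {spec} matches no inventoried asset"
            break
    return findings


if __name__ == "__main__":
    print("Active assets with no rule coverage:", uncovered_assets(INVENTORY, RULES))
    for name, why in stale_rules(INVENTORY, RULES).items():
        print(f"Stale rule {name}: {why}")
```

On the sample data the marketing laptop is reported as having no rule coverage, the legacy ERP rule is flagged because its destination now exists only as a decommissioned asset, and the lab rule is flagged because its source range has never appeared in inventory. Both findings are review queues, not automatic deletions: an uncovered asset may be a rogue device or simply one that is meant to be covered by a default policy.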
4. Effectively Segmenting the Network
Microsegmentation depends on the organization’s knowledge of the purpose, sensitivity, and interconnectivity of all assets. Inventory intelligence supports even the most targeted levels of segmentation, ensuring that sensitive systems are properly isolated and reachable by authorized personnel only.
5. Feeding Data into Firewall and Policy Management Platforms
Most firewall management systems now expose an API through which updates to your asset inventory can be pushed into your firewall tooling, in real time or asynchronously. An inventory change then flows directly into automated firewall rule creation and modification.
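Points 2 and 5 come together when address groups are derived from inventory tags (department, device type) instead of hand-maintained IP lists, and only the difference between what the firewall holds and what the inventory says is pushed. The following is an added example, not Slurp’it’s or any vendor’s code: the inventory rows, the `grp-dept-*` / `grp-type-*` naming scheme, the current group contents and the JSON payload shape are all constructed, and the `PUT /address-groups` call it prepares a body for is hypothetical, since every firewall platform has its own object schema.

```python
"""Derive firewall address groups from inventory tags and compute the
delta to push to a firewall management API.

Added example, not Slurp'it's or any vendor's code. Inventory rows, group
naming, current group contents and the payload field names are constructed;
the PUT /address-groups endpoint is hypothetical.
"""
import json

# Constructed inventory export: one row per device with its tags.
INVENTORY = [
    {"ip": "10.10.1.5",  "host": "fin-ws-01", "dept": "finance",   "type": "workstation", "status": "active"},
    {"ip": "10.10.1.9",  "host": "fin-ws-02", "dept": "finance",   "type": "workstation", "status": "active"},
    {"ip": "10.10.1.12", "host": "fin-ws-03", "dept": "finance",   "type": "workstation", "status": "decommissioned"},
    {"ip": "10.30.8.2",  "host": "mkt-lt-14", "dept": "marketing", "type": "laptop",      "status": "active"},
    {"ip": "10.30.8.77", "host": "byod-0a1f", "dept": "marketing", "type": "byod",        "status": "active"},
]

# Constructed snapshot of what the firewall currently holds, e.g. from a GET
# on its address-group endpoint. fin-ws-03 is still a member: stale.
CURRENT_GROUPS = {
    "grp-dept-finance": {"10.10.1.5", "10.10.1.12"},
    "grp-type-byod": set(),
}


def desired_groups(inventory):
    """Group active device IPs by department and by device type."""
    groups = {}
    for row in inventory:
        if row["status"] != "active":
            continue
        for key in (f"grp-dept-{row['dept']}", f"grp-type-{row['type']}"):
            groups.setdefault(key, set()).add(row["ip"])
    return groups


def group_delta(current, desired):
    """Per group, the IPs to add and remove so `current` becomes `desired`.

    Groups absent from `desired` are emptied rather than deleted, so rules
    that reference them keep resolving (to nothing) instead of breaking.
    """
    delta = {}
    for name in sorted(set(current) | set(desired)):
        have, want = current.get(name, set()), desired.get(name, set())
        add, remove = sorted(want - have), sorted(have - want)
        if add or remove:
            delta[name] = {"add": add, "remove": remove}
    return delta


def build_push_payload(delta, source="network-inventory"):
    """Serialise the delta as the JSON body for a hypothetical
    PUT /address-groups request. The field names are an assumption."""
    return json.dumps({"source": source, "groups": delta}, indent=2, sort_keys=True)


if __name__ == "__main__":
    delta = group_delta(CURRENT_GROUPS, desired_groups(INVENTORY))
    print(build_push_payload(delta))
```

Because the delta is computed against the firewall’s current state, re-running the job is idempotent: an unchanged inventory produces an empty payload, and a device that changes department moves between groups in a single push. The rule that says “finance workstations may reach the ERP” can then reference `grp-dept-finance` and never needs editing when a finance workstation is added or retired.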
How Network Inventory Strengthens Access Controls
Access control means getting the right people and devices to the right resources. Again, an understanding of inventory data is fundamental:
1. Enforcing Least Privileged Access
This consolidated understanding allows IT departments to restrict access to systems based on asset ownership or use, usage tracking data, job function, location, and/or device posture. This diminishes exposure and shrinks the surface an attacker can operate in.
2. Helps Monitor Zero Trust Architectures
Zero Trust requires verifying users at every opportunity, but it also requires understanding assets. The inventory system therefore provides real-time insight about the device in use whenever a user logs in to a resource.
For example, if an end user logs in from a non-compliant device, the system can block the attempt or require additional authentication steps.
3. Identifying Anomalous Access or Misconfiguration
Using inventory as the baseline, comparing what each device is actually doing against what it is authorized to do exposes misaligned access. For example, if a marketing laptop suddenly begins to access a production database, that is out of pattern and certainly justifies an alert.
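The marketing-laptop case above can be turned into a detection by joining each accepted flow to the inventory on both ends and checking the source’s department against the roles it is allowed to reach. The script below is an added example, not Slurp’it’s code: the inventory entries, the authorization matrix and the flow log lines (a simplified `timestamp src dst dport action` format, not any vendor’s export) are all constructed for illustration.

```python
"""Flag accepted flows that an inventory-derived baseline does not authorize.

Added example, not Slurp'it's code. The inventory, the authorization
matrix (source department -> reachable asset roles) and the flow log are
constructed; the log format is a simplified text line, not a vendor export.
"""

# Constructed inventory keyed by IP.
INVENTORY = {
    "10.10.1.5":  {"host": "fin-ws-01",  "dept": "finance",   "role": "workstation"},
    "10.30.8.2":  {"host": "mkt-lt-14",  "dept": "marketing", "role": "workstation"},
    "10.40.0.10": {"host": "prod-db-01", "dept": "platform",  "role": "production-db"},
    "10.40.0.20": {"host": "www-01",     "dept": "platform",  "role": "web"},
}

# Constructed baseline: which destination roles each source department may reach.
AUTHORIZED = {
    "finance":   {"production-db", "web"},
    "marketing": {"web"},
    "platform":  {"production-db", "web", "workstation"},
}

# Constructed flow log: timestamp, source IP, destination IP, dest port, action.
FLOW_LOG = """\
2024-05-01T09:12:03Z 10.10.1.5 10.40.0.10 5432 ACCEPT
2024-05-01T09:12:41Z 10.30.8.2 10.40.0.20 443 ACCEPT
2024-05-01T09:13:07Z 10.30.8.2 10.40.0.10 5432 ACCEPT
2024-05-01T09:13:55Z 10.77.5.5 10.40.0.10 5432 ACCEPT
"""


def parse_flow(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def classify(flow, inventory=INVENTORY, authorized=AUTHORIZED):
    """Return None when the flow fits the baseline, else a short reason."""
    src, dst = inventory.get(flow["src"]), inventory.get(flow["dst"])
    if src is None:
        return f"source {flow['src']} not in inventory"
    if dst is None:
        return f"destination {flow['dst']} not in inventory"
    if dst["role"] not in authorized.get(src["dept"], set()):
        return (f"{src['host']} ({src['dept']}) reached {dst['host']} "
                f"({dst['role']}) on port {flow['dport']}: not authorized for that department")
    return None


def find_anomalies(log_text):
    """Return [(timestamp, reason)] for each accepted flow outside the baseline."""
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["action"] != "ACCEPT":
            continue  # denied flows are already handled by the firewall
        reason = classify(flow)
        if reason:
            anomalies.append((flow["ts"], reason))
    return anomalies


if __name__ == "__main__":
    for ts, reason in find_anomalies(FLOW_LOG):
        print(ts, reason)
```

On the sample log the finance workstation reaching the production database is silent, the marketing laptop reaching the web server is silent, the marketing laptop reaching the production database is reported, and a source address the inventory has never seen is reported separately. That last case is the link back to point 1: an unknown talker is itself a finding, regardless of what it connected to.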
4. Feeding Identity and Access Management (IAM) Systems
Inventory data adds important intelligence to overall asset and user profiles, giving IAM platforms better tools for pairing a device with a user for each resource access, and creating another important input for identifying and analyzing access via Slurp’it.
Best Practices in Connecting Network Inventory to Firewall and Access Controls
In order to maximize the potential benefit of inventory, organizations should:
- Utilize discovery tools to maintain a fresh and accurate inventory
- Tag devices with useful attributes and metadata to help establish each device’s trust level.
- Integrate or connect with AWS and/or IAM platforms via their APIs.
- Regularly review rules and permissions against the confirmed inventory.
- Use continuous monitoring to track deviations, flag breaches, and detect behavior changes.
A real-world example: rules optimized by inventory
A mid-sized healthcare provider managed hundreds of firewall rules that had been modeled and extended, for competing reasons, across facilities. Like all organizations, over time their access became increasingly permissive, and without Slurp’it they completely lost visibility of their connected devices.
After implementing a modern network inventory capability, the IT team combined their standard procedure of compiling all policies with rule optimization for their firewalls, and found that:
- 15% of the rules had applicability to decommissioned systems.
- Multiple BYOD devices, covered by multiple rules, were accessing sensitive systems with no controls or segmentation.
- Users had redundant permissions; fewer groups were needed across individuals.
With these insights, the team identified many opportunities to remove rules, tightened BYOD access through segmentation, and found that many firewall rules no longer matched the devices they were written for, reducing risk. Afterwards, audit findings decreased, and subsequent testing showed enhanced network resilience against internal threats. For additional information, connect with us here at Slurp’it!
