rlh
Viewer

Quantitative Security Metric for Firewalls

Hello,


I have been in IT Security for a number of years and I'm aware of multiple frameworks and standards representing security, but I'm struggling to find a usable method to provide a quantitative metric for the security posture of a firewall.


I would like to say "The firewall security is 96% effective", for example ...


Is anyone aware of a mechanism to provide a meaningful and numeric representation to indicate the security effectiveness of a firewall?


Thank you,

Rob.

3 Replies
ericgeater
Community Champion

Following.  I'll be interested to hear responses.

-----------
A claim is as good as its veracity.
JoePete
Advocate I


@rlh wrote:

I'm struggling to find a usable method to provide a quantitative metric for the security posture of a firewall. I would like to say "The firewall security is 96 % effective", for example ...


Interesting idea. What you might really be looking for is something like a "crossover error rate" where false accepts (traffic erroneously allowed) equal false rejects (traffic erroneously denied). The lower the crossover rate the more "effective" the firewall. I haven't seen that metric used. What's the scenario you see? Something like content filtering?

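Added worked example (an editor's addition, not something any poster in this thread wrote): the crossover-error-rate idea from the reply above applied to a firewall ruleset. A labelled corpus of flows (what the written policy says should and should not pass) is run through a first-match allow list with default deny; the false-accept rate (FAR) is the share of should-deny flows the ruleset lets through and the false-reject rate (FRR) the share of should-allow flows it blocks. To get a curve to find a crossover on, the example sweeps a hypothetical tightening knob, rule "breadth" (source hosts x destination hosts x ports a rule opens), dropping the broadest rules first. The rules, flows, labels and the breadth knob are all constructed for illustration.

```python
"""Added example, not from the thread: false-accept / false-reject rates of a
firewall ruleset against a labelled test corpus, plus a sweep over a tightening
knob to locate the crossover error rate. Rules, flows and labels are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """An allow rule; a flow no rule matches is denied (default deny)."""
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    ports: Tuple[int, ...]   # destination ports; empty tuple means any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or dport in self.ports))

    def breadth(self) -> int:
        """Hypothetical tightening knob: source hosts x destination hosts x
        ports opened. Broader rules are what a tightening pass removes first."""
        nports = len(self.ports) or 65536
        return (ip_network(self.src).num_addresses
                * ip_network(self.dst).num_addresses * nports)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    should_allow: bool   # ground truth from the written policy, not from the firewall


def decide(rules: List[Rule], flow: Flow, max_breadth: int) -> bool:
    """True if the ruleset allows the flow, with every rule broader than
    max_breadth treated as removed."""
    return any(r.breadth() <= max_breadth and r.matches(flow.src, flow.dst, flow.dport)
               for r in rules)


def error_rates(rules: List[Rule], flows: List[Flow], max_breadth: int) -> Tuple[float, float]:
    """(FAR, FRR): FAR = share of should-deny flows allowed,
    FRR = share of should-allow flows denied."""
    deny_set = [f for f in flows if not f.should_allow]
    allow_set = [f for f in flows if f.should_allow]
    far = sum(decide(rules, f, max_breadth) for f in deny_set) / len(deny_set)
    frr = sum(not decide(rules, f, max_breadth) for f in allow_set) / len(allow_set)
    return far, frr


def crossover(rules: List[Rule], flows: List[Flow]) -> Tuple[int, float, float]:
    """Sweep the knob over every breadth present in the ruleset (plus 'allow
    nothing') and return (max_breadth, far, frr) where FAR and FRR are closest.
    The mean of the two rates at that point is the crossover error rate."""
    best: Optional[Tuple[int, float, float]] = None
    for t in sorted({0} | {r.breadth() for r in rules}):
        far, frr = error_rates(rules, flows, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


# Constructed ruleset: front-end subnet 10.0.1.0/24 talks to an app server
# 10.0.2.10:443 and a database 10.0.2.20:5432; only admin host 10.0.3.5 in the
# jump subnet 10.0.3.0/24 is supposed to have SSH to the server subnet.
RULES = [
    Rule("10.0.1.0/24", "10.0.2.10/32", (443,)),   # front end -> app server
    Rule("10.0.1.0/24", "10.0.2.20/32", (5432,)),  # front end -> database
    Rule("10.0.3.0/24", "10.0.2.0/24", (22,)),     # whole jump subnet -> SSH (too broad)
    Rule("0.0.0.0/0", "10.0.2.0/24", ()),          # legacy any/any into the server subnet
]
# Constructed labelled flows: what the policy says should happen.
FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", 443, True),
    Flow("10.0.1.7", "10.0.2.20", 5432, True),
    Flow("10.0.3.5", "10.0.2.10", 22, True),
    Flow("10.0.3.5", "10.0.2.20", 22, True),
    Flow("10.0.3.99", "10.0.2.10", 22, False),     # non-admin host in the jump subnet
    Flow("203.0.113.9", "10.0.2.10", 443, False),  # internet -> app server
    Flow("10.0.1.5", "10.0.2.20", 22, False),      # front end SSH to the database
    Flow("10.0.1.5", "10.0.2.10", 8080, False),
    Flow("203.0.113.9", "10.0.2.20", 5432, False),
    Flow("10.0.9.1", "10.0.2.10", 443, False),
]

if __name__ == "__main__":
    for t in sorted({0} | {r.breadth() for r in RULES}):
        far, frr = error_rates(RULES, FLOWS, t)
        print(f"max_breadth={t:<20} FAR={far:.3f} FRR={frr:.3f}")
    print("crossover (max_breadth, FAR, FRR):", crossover(RULES, FLOWS))
    # -> crossover at max_breadth 65536: FAR 0.167, FRR 0.000
```

On this constructed data the sweep lands on keeping the three subnet-scoped rules and dropping the any/any rule: FRR 0 and FAR 1/6, the one miss being the over-broad jump-subnet SSH rule. That is the point of the metric: the number is only as meaningful as the labelled corpus behind it, and the pair (FAR, FRR) at the deployed ruleset tells you more than a single percentage, though 1 minus the crossover error rate is the closest thing to the "96% effective" figure asked for.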

Early_Adopter
Community Champion

One of the problems I think you have here is a firewall itself won’t really have a security posture. It’s got to be considered in the context of the network it’s in and the job that it does. It’s likely stateful, has rules that work north/south and east/west but that are opened and closed as part of an accountable, audited change control process. These days add ZTNA, MicroSeg, SDN, NIDS/NIPS all sitting on top of your routers, layer 3 switches and whatnot.

It will have anti-malware/threat scanning and application-aware filtering/proxies, and servers, containers etc. tend to be quite predictable, but users are crazy, so you need proxies, SSL decryption, isolation, sandboxes, deep packet inspection, mail security, endpoint security, UEBA and a plethora of technologies all traversing your firewall and its multiple buddies helping to secure your network.

Pulling away from user land a little, you might consider WAFs here as well as capabilities application developers can code in to help protect their application. If all your SQL is generated on box, it’s hard to do injection…

The first metric I’d start with for a firewall, given its potential exposure, is its overall security design and hardening: has it got CVEs? Does the vendor fix them, or let them go unpatched for too long?

All firewalls in enterprises also need central management and accounting - your rules must be updated and you need an immutable record of what happened.

I’ll bow out here…
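Added worked example (an editor's addition, not code from any poster in this thread): two of the indicators the reply above puts ahead of a single effectiveness number, computed over constructed data. The first is vendor patch latency, how long each CVE stays open against a remediation SLA, with still-unfixed CVEs counted as exposed up to the assessment date. The second is change-control accounting: the share of rules in the running config that trace to a logged change with a ticket reference, with the change record kept as a hash chain so that a rewritten entry is detected. The advisory identifiers, dates, SLA bands, ticket numbers and rule names are all made up for illustration.

```python
"""Added example, not from the thread: vendor patch latency against an SLA, and
an append-only, hash-chained rule change record with a change-control coverage
figure. All advisories, rules and tickets are constructed."""
import hashlib
import json
from datetime import date
from statistics import median

# ---- (1) Vendor patch latency: does the vendor fix CVEs or let them sit? ----
# Constructed advisory records; identifiers, scores and dates are made up.
ADVISORIES = [
    {"id": "ADV-A", "cvss": 9.8, "disclosed": date(2023, 1, 10), "fixed": date(2023, 1, 17)},
    {"id": "ADV-B", "cvss": 7.5, "disclosed": date(2023, 3, 2),  "fixed": date(2023, 4, 20)},
    {"id": "ADV-C", "cvss": 5.3, "disclosed": date(2023, 6, 1),  "fixed": None},  # still open
]
AS_OF = date(2023, 7, 1)                       # assessment date for open CVEs
SLA_DAYS = ((9.0, 15), (7.0, 30), (0.0, 90))   # hypothetical SLA by CVSS floor


def sla_for(cvss: float) -> int:
    return next(days for floor, days in SLA_DAYS if cvss >= floor)


def patch_latency(advisories, as_of):
    """Return (fraction fixed within SLA, median days of exposure).
    An unfixed CVE is exposed up to `as_of` and counts as an SLA miss."""
    exposure, within = [], 0
    for a in advisories:
        days = ((a["fixed"] or as_of) - a["disclosed"]).days
        exposure.append(days)
        if a["fixed"] is not None and days <= sla_for(a["cvss"]):
            within += 1
    return within / len(advisories), median(exposure)


# ---- (2) Accountable, tamper-evident rule change record ----
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, entry: dict) -> str:
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_change(log: list, entry: dict) -> list:
    """Append-only: each record commits to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "entry": entry, "hash": _entry_hash(prev, entry)})
    return log


def verify_log(log: list):
    """None if the chain is intact, else the index of the first record whose
    content or linkage no longer matches what was committed."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def change_control_coverage(running_rules, log) -> float:
    """Share of rules in the running config that trace to a logged change with
    a ticket. Rules with no record, or an emergency change never backfilled
    with a ticket, count against the firewall."""
    ticketed = {r["entry"]["rule"] for r in log if r["entry"].get("ticket")}
    return sum(rule in ticketed for rule in running_rules) / len(running_rules)


# Constructed change log and running ruleset.
CHANGE_LOG = []
for change in [
    {"rule": "allow app->db 5432", "ticket": "CHG-1001", "by": "alice"},
    {"rule": "allow web->app 443", "ticket": "CHG-1002", "by": "bob"},
    {"rule": "allow jump->app 22", "ticket": None, "by": "carol"},   # emergency change, no ticket
]:
    append_change(CHANGE_LOG, change)
RUNNING_RULES = ["allow app->db 5432", "allow web->app 443",
                 "allow jump->app 22", "allow any->app any"]       # last one: undocumented drift

if __name__ == "__main__":
    print(patch_latency(ADVISORIES, AS_OF))                    # (0.333..., 30)
    print(change_control_coverage(RUNNING_RULES, CHANGE_LOG))  # 0.5
    print(verify_log(CHANGE_LOG))                               # None
    CHANGE_LOG[2]["entry"]["ticket"] = "CHG-9999"               # someone edits history
    print(verify_log(CHANGE_LOG))                               # 2
```

One caveat on the chain: it catches an edit to any record except the newest one if the editor also recomputes that record's hash, so the latest hash has to be anchored somewhere the firewall administrators cannot write (a SIEM, a WORM store, a signed export). And neither figure is the 96% the original poster wanted; they are inputs to a scorecard, alongside the false-accept/false-reject measurement, rather than a single effectiveness number.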