Norbert Pohlmann, a director at Internet security specialist Utimaco and author of a new book entitled Firewall Systems, said the mismanagement of software is putting firms at risk. "We recently found that only two of 50 firewalls at a leading Swiss bank were functioning as they should, while the rest were configured incorrectly," said Pohlmann. "IT managers still don't seem to understand the risks. They spend money on security products and fail to manage them. Companies need to understand security at a conceptual level to reduce risk, as there are so many threats out there such as viruses, hackers and so forth."
Pohlmann recommended that the management of security systems should only be carried out by trusted personnel or outsourced to specialists. "The deployment of [security products] requires that the users be trained properly," he said.
In a recent survey of 445 IT directors attending the IT Directors' Forum 2001, just under half said firms should appoint a dedicated digital security expert, compared with 31 percent who opposed this approach.
Analysts said IT managers find some products particularly difficult to configure and control, and manageability rather than price should be the main concern when buying a firewall product.
José López, lead analyst for European network security at industry watcher Frost & Sullivan, said, "IT managers should not base their choice of firewall on price, but should test products to find the right one for their organization. Firewalls are something you must get right from the beginning." López also criticised a number of manufacturers for their emphasis on functionality. "Some vendors focus on adding competitive capabilities to firewalls over ease of management," he said.
There are a number of security-policy management solutions available to simplify the provisioning and management of firewalls, switches and routers.