Oct 23, 2009 (08:10 PM EDT)
Guarding the Guards
Read the Original Article at InformationWeek
Firewalls are a standard component of an organization's security strategy. As such, they should be properly configured to block unwanted activity and routinely tested to ensure they're operating as intended.
However, even a midsize organization may have a large number of firewalls at different points of the network, including the perimeter, various network segments, and branch and remote offices. Keeping track of configurations and changes is time-consuming, tedious, and often ignored.
That's a problem. For one, a misconfiguration can open unintended holes in the company's defenses. For another, requirements such as PCI DSS requirement 1.1.6, which calls for firewall and router rule sets to be reviewed at least every six months, compel organizations to audit and test firewalls routinely. Failure to meet these requirements can result in fines and other penalties.
A class of products exists to help staff assess and manage firewall configurations to ensure they meet corporate security policies. Some of these products also can help optimize configurations by identifying redundant or unsafe rules, and a few can provide visual maps of how traffic travels through the organization.
Organizations that invest in a firewall configuration management product can reduce the amount of time administrators spend trying to manage and audit configurations, meet compliance obligations, and be confident that their firewall policies are actually serving their intended purpose: to manage risk.
Note, however, that these software products don't know the business justifications for all the rules. For instance, a rule that's hit only once a quarter may be flagged as unused by the firewall management software. However, that rule may exist for the finance department's quarterly closeout activities and shouldn't be removed. These products are no substitute for administrators' knowledge and insight.
Check The Rules
Each product in this market starts with firewall rule auditing. This is a base capability; from here, some vendors add the ability to audit other network devices and build maps of communication pathways and threat visualization. As you add features, the price goes up.
Algosec's Firewall Analyzer lets administrators test potential configurations before making actual changes to a firewall rule set. This way, administrators can see how the changes might affect the security of the network without the risk of opening holes or disrupting business traffic.
Athena Security's FirePAC product lets administrators query all the rules in a firewall configuration to see which network services can reach a target IP address. It can also find duplicate or redundant rules.
RedSeal's Network Analyzer associates vulnerabilities from Qualys and other vulnerability scanners with systems or network segments, visually maps network paths, and combines the two data sets to provide insight into where attackers could travel after compromising a system. RedSeal analyzes not just firewall configurations but switches, routers, and load balancers to provide a visual map of the network.
Skybox Security's Firewall Compliance Auditor supports a variety of firewalls out of the box. It can also work with unsupported firewalls through an API. This is useful if you have older or open source devices. Skybox also analyzes configurations from firewalls, routers, switches, and load balancers.
Tufin's Secure Track product analyzes firewall rule utilization. Tufin can show administrators which rules aren't used, which are highly used, and whether the configuration includes duplicate or overlapping rules. This feature lets firewall administrators optimize the firewall for better performance.
Tufin also presents its analysis in the format and conventions used by the firewall it's analyzing. For instance, if an administrator is reviewing policies on Check Point firewalls, the analysis is presented in a format that Check Point users will be comfortable with. This feature is available for a variety of firewall vendors.
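The two analyses described above, a reachability query of the kind FirePAC offers ("which services can reach this target, from where, and under which rule?") and the duplicate and overlapping-rule detection Tufin performs, both come down to reasoning about first-match rule order. The following is an added example written for this page, not code from any of the vendors named; the one-line rule format, the rule names and the sample rule set are all constructed for illustration.

```python
"""Toy first-match firewall rule analyzer (added example, not vendor code).

Implements a reachability query and shadowed/redundant-rule detection over a
hypothetical text rule format: 'name action src dst proto port|lo-hi|any'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    ports: range                 # destination ports; range(0, 65536) means any


def parse_rule(line):
    """Parse one rule line in the hypothetical format described above."""
    name, action, src, dst, proto, port = line.split()
    if port == "any":
        ports = range(0, 65536)
    elif "-" in port:
        lo, hi = port.split("-")
        ports = range(int(lo), int(hi) + 1)
    else:
        ports = range(int(port), int(port) + 1)
    return Rule(name, action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, ports)


def matches(rule, src_ip, dst_ip, proto, port):
    return (src_ip in rule.src and dst_ip in rule.dst
            and rule.proto in ("any", proto) and port in rule.ports)


def first_match(rules, src_ip, dst_ip, proto, port):
    """Return the first rule matching the packet, or None (implicit default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule
    return None


def services_reaching(rules, target, services):
    """Which of the given (proto, port) services are allowed to reach target,
    from which source network, and which rule grants it.  Every source network
    that appears in the rule set is probed with its first address."""
    reach = []
    for src_net in sorted({r.src for r in rules}):
        probe = str(src_net.network_address)
        for proto, port in services:
            hit = first_match(rules, probe, target, proto, port)
            if hit is not None and hit.action == "allow":
                reach.append((str(src_net), proto, port, hit.name))
    return reach


def covers(outer, inner):
    """True if every packet that inner matches is also matched by outer."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and inner.ports.start >= outer.ports.start
            and inner.ports.stop <= outer.ports.stop)


def find_shadowed(rules):
    """A later rule fully covered by an earlier one can never fire.  Same action:
    redundant (a cleanup candidate).  Different action: shadowed, i.e. the later
    rule's intent is silently lost, which is the kind of hole an audit must surface."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


# Constructed sample rule set (hypothetical; not taken from any real device).
SAMPLE_RULES = [parse_rule(line) for line in """
r1 allow 10.0.0.0/8    192.168.1.10/32 tcp 443
r2 deny  10.0.0.0/8    192.168.1.0/24  tcp 22
r3 allow 10.5.0.0/16   192.168.1.0/24  tcp 22
r4 allow 10.0.0.0/8    192.168.1.10/32 tcp 443
r5 allow 10.0.0.0/8    192.168.1.20/32 tcp 1024-65535
r6 allow 10.1.0.0/16   192.168.1.20/32 udp 53
""".strip().splitlines()]

if __name__ == "__main__":
    for row in services_reaching(SAMPLE_RULES, "192.168.1.10",
                                 [("tcp", 22), ("tcp", 443), ("udp", 53)]):
        print("reachable:", row)
    for name, kind, by in find_shadowed(SAMPLE_RULES):
        print(f"{name} is {kind} (covered by {by})")
```

On the sample set the query reports that only tcp/443 reaches 192.168.1.10, from all three source networks, via r1. The shadow check reports r4 as redundant with r1 and r3 as shadowed by r2: the SSH exception someone added for 10.5.0.0/16 never takes effect because the broader deny sits above it. Whether that is a bug or deliberate is exactly the business-justification question the products cannot answer on their own, so findings like these are review items, not automatic deletions.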
Make Your Choice
Products are available as software or appliances. The products either connect directly to devices and import the rules, or process the rules from a file share. Obviously, grabbing the rules from the device provides the best real-time results, but if performance is a concern or if rules change daily, a file share makes more sense. In addition, the network operations group may not allow a security administrator to connect directly to their devices.
Depending on the size of the network and the capacity of the product, a single software deployment or appliance may be sufficient to monitor your organization's network. However, potential customers must ensure the product can scale.
For instance, Firemon can be installed with a master system that aggregates data from multiple collectors around the organization. Other products use one appliance or software installation to connect to all the devices.
The capacity of a single management system depends on both how many devices it collects from and how complex each configuration is. For instance, 100 devices with fairly simple rule sets will tax a firewall management device much less than 20 devices with configurations of 10,000 lines each.
Potential customers should also pay attention to the reports these products generate. Managers always want the high-level analysis so they can understand (or think they understand) what's going on. Auditors want detailed records to assess the evolution of your security posture. Internal staff may just want to see what's required to get the job done. Report formats that meet the demands of different user groups should be a key criterion for products on your short list.
All Fired Up
If your organization has multiple firewalls, a lot of rules, or complex configurations, or if it undergoes a fair amount of auditing, it is a strong candidate for one of these products.
Firewall management can help organizations better manage risks by providing greater visibility into how security policies are actually being translated into real-world traffic patterns and data flow.
Adam Ely is an information security consultant.