TechWeb

Guarding the Guards

Oct 23, 2009 (08:10 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=220900170


Firewalls are a standard component of an organization's security strategy. As such, they should be properly configured to block unwanted activity and routinely tested to ensure they're operating as intended.

However, even a midsize organization may have a large number of firewalls at different points of the network, including the perimeter, various network segments, and branch and remote offices. Keeping track of configurations and changes is time-consuming, tedious, and often ignored.

That's a problem. For one, a misconfiguration can open unintended holes in the company's defenses. For another, requirements such as PCI DSS requirement 1.1.6, which calls for firewall and router rule sets to be reviewed at least every six months, compel organizations to routinely audit and test firewalls. Failure to meet these requirements can result in fines and other penalties.

A class of products exists to help staff assess and manage firewall configurations to ensure they meet corporate security policies. Some of these products also can help optimize configurations by identifying redundant or unsafe rules, and a few can provide visual maps of how traffic travels through the organization.

Organizations that invest in a firewall configuration management product can reduce the amount of time administrators spend trying to manage and audit configurations, meet compliance obligations, and be confident that their firewall policies are actually serving their intended purpose: to manage risk.

Note, however, that these products don't know the business justification for every rule. For instance, a rule that matches traffic only once a quarter may be flagged as unused by the firewall management software, yet that rule may exist for the finance department's quarterly closeout activities and shouldn't be removed. These products are no substitute for administrators' knowledge and insight.

Check The Rules

Each product in this market starts with firewall rule auditing. This is a base capability; from here, some vendors add the ability to audit other network devices and build maps of communication pathways and threat visualization. As you add features, the price goes up.

Algosec's Firewall Analyzer lets administrators test potential configurations before making actual changes to a firewall rule set. This way, administrators can see how the changes might affect the security of the network without the risk of opening holes or disrupting business traffic.

Athena Security's FirePAC product lets administrators query all the rules in a firewall configuration to see which network services can reach a target IP address. It can also find duplicate or redundant rules.

RedSeal's Network Analyzer associates vulnerabilities from Qualys and other vulnerability scanners with systems or network segments, visually maps network paths, and combines the two data sets to provide insight into where attackers could travel after compromising a system. RedSeal analyzes not just firewall configurations but switches, routers, and load balancers to provide a visual map of the network.

FireMon from Secure Passage provides robust assessment capabilities. It separates duties between those assessing the firewalls and those with permissions to make changes. This is a useful feature as many organizations require a separate group, such as a network operations team, to actually make changes to network devices.

Skybox Security's Firewall Compliance Auditor supports a variety of firewalls out of the box. It can also work with unsupported firewalls through an API. This is useful if you have older or open source devices. Skybox also analyzes configurations from firewalls, routers, switches, and load balancers.

Tufin's Secure Track product analyzes firewall rule utilization. Tufin can show administrators which rules aren't used, which are heavily used, and whether the configuration includes duplicate or overlapping rules. This lets firewall administrators prune and reorder the rule base for better performance.

Tufin also presents its analysis in the format and conventions used by the firewall it's analyzing. For instance, if an administrator is reviewing policies on Check Point firewalls, the analysis is presented in a format that Check Point users will be comfortable with. This feature is available for a variety of firewall vendors.
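The checks described above, finding duplicate, overlapping and unused rules and answering the question of which services can reach a target address, all come down to comparing rules in the order the firewall evaluates them. The following Python script is an added example written for this page; it is not code from any vendor named in the article. Its rule set, address ranges and hit counters are constructed for illustration, and it assumes a first-match policy with an implicit deny at the end.

```python
"""Toy first-match firewall rule auditor.
Added example for this page; not code from any product named in the article.
All rules, addresses and hit counts below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any
    hits: int = 0            # match counter as a firewall would report it (constructed)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Rules that can never match because an earlier rule already covers them.
    Same action: the later rule is redundant and can be removed.
    Different action: the later rule is shadowed, so its intent is silently defeated."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


def find_unused(rules: List[Rule]) -> List[str]:
    """Rules with no hits. A zero counter alone does not say why the rule is idle."""
    return [r.name for r in rules if r.hits == 0]


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation of one flow, with an implicit deny at the end."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, r.name
    return "deny", "implicit-deny"


def services_reaching(rules: List[Rule], target_ip: str) -> List[Tuple[str, str, Tuple[int, int]]]:
    """(source, proto, ports) exposed on target_ip by allow rules that are not shadowed.
    An earlier deny that only partially overlaps an allow is not subtracted: some
    sources still get through, so the allow is reported; use decide() per flow."""
    dead = {name for name, _, _ in find_shadowed(rules)}
    target = ip_address(target_ip)
    return [(r.src, r.proto, r.ports) for r in rules
            if r.action == "allow" and r.name not in dead and target in ip_network(r.dst)]


# Constructed rule set: a management network, a DMZ web host at 10.20.0.10 and
# a database host at 10.20.0.20, with a few typical mistakes baked in.
RULES = [
    Rule("mgmt-ssh",      "allow", "10.10.0.0/24",   "10.20.0.10/32", "tcp", (22, 22),     hits=4812),
    Rule("deny-any-ssh",  "deny",  "0.0.0.0/0",      "10.20.0.0/24",  "tcp", (22, 22),     hits=37),
    Rule("web-in",        "allow", "0.0.0.0/0",      "10.20.0.10/32", "tcp", (443, 443),   hits=912330),
    Rule("web-in-dup",    "allow", "0.0.0.0/0",      "10.20.0.10/32", "tcp", (443, 443),   hits=0),
    Rule("vendor-ssh",    "allow", "203.0.113.5/32", "10.20.0.10/32", "tcp", (22, 22),     hits=0),
    Rule("quarter-close", "allow", "10.30.0.0/24",   "10.20.0.20/32", "tcp", (1433, 1433), hits=0),
    Rule("block-legacy",  "deny",  "10.40.0.0/16",   "10.20.0.0/24",  "any", (0, 65535),   hits=129),
]

if __name__ == "__main__":
    for name, kind, by in find_shadowed(RULES):
        print(f"{name}: {kind}, covered by {by}")
    print("unused:", find_unused(RULES))
    print("10.20.0.10 reachable via:", services_reaching(RULES, "10.20.0.10"))
    print("legacy net -> web 443:", decide(RULES, "10.40.1.1", "10.20.0.10", "tcp", 443))
    print("vendor -> ssh:", decide(RULES, "203.0.113.5", "10.20.0.10", "tcp", 22))
```

Two things the output shows that a hit counter alone does not: vendor-ssh has zero hits because the earlier deny-any-ssh rule shadows it, not because nobody needs it, while quarter-close also has zero hits and is exactly the legitimate once-a-quarter rule the text warns against deleting. The decide() query also shows that block-legacy sits after web-in, so the legacy network still reaches port 443 on the web host. Real products do this same analysis across each vendor's syntax, address objects and service groups, which this toy omits.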

FIREWALL MANAGEMENT OPTIONS

Vendor           | Product                     | Installation                             | Supported devices
Algosec          | Firewall Analyzer           | Software                                 | Firewalls, routers
Athena Security  | FirePAC                     | Software                                 | Firewalls
RedSeal          | Network Analyzer            | Software or appliance                    | Firewalls, switches, routers, load balancers
Secure Passage   | FireMon                     | Software or appliance                    | Firewalls, Cisco routers and switches
Skybox Security  | Firewall Compliance Auditor | Software or appliance                    | Firewalls, routers and switches, load balancers
Tufin            | Secure Track                | Software, appliance or virtual appliance | Firewalls, routers and switches, load balancers

Make Your Choice

Products are available as software or appliances. They obtain rule sets in one of two ways: by connecting directly to each device and pulling its configuration, or by reading configuration files exported to a file share. Pulling directly from the device gives the most current view, but if the extra load on production devices is a concern, or if rules change daily and you would rather not have the analysis tool polling the devices for every change, a scheduled export to a file share makes more sense. In addition, the network operations group may not allow a security administrator to connect directly to its devices at all.

Depending on the size of the network and the capacity of the product, a single software deployment or appliance may be sufficient to monitor your organization's network. However, potential customers must ensure the product can scale.

For instance, FireMon can be installed with a master system that aggregates data from multiple collectors distributed around the organization. Other products use a single appliance or software installation that connects to all the devices itself.

How many devices a single management system can handle depends less on the raw device count than on the complexity of the configurations being processed. For instance, 100 devices with fairly simple rule sets will tax a firewall management system much less than 20 devices with configurations of 10,000 lines each.

Potential customers should also pay attention to the reports these products generate. Managers always want the high-level analysis so they can understand (or think they understand) what's going on. Auditors want detailed records to assess the evolution of your security posture. Internal staff may just want to see what's required to get the job done. Report formats that meet the demands of different user groups should be a key criterion for products on your short list.

Our Take
FIREWALL MANAGEMENT TOOLS
Misconfigured firewalls can expose an organization to attack. Software is available to ensure firewall rules match security policies.
Configuration management tools also reduce the time administrators must spend tracking and maintaining the rules.
In addition to reducing exposure, these products can help organizations meet industry regulations such as PCI.
Some products also check configurations of switches, routers, and other network devices.
For advanced organizations and administrators, some products offer an API that lets an organization extract the data and use it in other applications or reporting formats. This allows data from multiple products to be correlated into a single, organization-wide view of security rather than a set of isolated reports.

All Fired Up

If your organization has multiple firewalls or a lot of rules or complex configurations, or if it undergoes a fair amount of auditing, you are the perfect candidate for one of these products.

Firewall management tools can help organizations manage risk by providing greater visibility into how written security policies are actually translated into real-world traffic patterns and data flows.

Adam Ely is an information security consultant.