Firewalls are a mature technology, right? Most companies have at least one, if not several. But over time, firewall rule bases tend to become large and complicated. Not long ago, 200-300 rules were considered excessive. Now, it’s not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones.
Analysing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation. That’s why a new class of products – several of which were tested earlier this month by Network World – are quickly rising in popularity to help network administrators catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.
According to a May 2010 CSO article, “Firewall audit tools automate the otherwise all-but-impossible task of analysing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.”
But even if you only have a couple of firewalls, if they have been in place for even a couple of years, chances are they include rules that are either partially or completely unused, expired or overlap or “shadow” each other.
The problem gets worse if there have been multiple administrators making changes or if there are many firewalls in your organisation. When the rule base gets big and tangled, it starts to affect firewall performance. It is difficult to maintain, and it can conceal genuine security risks. And standards such as PCI-DSS require clean up of unused rules and objects.
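The checks described above (rules that are fully covered by an earlier rule, rules that duplicate an earlier one, and rules past their expiry date) are mechanical once the rule base is in a structured form. The following is an added illustration, not code from the article or from Tufin's products: a small Python audit over a constructed five-rule base. The rule format, the first-match evaluation order, the IP ranges and the expiry dates are all assumptions made for the example.

```python
"""Find shadowed, redundant and expired rules in a small firewall rule base.

Assumes first-match semantics: the first rule that matches a packet decides.
A later rule whose traffic is entirely covered by an earlier rule can never fire;
if the actions differ it is "shadowed" (a likely misconfiguration), if they are
the same it is "redundant" (safe to remove).
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    ports: Tuple[int, int]          # inclusive destination port range; (0, 65535) = any
    action: str                     # "allow" or "deny"
    expires: Optional[date] = None  # review date recorded by change management, if any


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    return (
        inner.src.subnet_of(outer.src)
        and inner.dst.subnet_of(outer.dst)
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def audit(rules: List[Rule], today: date) -> Dict[str, list]:
    """Return shadowed/redundant pairs (later rule, earlier rule) and expired rule names."""
    findings: Dict[str, list] = {"shadowed": [], "redundant": [], "expired": []}
    for i, rule in enumerate(rules):
        if rule.expires is not None and rule.expires < today:
            findings["expired"].append(rule.name)
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[kind].append((rule.name, earlier.name))
                break  # the first covering rule is the one that decides
    return findings


# Constructed sample rule base (hypothetical addresses from documentation ranges).
SAMPLE_RULES = [
    Rule("r1-web-in", ip_network("0.0.0.0/0"), ip_network("10.0.1.10/32"),
         "tcp", (443, 443), "allow"),
    Rule("r2-dmz-block", ip_network("0.0.0.0/0"), ip_network("10.0.1.0/24"),
         "any", (0, 65535), "deny"),
    # r3 allows HTTP to the web host, but r2 already denies all of 10.0.1.0/24 first.
    Rule("r3-web-http", ip_network("0.0.0.0/0"), ip_network("10.0.1.10/32"),
         "tcp", (80, 80), "allow"),
    # r4 is a narrower copy of r1 with the same action: it never adds anything.
    Rule("r4-web-dup", ip_network("192.0.2.0/24"), ip_network("10.0.1.10/32"),
         "tcp", (443, 443), "allow"),
    # r5 was a temporary vendor access rule whose review date has passed.
    Rule("r5-vendor", ip_network("198.51.100.5/32"), ip_network("10.0.2.0/24"),
         "tcp", (22, 22), "allow", expires=date(2010, 1, 31)),
]


def audit_sample() -> Dict[str, list]:
    """Run the audit against the constructed rule base as of a fixed date."""
    return audit(SAMPLE_RULES, today=date(2010, 6, 1))


if __name__ == "__main__":
    for kind, items in audit_sample().items():
        print(f"{kind}: {items}")
```

The audit deliberately stops at the first covering rule, which mirrors how the firewall itself evaluates the base; a real tool would also have to expand named objects and groups into addresses and handle IPv6, but the covering test is the same.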
Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million (£15.7m) to $30 million (£18.9m) in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.
With the help of Tufin Technologies’ customers, I have put together a list of best practices for cleaning up a firewall (or router) rule base:
Enterprises exhaust countless man-hours analysing firewall and router configurations to produce audit reports, only to realise that they do not have a firm grasp on their network access controls and the change-management processes that enable them.
The Network World test lab gave the class of products as a whole a thumbs up. In addition to the core firewall rule base clean up and optimisation functions, some of the vendors, including Tufin, support a wide variety of switches and routers, which are prone to the same set of issues, and also automate the process for creating, testing, and implementing policy (aka rule) changes.
While compliance automation may be sufficient budget justification, firewall management tools also offer tangible business and operational benefits that go beyond audit woes.
Reuven Harrison is CTO of firewall management vendor Tufin Technologies