Firewalls are a mature technology, right? Most companies have at least one, if not several. But over time, firewall rule bases tend to become large and complicated. Not long ago, 200-300 rules were considered excessive. Now, it’s not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones.
Analysing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation. That’s why a new class of products – several of which were tested earlier this month by Network World – are quickly rising in popularity to help network administrators catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.
According to a May 2010 CSO article, “Firewall audit tools automate the otherwise all-but-impossible task of analysing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.”
But even if you only have a couple of firewalls, if they have been in place for even a couple of years, chances are they include rules that are partially or completely unused, that have expired, or that overlap or “shadow” each other.
The problem gets worse if there have been multiple administrators making changes or if there are many firewalls in your organisation. When the rule base gets big and tangled, it starts to affect firewall performance. It is difficult to maintain, and it can conceal genuine security risks. And standards such as PCI-DSS require the clean-up of unused rules and objects.
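An added example of the kind of analysis described above, not code from the article, Tufin or any of the tested products: a first-match shadow and redundancy check over a small constructed rule set. The Rule format, the rule names and addresses are assumptions for illustration only.

```python
"""Find rules that can never match under first-match firewall semantics.

A later rule is 'redundant' when an earlier rule with the same action
already covers every packet it would match, and 'shadowed' when the
covering rule has a different action (a genuine policy conflict).
Rule layout and sample rules are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # CIDR; "0.0.0.0/0" means any source
    dst: str                 # CIDR; "0.0.0.0/0" means any destination
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_dead_rules(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (dead rule, covering earlier rule, kind) for each unreachable rule."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break  # first-match: the first covering rule is the one that fires
    return findings


# Constructed sample rule base (not a real configuration).
RULES = [
    Rule("allow-web",     "allow", "0.0.0.0/0",      "10.1.0.0/24",  "tcp", (80, 80)),
    Rule("deny-legacy",   "deny",  "192.168.0.0/16", "10.1.0.0/24",  "tcp", (80, 80)),
    Rule("allow-dns",     "allow", "10.0.0.0/8",     "10.1.0.53/32", "udp", (53, 53)),
    Rule("allow-dns-old", "allow", "10.2.0.0/16",    "10.1.0.53/32", "udp", (53, 53)),
    Rule("allow-ssh",     "allow", "10.2.0.0/24",    "10.1.0.0/24",  "tcp", (22, 22)),
    Rule("deny-all",      "deny",  "0.0.0.0/0",      "0.0.0.0/0",    "any", (0, 65535)),
]

if __name__ == "__main__":
    for dead, by, kind in find_dead_rules(RULES):
        print(f"{dead}: {kind} by earlier rule {by}")
```

On the sample set this reports `deny-legacy` as shadowed by `allow-web` (the deny never fires, which is the security risk the article warns about) and `allow-dns-old` as redundant with `allow-dns`.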
Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million (£15.7m) to $30 million (£18.9m) in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.
With the help of Tufin Technologies’ customers, I have put together a list of best practices for cleaning up a firewall (or router) rule base:
Enterprises exhaust countless man-hours analysing firewall and router configurations to produce audit reports, only to realise that they do not have a firm grasp on their network access controls and the change-management processes that enable them.
The Network World test lab gave the class of products as a whole a thumbs up. In addition to the core firewall rule base clean-up and optimisation functions, some of the vendors, including Tufin, support a wide variety of switches and routers, which are prone to the same set of issues, and also automate the process for creating, testing and implementing policy (aka rule) changes.
While compliance automation may be sufficient budget justification, firewall management tools also offer tangible business and operational benefits that go beyond audit woes.
Reuven Harrison is CTO of firewall management vendor Tufin Technologies