As properly configured access control systems, firewalls are an invaluable layer in a comprehensive security design....
The catch, of course, is the phrase "properly configured." Most firewall configurations begin simple and secure, but grow more complex and ineffectual over time. In this article, I discuss reasons for these problems, and how to choose a firewall management solution to keep clients' firewalls effective and manageable.
There are three primary culprits that contribute to firewall configuration complexity:
The 'fix-it-now' mentality
As help desk calls concerning unknown applications and protocols begin piling up, it is easier for overtaxed firewall administrators to resolve problems with "shot-gun" approaches such as adding rules allowing "Any" sources or protocols.
Managing firewalls from different vendors can seriously amplify an administrator's workload. Often concepts do not translate from vendor to vendor, and those concepts that do are implemented in ways so differing, you begin to wonder if it was done on purpose.
Tactical vs. strategic effects
Short-term fixes lead to lengthy rule base configurations and duplicate or orphaned rules, and over permissive policies. Without effective management tools firewalls lose their strategic place within the security infrastructure.
How can you help your clients tackle these problems? Typically, firewall management approaches fall into one of three categories:
Homegrown / open source
The do-it-yourself approach to firewall management can be both inexpensive and effective if you have the expertise and are not afraid of a little work. However, lack of a comprehensive open source project to manage both configuration and reporting, and limited vendor integrations are significant drawbacks.
Most of the larger firewall vendors (Check Point, Cisco, Juniper, etc.) have centralized firewall management systems offering configuration, logging and historical reporting. The strengths and features of the systems vary widely with each vendor, but the common weakness is that each system only supports that vendor's firewall.
A few companies have introduced products aimed at cross platform firewall management and monitoring. For example, the SecureTrack product from Tufin Technologies allows auditing rule base changes on multiple firewalls. Third-party products can offer more management features and broader support than management tools from firewall vendors.
The best choice for your client will be dictated by the number and type of firewalls deployed, as well as the feature set you need in order to effectively manage the firewalls. Here are some things to consider when choosing an effective solution – be it open source or a third-party product:
Obviously, the solution needs to support your client's current firewall vendors, but you should look for or build a solution that supports many firewall vendors in the same range as the client's current deployment. You never know when your client's environment will change. A management tool that supports changing infrastructures is invaluable.
Best practices analysis
Firewall vendors implement technology in different ways, but best practices, such as denying all traffic not explicitly allowed and logging suspicious activity, are universally accepted, and should be implemented and monitored across all firewalls in any firewall management solution.
Pre-built or "canned" reporting quickly produces reports with general information, but also look for the ability to define reports on all information collected. This level of granularity is imperative for reporting on unusual patterns or specific incident scenarios.
Firewalls require careful configuration and monitoring to remain effective. The tools and approaches mentioned here can greatly enhance the management and security of your client's first line of network defense.
About the author
Chris Clements is a security architect for Flat Earth Networking Inc., a dedicated information security company based in Nashville, Tenn. Over the past six years, Chris has dedicated himself to every facet of information security. As a result, he has expertise in numerous security systems, security policy, vulnerability assessment and business case analysis. In January of 2007, Chris was chosen by Flat Earth Networking to launch a consulting offering including research, design, auditing and education for the Fortune 1000 customer market.