October 15, 2008, 2:53 PM — Managing firewall rule sets and policies is a complex and messy business. Simply following a few best practices can go a long way to simplify your life, cut costs, and improve security.
When it comes to much discussed IT topics, this one certainly doesn't make the list – but it should. In fact, it's one of the most manually intensive, costly aspects of managing almost any network infrastructure and requires a high level of expertise to get right. Furthermore, make a single mistake and applications get cut off, transactions don't get processed, and management consoles quickly go from green to red. We're talking about firewall management.
While the average firewall holds thousands of rules, more complex environments may hold ten times that many. Because of this complexity, most organizations make what should be a simple firewall change and then hope for the best—that applications and remote offices don't get cut off and that customer transactions continue to flow. Unfortunately, it doesn't matter which firewall vendor you choose — Cisco, Juniper, CheckPoint, Fortinet, IBM/ISS Linux, or Nortel — these management complexities are true across the board. When talking to customers, we found that it takes, on average, about 3 hours of testing and analysis to implement a single rule change. Multiply that by 2-3 regular firewall changes a day for a small company to tens of changes a day for larger enterprises. Then, multiply that by five, ten, or 100 actual firewalls and you begin to see the magnitude of the management burden we're talking about.
What organizations need to do to attain a high level of efficiency and slash the cost of firewall management is to put into place several best practices that make it possible to quickly review, model, and test any firewall changes before they're implemented.
Unfortunately, that's easier written than put into practice. First, it's a challenge to keep the network expertise necessary for successful, long-term, sustainable firewall management. Employees naturally shift positions and job roles as they're promoted or leave the company. And as they leave, so does their understanding of the complex matrix of firewall rules. And the older your network, the more challenging this becomes as years of firewall rules layer on top of one another.
These challenges are steep enough, even in a company that has managed to put into place good change control procedures — but most companies don't have that luxury. They have different network segments using firewalls from different vendors and they're rushed to make changes to solve the business need of the day. This complexity is amplified by different geographic regions and divisions managing their networks in their own way. Even companies that do have good change management procedures in place find that they expend too much labor getting there, and make too many mistakes that jeopardize both availability and security.
Here are the best practices that will help you streamline your firewall management:
Best Practice #1: Accurate Topology. The first step is to get a clear picture of your network by creating an accurate representation of your network topology. While this used to be a challenge, many tools are available today that actually will automate much of this task. As the old business maxim goes, you can't manage what you can't measure. You need to take these snapshots often.
Best Practice #2: Centralized Rule Management. Whether it's a change management database or a tool designed specifically to manage firewall rules centrally, you need a "single source of truth" where all of your rule sets are stored and managed. This not only simplifies their management, but also protects against employees leaving and taking your policy configuration expertise with them. With this repository in place, you'll also be assured that you're implementing all of your firewall policies consistently throughout the organization.
Best Practice #3: Test Before Implementing. To avert potential business downtime, have a rigorous and meticulous change-request and review process in place. Each change needs to be scrutinized to determine what business applications and processes are dependent on the rule to ensure there's no disruption of service once implemented. Ideally, for this step, you should consider using modeling software that will enable you to test these changes in a staged environment, before they're made on production systems. Some of these modeling systems today enable users to translate high level business policy change requests into device-level instructions that provide a simple representation of complex policies and networks. The goal is to simplify complexity, and strip out human error.
Don't think of these best practices as one-time events. Rather, these need to be viewed as a continuous set of processes for network and application discovery and firewall rule management. Because of their complexity, rule changes can't be tested adequately in the lab. When testing a new rule change, your network becomes vulnerable. It's like a balancing act without a safety net, until the rule is verified as correct. So, before any proposed network changes are set, they need to be tested as realistically as possible, so network administrators can spot potential trouble areas.
Managing and modeling your network firewall rules in this way brings a tremendous number of benefits. First, by streamlining the time-consuming and often error-prone processes, from an estimated 30 hours a day to a few minutes, small teams now can manage a vast number of firewalls, no matter how many different vendors' products are used in their network. What's more, application availability is improved, and costly mistakes that freeze transactions are nearly eliminated.
Finally, the primary reasons all of those firewalls were installed in the first place are greatly enhanced: security and compliance. When new attacks surface, and they always do, it's much more straightforward to make on-the-fly firewall changes to block or at least mitigate the risk of the attack — without the worry of affecting the network negatively. And with today's rapidly moving threats, organizations no longer have the luxury of days or weeks to push out changes needed to secure applications. These changes need to be completed accurately within minutes. The only way to get there is to have these best practices in place, and model and test any and all changes to your firewall rule sets. It will cut your infrastructure management costs dramatically, and even heighten your security along the way.