Strategic Firewall Policy Management

By Christophe Briguet, Exaprotect |  Security, change management, firewall management

Managing firewall rule sets and policies is a complex and messy business. Simply following a few best practices can go a long way to simplify your life, cut costs, and improve security.

When it comes to much discussed IT topics, this one certainly doesn’t make the list – but it should. In fact, it’s one of the most manually intensive, costly aspects of managing almost any network infrastructure and requires a high level of expertise to get right. Furthermore, make a single mistake and applications get cut off, transactions don’t get processed, and management consoles quickly go from green to red. We’re talking about firewall management.

While the average firewall holds thousands of rules, more complex environments may hold ten times that many. Because of this complexity, most organizations make what should be a simple firewall change and then hope for the best—that applications and remote offices don’t get cut off and that customer transactions continue to flow. Unfortunately, it doesn’t matter which firewall vendor you choose — Cisco, Juniper, CheckPoint, Fortinet, IBM/ISS Linux, or Nortel — these management complexities are true across the board. When talking to customers, we found that it takes, on average, about 3 hours of testing and analysis to implement a single rule change. Multiply that by 2-3 regular firewall changes a day for a small company to tens of changes a day for larger enterprises. Then, multiply that by five, ten, or 100 actual firewalls and you begin to see the magnitude of the management burden we’re talking about.

What organizations need to do to attain a high level of efficiency and slash the cost of firewall management is to put into place several best practices that make it possible to quickly review, model, and test any firewall changes before they’re implemented.

Unfortunately, that’s easier written than put into practice. First, it’s a challenge to keep the network expertise necessary for successful, long-term, sustainable firewall management. Employees naturally shift positions and job roles as they’re promoted or leave the company. And as they leave, so does their understanding of the complex matrix of firewall rules. And the older your network, the more challenging this becomes as years of firewall rules layer on top of one another.

These challenges are steep enough, even in a company that has managed to put into place good change control procedures — but most companies don’t have that luxury. They have different network segments using firewalls from different vendors and they’re rushed to make changes to solve the business need of the day. This complexity is amplified by different geographic regions and divisions managing their networks in their own way. Even companies that do have good change management procedures in place find that they expend too much labor getting there, and make too many mistakes that jeopardize both availability and security.

Here are the best practices that will help you streamline your firewall management:

Best Practice #1: Accurate Topology. The first step is to get a clear picture of your network by creating an accurate representation of your network topology. While this used to be a challenge, many tools are available today that actually will automate much of this task. As the old business maxim goes, you can’t manage what you can’t measure. You need to take these snapshots often.

Best Practice #2: Centralized Rule Management. Whether it’s a change management database or a tool designed specifically to manage firewall rules centrally, you need a “single source of truth” where all of your rule sets are stored and managed. This not only simplifies their management, but also protects against employees leaving and taking your policy configuration expertise with them. With this repository in place, you’ll also be assured that you’re implementing all of your firewall policies consistently throughout the organization.

Best Practice #3: Test Before Implementing. To avert potential business downtime, have a rigorous and meticulous change-request and review process in place. Each change needs to be scrutinized to determine which business applications and processes depend on the rule, to ensure there’s no disruption of service once it is implemented. Ideally, for this step, you should consider using modeling software that will enable you to test these changes in a staged environment before they’re made on production systems. Some of these modeling systems today enable users to translate high-level business policy change requests into device-level instructions that provide a simple representation of complex policies and networks. The goal is to simplify complexity and strip out human error.

Don’t think of these best practices as one-time events. Rather, these need to be viewed as a continuous set of processes for network and application discovery and firewall rule management. Because of their complexity, rule changes can’t be tested adequately in the lab. When testing a new rule change, your network becomes vulnerable. It’s like a balancing act without a safety net, until the rule is verified as correct. So, before any proposed network changes are set, they need to be tested as realistically as possible, so network administrators can spot potential trouble areas.
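As an added illustration of the modeling step in Best Practice #3 and the realistic pre-deployment testing argued for above (example code written here, not from the article or any Exaprotect product): a small first-match rule model that replays the business flows that depend on the rule set against a proposed change and flags any rule the change would shadow. The rule names, addresses, ports and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"
    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))
    def covers(self, other: "Rule") -> bool:
        # True when every packet matching `other` also matches self
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))

def evaluate(rules, src_ip, dst_ip, dport):
    # First-match semantics with an implicit deny at the end of the list
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action
    return "deny"

def shadowed_rules(rules):
    # A rule that an earlier rule covers entirely can never be hit
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

def impact_of_change(current, proposed, flows):
    # Flows whose verdict changes plus rules the proposed set shadows; both empty when safe
    broken = {}
    for app, (s, d, p) in flows.items():
        before, after = evaluate(current, s, d, p), evaluate(proposed, s, d, p)
        if before != after:
            broken[app] = (before, after)
    return broken, shadowed_rules(proposed)

# Constructed sample data: the flows each application needs, and the current rule set
BUSINESS_FLOWS = {"web-to-app": ("10.1.1.10", "10.2.1.20", 8443),
                  "app-to-db": ("10.2.1.20", "10.3.1.30", 5432),
                  "branch-to-app": ("192.168.50.5", "10.2.1.20", 8443)}
CURRENT = [Rule("allow-web-app", "10.1.1.0/24", "10.2.1.0/24", 8443, "allow"),
           Rule("allow-app-db", "10.2.1.0/24", "10.3.1.0/24", 5432, "allow"),
           Rule("allow-branch", "192.168.50.0/24", "10.2.1.0/24", 8443, "allow")]
# Proposed change: a broad deny inserted at the top, meant to block branch networks
PROPOSED = [Rule("deny-branch-all", "192.168.0.0/16", "10.0.0.0/8", None, "deny")] + CURRENT
```

Running `impact_of_change(CURRENT, PROPOSED, BUSINESS_FLOWS)` shows the proposed deny cuts off the branch application and makes `allow-branch` dead, which is exactly the kind of outcome a review should catch before the change reaches production.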

Managing and modeling your network firewall rules in this way brings a tremendous number of benefits. First, by streamlining the time-consuming and often error-prone processes, from an estimated 30 hours a day to a few minutes, small teams can now manage a vast number of firewalls, no matter how many different vendors’ products are used in their network. What’s more, application availability is improved, and costly mistakes that freeze transactions are nearly eliminated.

Finally, the primary reasons all of those firewalls were installed in the first place are greatly enhanced: security and compliance. When new attacks surface, and they always do, it’s much more straightforward to make on-the-fly firewall changes to block or at least mitigate the risk of the attack — without the worry of affecting the network negatively. And with today’s rapidly moving threats, organizations no longer have the luxury of days or weeks to push out changes needed to secure applications. These changes need to be completed accurately within minutes. The only way to get there is to have these best practices in place, and model and test any and all changes to your firewall rule sets. It will cut your infrastructure management costs dramatically, and even heighten your security along the way.
