Skybox Brings Firewall Management To The Masses
Posted by Andrew Conry-Murray on January 26, 2010
For busy IT and security administrators, firewalls are akin to the home attic--a lot of stuff accumulates in there over time, and you'd feel better if you cleaned it out, but who's got time? New software from Skybox Security aims to help mid-size shops stop making excuses. The software, called Skybox CertiFire, collects and analyzes firewall configurations to help ensure firewall rules match corporate security policies, spot critical gaps that could lead to trouble and eliminate redundant rules.
"Five years after you set up a firewall, it's got hundreds of rules, and no one knows why some of those rules were put there," says Gidi Cohen, CEO of Skybox Security. CertiFire is built for mid-market organizations, which Skybox describes as companies with one hundred or more employees and more than one firewall in place. The product works out of the box with firewalls from Check Point, Cisco Systems, Juniper Networks and Fortinet. The company says more firewalls are on the roadmap. CertiFire can connect directly to a firewall to ingest its rule set, or administrators can upload configuration files into CertiFire.
Once the configurations are loaded, the software analyzes them. It compares the actual rule sets against corporate policies to look for discrepancies, and it highlights redundant rules and rules that conflict with one another. It also includes out-of-the-box compliance checks for programs such as PCI. The software can further help ensure that ongoing changes made to firewalls don't expose the organization to unintended risks or adversely affect regular network service. Administrators can generate reports for internal use and to provide to auditors.
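The two analysis steps the article describes, flagging rules that are redundant or in conflict and comparing a rule set against a stated policy, are illustrated below with a small first-match rule analyzer. This is an added example written for this page, not Skybox code and not any vendor's rule format; the six-field rule syntax, the sample rule set and the policy entries are all constructed for the illustration.

```python
"""Toy first-match firewall rule analysis.

Added example (not Skybox code). The rule syntax below is constructed:
    <name> <allow|deny> <src-cidr> <dst-cidr> <tcp|udp|any> <port|any>
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed rule syntax."""
    name, action, src, dst, proto, port = line.split()
    return Rule(name, action, ip_network(src), ip_network(dst), proto,
                None if port == "any" else int(port))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """In a first-match engine a rule fully covered by an earlier rule is never
    hit: it is redundant if the actions agree, and a conflict if they differ.
    Returns (shadowed rule, kind, shadowing rule) for the first cover found."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


def first_match(rules: List[Rule], src: str, dst: str, proto: str,
                dport: int, default: str = "deny") -> str:
    """Return the action the rule set applies to a single flow (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return default


def check_policy(rules: List[Rule], policy) -> List[Tuple[str, str, str]]:
    """policy entries: (description, src, dst, proto, dport, required action).
    Returns (description, required, actual) for every discrepancy."""
    violations = []
    for desc, src, dst, proto, dport, required in policy:
        actual = first_match(rules, src, dst, proto, dport)
        if actual != required:
            violations.append((desc, required, actual))
    return violations


# Constructed sample rule set: R3 and R5 are redundant, R4 conflicts with R2,
# and R6 is the kind of catch-all that accumulates over years.
RULES = [parse_rule(l) for l in """
R1 allow 10.0.0.0/8      192.168.1.10/32 tcp 443
R2 deny  0.0.0.0/0       192.168.1.0/24  tcp 23
R3 allow 10.1.0.0/16     192.168.1.10/32 tcp 443
R4 allow 0.0.0.0/0       192.168.1.20/32 tcp 23
R5 deny  203.0.113.0/24  192.168.1.20/32 tcp 23
R6 allow 0.0.0.0/0       0.0.0.0/0       any any
""".splitlines() if l.strip()]

# Constructed policy: what the organisation says the firewall must do.
POLICY = [
    ("no telnet from Internet to DMZ", "198.51.100.7", "192.168.1.20", "tcp", 23, "deny"),
    ("no unrestricted inbound",        "198.51.100.7", "192.168.1.50", "tcp", 3389, "deny"),
    ("HTTPS to app server allowed",    "10.1.2.3",     "192.168.1.10", "tcp", 443, "allow"),
]

if __name__ == "__main__":
    for shadowed, kind, by in find_shadowed(RULES):
        print(f"{shadowed}: {kind}, never reached because of {by}")
    for desc, required, actual in check_policy(RULES, POLICY):
        print(f"policy violation: {desc}: required {required}, got {actual}")
```

Running it reports R3 and R5 as redundant, R4 as a conflict hidden behind R2, and one policy violation: the catch-all R6 allows the inbound RDP flow the policy says must be denied. Real products handle ordered chains, object groups, NAT and multiple vendors' syntaxes, but the two checks are the same: pairwise coverage for shadowing, and first-match evaluation of representative flows against the written policy.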
Unlike some competing firewall management products, including Skybox's own enterprise version, Firewall Compliance Auditor, CertiFire does not analyze configurations for other network devices such as switches or routers. It also doesn't integrate with help-desk ticketing systems. This might be a problem in larger organizations that have separate security and network groups, where change requests must follow a standard workflow, but given CertiFire's mid-market target audience, this probably won't be a deal-breaker for many shops.
CertiFire is available immediately. Pricing starts at $630 per firewall per year for ten CertiFire licenses. The company also offers a 14-day free download for up to five firewalls to let potential customers try the software.
Comment by Smithwill on January 26, 2010 2:21 PM
Actually, I like to think of a firewall as part of the network management process. And I like to think of my network as a living room of sorts. It should be a comfortable place where I can relax and engage in pleasantries and whatnot. If I need to do some serious reading, I can go into the living room and get the work done without disruption. I'm so familiar with this living room that if anything is the slightest bit out of place I notice it and can begin asking: why is this out of order? Who has been here? (cleaning person or ne'er-do-well) What's going on? Running a Firebox system may help answer some of these questions after the fact, but based on my viewing the demo I most definitely don't feel like I'm sitting on a comfy couch in my living room.
I am not a firewall geek but I do understand what one must address traffic-wise. A firewall analysis tool may be useful to identify NIST rule gaps though, ultimately, the firewall/IT managers must examine traffic flows and communications to determine if they are allowed or not. There will always be activities that are allowed to pass through the firewall. The point here is there is only so much visibility that a firewall or rule management system can provide. Somebody still has to look at the traffic and do diagnostics to know whether the rules are sound or not.
Analyze the rules if you'd like, but I'd rather get a comfortable chair and manage the network like I'm sitting in my living room. Believe it or not, this is my business philosophy and the reason we created Congruity Inspector Software. True story! We really care about the over-burdened administrator and want to give them an easy process that makes their job easier. Call me sentimental or old fashioned. I just think of myself as a nice guy.