For busy IT and security administrators, firewalls are akin to the home attic: a lot of stuff accumulates in there over time, and you'd feel better if you cleaned it out, but who's got time? New software from Skybox Security aims to help mid-size shops stop making excuses. The software, called Skybox CertiFire, collects and analyzes firewall configurations to help ensure firewall rules match corporate security policies, spot critical gaps that could lead to trouble and eliminate redundant rules.
"Five years after you set up a firewall, it's got hundreds of rules, and no one knows why some of those rules were put there," says Gidi Cohen, CEO of Skybox Security. CertiFire is built for mid-market organizations, which Skybox describes as companies with one hundred or more employees and more than one firewall in place. The product works out of the box with firewalls from Check Point, Cisco Systems, Juniper Networks and Fortinet. The company says more firewalls are on the roadmap. CertiFire can connect directly to a firewall to ingest its rule set, or administrators can upload configuration files into CertiFire.
Once the configurations are loaded, the software analyzes them, comparing the actual rule sets against corporate policies to look for discrepancies. It will also highlight redundant rules or rules that conflict with one another, and it includes out-of-the-box compliance checks for programs such as PCI. The software can also help ensure that ongoing changes made to firewalls don't expose the organization to unintended risks that will adversely affect regular network service. Administrators can generate reports for internal use and to provide to auditors.
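The redundancy and conflict check described above, as an added illustration that is not Skybox's code: a small first-match analyzer over a constructed rule set that flags a later rule fully covered by an earlier one as redundant (same action) or as a shadowed conflict (opposite action, so the later rule can never fire). The rule fields, first-match semantics and sample addresses are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    dport: tuple    # (low, high) destination port range, inclusive
    action: str     # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src, strict=False).subnet_of(
        ipaddress.ip_network(outer.src, strict=False))
    dst_ok = ipaddress.ip_network(inner.dst, strict=False).subnet_of(
        ipaddress.ip_network(outer.dst, strict=False))
    proto_ok = outer.proto in ("any", inner.proto)
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return src_ok and dst_ok and proto_ok and port_ok


def analyze(rules):
    """First-match rule base: report each rule hidden by an earlier one."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed-conflict"
                findings.append((later.name, kind, earlier.name))
                break  # first covering rule is enough to explain the finding
    return findings


# Constructed sample rule base (addresses are made up for the example).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.1.10/32", "tcp", (443, 443), "allow"),
    Rule("R2", "10.1.0.0/16", "192.168.1.10/32", "tcp", (443, 443), "allow"),   # redundant
    Rule("R3", "10.2.0.0/16", "192.168.1.10/32", "tcp", (443, 443), "deny"),    # never fires
    Rule("R4", "0.0.0.0/0", "192.168.1.0/24", "tcp", (80, 80), "allow"),
    Rule("R5", "172.16.0.0/12", "192.168.1.20/32", "any", (1, 65535), "allow"),
]

if __name__ == "__main__":
    for rule, kind, by in analyze(SAMPLE_RULES):
        print(f"{rule}: {kind} (covered by {by})")
```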
Unlike some competing firewall management products, including Skybox's own enterprise version, Firewall Compliance Auditor, CertiFire does not analyze configurations for other network devices such as switches or routers. It also doesn't integrate with help-desk ticketing systems. This might be a problem in larger organizations that have separate security and network groups, where change requests must follow a standard workflow, but given CertiFire's mid-market target audience, this probably won't be a deal-breaker for many shops.
CertiFire is available immediately. Pricing starts at $630 per firewall per year for ten CertiFire licenses. The company also offers a 14-day free download for up to five firewalls to let potential customers try the software.