
Guarding the Guards

Firewalls are a standard component of an organization's security strategy. As such, they should be properly configured to block unwanted activity and routinely tested to ensure they're operating as intended.

However, even a midsize organization may have a large number of firewalls at different points of the network, including the perimeter, various network segments, and branch and remote offices. Keeping track of configurations and changes is time-consuming, tedious, and often ignored.


That's a problem. For one, a misconfiguration can open unintended holes in the company's defenses. For another, requirements such as PCI section 1.1.6 compel organizations to routinely audit and test firewalls. Failure to meet these requirements can result in fines and other penalties.

A class of products exists to help staff assess and manage firewall configurations to ensure they meet corporate security policies. Some of these products also can help optimize configurations by identifying redundant or unsafe rules, and a few can provide visual maps of how traffic travels through the organization.

Organizations that invest in a firewall configuration management product can reduce the amount of time administrators spend trying to manage and audit configurations, meet compliance obligations, and be confident that their firewall policies are actually serving their intended purpose: to manage risk.

Note, however, that these software products don't know the business justification for every rule. For instance, a rule that's used only once a quarter may be flagged by the firewall management software as unused. However, that rule may exist for the finance department's quarterly closeout activities and shouldn't be removed. These products are no substitute for administrators' knowledge and insight.

Check The Rules

Each product in this market starts with firewall rule auditing. This is a base capability; from here, some vendors add the ability to audit other network devices and build maps of communication pathways and threat visualization. As you add features, the price goes up.

Algosec's Firewall Analyzer lets administrators test potential configurations before making actual changes to a firewall rule set. This way, administrators can see how the changes might affect the security of the network without the risk of opening holes or disrupting business traffic.

Athena Security's FirePAC product lets administrators query all the rules in a firewall configuration to see which network services can reach a target IP address. It can also find duplicate or redundant rules.

RedSeal's Network Analyzer associates vulnerabilities from Qualys and other vulnerability scanners with systems or network segments, visually maps network paths, and combines the two data sets to provide insight into where attackers could travel after compromising a system. RedSeal analyzes not just firewall configurations but switches, routers, and load balancers to provide a visual map of the network.


FireMon from Secure Passage provides robust assessment capabilities. It separates duties between those assessing the firewalls and those with permission to make changes. This is a useful feature, since many organizations require a separate group, such as a network operations team, to actually make changes to network devices.

Skybox Security's Firewall Compliance Auditor supports a variety of firewalls out of the box. It can also work with unsupported firewalls through an API. This is useful if you have older or open source devices. Skybox also analyzes configurations from firewalls, routers, switches, and load balancers.

Tufin's Secure Track product analyzes firewall rule utilization. Tufin can show administrators which rules aren't used, which are highly used, and whether the configuration includes duplicate or overlapping rules. This feature lets firewall administrators optimize the firewall for better performance.

Tufin also presents its analysis in the format and conventions used by the firewall it's analyzing. For instance, if an administrator is reviewing policies on Check Point firewalls, the analysis is presented in a format that Check Point users will be comfortable with. This feature is available for a variety of firewall vendors.
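The three checks described above (Athena's "which services can reach this host" query, Tufin's duplicate and overlapping rule detection, and the unused-rule flagging that should respect a business justification such as the finance department's quarterly job) are simple to illustrate against a small rule base. The following Python script is an added example written for this article; it is not code from any of the vendors discussed. It models a first-match rule base with a constructed set of sample rules and hit counters (the `hits` field stands in for the per-rule counters a firewall's logs would supply), and the rule names, addresses and justification text are made up for the illustration.

```python
"""Toy firewall rule auditor (added example, not any vendor's product code).

Implements, over a constructed first-match rule base:
  * find_shadowed     - rules an earlier rule already fully covers (dead rules)
  * services_reaching - which candidate services can reach a target host
  * unused_rules      - zero-hit rules that lack a documented justification
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]      # inclusive destination port range
    hits: int = 0               # constructed stand-in for the firewall's rule hit counter
    justification: str = ""     # owner-supplied business reason, may be empty


def rule(name, action, proto, src, dst, ports, hits=0, justification=""):
    return Rule(name, action, proto, ip_network(src), ip_network(dst), ports, hits, justification)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    net_ok = inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
    port_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and net_ok and port_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) name pairs. A rule is shadowed when an
    earlier rule matches everything it would, so it can never fire: it is
    redundant at best and, if the actions differ, a misconfiguration."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out


def decide(rules, proto, src_ip, dst_ip, port, default="deny"):
    """First-match evaluation: returns (action, matching rule name)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("any", proto) and s in r.src and d in r.dst
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, r.name
    return default, "<default>"


def services_reaching(rules, src_ip, dst_ip, candidates):
    """Subset of candidate (proto, port) services allowed from src to dst."""
    return [(p, port) for p, port in candidates
            if decide(rules, p, src_ip, dst_ip, port)[0] == "allow"]


def unused_rules(rules):
    """Zero-hit rules with no documented justification. An idle but
    justified rule (the quarterly finance job) is deliberately not flagged."""
    return [r.name for r in rules if r.hits == 0 and not r.justification]


# Constructed sample rule base; addresses and names are illustrative only.
SAMPLE_RULES = [
    rule("r1-web-in",   "allow", "tcp", "0.0.0.0/0",   "10.0.1.10/32", (443, 443),   hits=91230),
    rule("r2-admin",    "allow", "tcp", "10.0.9.0/24", "10.0.1.0/24",  (22, 22),     hits=412),
    rule("r3-admin-h",  "allow", "tcp", "10.0.9.5/32", "10.0.1.10/32", (22, 22),     hits=0),  # fully covered by r2
    rule("r4-fin-q",    "allow", "tcp", "10.0.5.0/24", "10.0.1.20/32", (1433, 1433), hits=0,
         justification="Finance quarterly closeout batch"),
    rule("r5-legacy",   "allow", "udp", "10.0.7.0/24", "10.0.1.30/32", (161, 161),   hits=0),
    rule("r6-deny-all", "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",    (0, 65535),   hits=55000),
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(SAMPLE_RULES))
    print("reachable from 10.0.9.5 to 10.0.1.10:",
          services_reaching(SAMPLE_RULES, "10.0.9.5", "10.0.1.10",
                            [("tcp", 22), ("tcp", 443), ("tcp", 3389), ("udp", 161)]))
    print("unused, unjustified:", unused_rules(SAMPLE_RULES))
```

Real products work from the vendor's own configuration syntax and handle object groups, NAT and multiple interfaces, none of which this toy models; the point is that shadowing is a set-containment check against all earlier rules, reachability is a first-match walk, and the unused-rule report should carry the rule owner's justification alongside the hit count so a reviewer sees why an idle rule exists before deleting it.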

Vendor           | Product                      | Installation                            | Supported devices
Algosec          | Firewall Analyzer            | Software                                | Firewalls, routers
Athena Security  | FirePAC                      | Software                                | Firewalls
RedSeal          | Network Analyzer             | Software or appliance                   | Firewalls, switches, routers, load balancers
Secure Passage   | FireMon                      | Software or appliance                   | Firewalls, Cisco routers and switches
Skybox Security  | Firewall Compliance Auditor  | Software or appliance                   | Firewalls, routers and switches, load balancers
Tufin            | Secure Track                 | Software, appliance or virtual appliance | Firewalls, routers and switches, load balancers
