Automating Firewall Administration
It's time to delegate the manual process of firewall policy changes to software intelligence.
February 1, 2016
Humans have their limits. Take, for example, the possibility for human error when we do highly repetitive manual tasks. And we are not nearly as good at cleaning things up after they're no longer needed as we are at building new things. Ask any enterprise about its firewall ACLs and you’ll likely hear about how afraid the admins are of touching them.
There are plenty of examples of how technology has evolved to accommodate human limitations. For one, the first version of the Internet was built on static routes, but as it grew more dynamic, people quickly realized that having humans reprogram the static routes when things fail or change was not sustainable.
But security has not evolved in a similar way. When a policy about what is allowed or denied changes, firewall administrators take out their secret network decoder rings, convert the policy change from human-understandable language into IP addresses, and update the firewall configuration. As the frequency of these changes grows, more humans with secret network decoder rings are thrown in to handle the changes.
In today’s dynamic and distributed data centers, both the number of firewall rules and the rate of change have spiked so high that the people with the secret network decoder rings are having a hard time keeping up. For example, as application developers move faster and faster, security teams are not able to keep up with the rate of change. The security teams, therefore, either slow the application teams down and get a lot of heat in return, or end up compromising on security by making an error in a hurry or by making a sub-optimal security choice in order to move fast -- and get hacked because of it.
It’s time to hand this manual security translation over to software intelligence that's designed to scale with computing demand. It’s time we let people focus on the high-level policies expressed to the machines in natural language (e.g., “allow the web workloads of my ERP application in production to talk to the database workloads of the same application”) and let the software intelligence turn these policies into the language of the network and IPs.
When IP addresses change, new workloads show up, or existing workloads are decommissioned, the software could recalculate the security policies for those workloads and reprogram them automatically without getting the people involved. This will allow people to move forward with the speed and efficiency of a superhero while still maintaining a tight security posture.
Note that this is quite different from orchestration systems that manage firewall rules. Those are the equivalent of scripts and tools allowing people to reprogram the static routes on multiple routers. The key difference is in what people have to deal with. With the right solution, people will never again have to speak the language of IP addresses and VLANs. Instead, they would only focus on the language of the application, letting the software intelligence translate that into the language of the network 24x7x365, without making any mistakes.
There are several examples of how letting software intelligence handle the repetitive jobs are helping, or will help, us improve the world we live in. Letting the software intelligence drive a car will save human lives; once we get the algorithms right, self-driving cars will be safer than human drivers since they won’t drink, do drugs, text, or sleep while driving. Uber is improving public transportation by letting software do what humans do in taxi dispatch call centers. Wealthfront and Betterment are moving the investing to software via smart algorithms.
It would have been impossible for us to build the current Internet without delegating the responsibility of dealing with changes to software and machines. We are soon reaching a point where it will be impossible for us to keep our infrastructure secure without delegating the responsibility of translating the security from the language that humans speak to the language the network understands.
Mukesh Gupta is director of product management for Illumio. A seasoned product management leader with 15 years of experience in enterprise security, Mukesh drives the software strategy and roadmap for the Illumio Adaptive Security Platform, the company’s flagship product.
Read more about:
2016About the Author
You May Also Like