COLUMN

IT pros find corporate firewall rules tough to navigate

By Eric Ogren 15 Jun 2009 | SearchSecurity.co.UK Digg This!     StumbleUpon     Del.icio.us

Corporate firewalls usually contain a security-Pandora's box of rules, representing prioritized sequences of allow or deny decisions that only the most brave security operator dares to modify. Removing or re-sequencing firewall rules runs the risk of blocking approved business communications or of opening a hole exposing the business to unauthorized traffic.

It is near impossible for a human to manually audit firewall rules across the enterprise to reduce risk, optimize firewall device performance, and streamline data paths through routers, switches and firewalls. Security teams are turning to firewall management tools to perform security audits of the infrastructure and automate operational control of the firewalls.

The total annual market size for privately held firewall management vendors is well below $100 million, though the vendors are posting healthy year-over-year increases in their business. Companies providing firewall rules management include AlgoSec Inc., Athena Security Inc., Firemon, RedSeal Systems Inc., Secure Passage LLC, Skybox Security Inc. and Tufin Software Technologies Ltd. Firewall management software can help ease the burden since corporate networks are far too complex to navigate manually. Network administrators use tools to provide a roadmap of network flows to perform periodic security audits of the infrastructure, and to control the workflow of change to firewall rules to ensure consistency across the network.

When evaluating a firewall management vendor check out how they satisfy these primary requirements:

• Segment sensitive applications from general business traffic. For example, PCI mandates firewalls are configured to partition credit card processing systems from the rest of the network to prevent leakage of consumer data. Corporate policies also may dictate isolation of datacenters or network operating centers. IT needs to tightly configure the relationships between firewalls to allow only application data and to block all other access, and then periodically verify there has been no drift in the rules that would create a security risk.

• Implement workflow controls and operational processes to ensure consistency across the network. Security teams implementing process control over firewall rule changes are finding operational benefits in fewer service calls, less time to meet firewall service calls, quality improvements through peer reviews and approvals, and easier maintenance of a compliant state.

• Gain a consolidated business view across a multivendor firewall environment. Some firewalls have thousands of atomic-level rules while other vendors support fewer, more comprehensive rule sets. It may be challenging to rationalize the security policy expressed in rules across firewall devices from different vendors such as Check Point Systems Inc., Cisco Systems Inc. and Juniper Networks Inc.

• Improve network performance and effectiveness by coordinating firewalls, routers and switches. Every rule that needs to be checked in a firewall, router or switch adds latency. For instance, it is not uncommon for firewalls to contain rules that must be checked, even though an upstream router decision renders the firewall rules superfluous because the affected traffic can never reach the firewall. Organizations optimizing the performance of network devices need tools to compare the configurations of firewalls, routers and switches to identify rules that can be safely removed.

The firewall management vendors may tout that removing rules from firewalls provides a performance boost that also extends the life of the firewall device. However, most organizations prefer to buy a faster firewall device rather than run the risk of removing rules that turn out to be needed. The firewall management market may turn into technology that leverages network security audit services with product features shifting to operational workflow controls and diagnostic efficiencies. Enterprises with complex networks should use tools to check that firewall configuration rules are not creating security holes.

Tags: Threat and Vulnerability Management,  Endpoint and NAC Protection,  Security Policies and User Awareness,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns Security Policies and User Awareness Cloud-based services require stalwart business continuity plans Preventing phishing attacks: Enterprise best practices CISOs take measured steps to reduce social media risks Increasing information security awareness in the enterprise How to develop a culture of security in the enterprise Creating and enforcing a clear-desk policy Physical security threats: Don't gift your data away Cut down on calls to help desk with cybersecurity awareness training Layoffs prompt insider threat fears, cybersecurity survey finds How to write an information security policy

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary