I am investigating a product that promises to ease multivendor firewall management, but I find it hard to believe that it's possible to write one rule set that can be applied to multiple vendors' firewalls without exceptions or failures. What's your take on the maturity of multivendor firewall management technology?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
When it comes to firewall management, being able to make changes both across the board and to an individual firewall is important. In the long run, most firewalls pretty much do the same function, but in a slightly different manner. When you add next-generation firewalls (NGFWs) into the mix, you have a completely different beast to think about.
Most of the multivendor firewall management software products I've seen promise to ease the difficulties posed by a few key problems that come with managing firewalls made by more than one vendor, specifically by doing the following:
- Analyzing the rule base to verify regulatory compliance
- Determining which rules on the firewalls can be cleaned by running discoveries against the firewalls
- Monitoring and recording what changes were made to the rule base, and
- Converting rule bases from one vendor to another
There are some systems that allow you to create a single dashboard for all of your network devices and offer the ability to log in to them and make changes. However, I'm not aware of systems that allow you to push a firewall change to multiple, disparate vendors with a single command. It's possible that there are such vendors, but I'd be curious as to how they deal with the different methods of pushing rules to disparate vendors, especially when NGFWs are involved. Now that firewall vendors are moving away from the typical quintuple method of analyzing packets and moving into application and behavior analysis, pushing a rule isn't always a cookie-cutter approach, especially between vendors.
On the other hand, if you're running many different instances of the same firewall platform in your enterprise, most vendors provide a management system capable of pushing rules to each of those devices from a centralized management package. In addition to providing you with a convenient way to manage the firewall rules, this approach also allows you to monitor the devices centrally.
In my opinion, having a firewall management product that allows you to perform the functions that I mentioned earlier is well worth the money, but having a system that will push standardized rules to multiple, disparate firewalls is somewhat worrying.
This was first published in March 2013