This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
The problem is almost as old as the firewall: Keep your business safe without impeding operations; keep dangerous traffic out while making sure legitimate traffic moves freely and quickly. That's not always easy, especially in large, distributed enterprises.
Over time, hundreds of firewalls, often from multiple vendors, spawn thousands of rules, many of them redundant or obsolete. Performance degrades as every packet is checked against rules that can never match, and a forgotten rule may leave the network exposed without your knowledge. Change management becomes a formidable challenge in this environment: testing the impact of a new rule before it is pushed, confirming that an apparently redundant rule really is covered by an earlier rule with the same action, and confirming that a supposedly obsolete rule is never actually hit by live traffic.
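The checks described above can be stated precisely for a first-match rule base. The following is an added example, not code from the article or from any of the vendor tools it mentions: it walks an ordered rule list and flags rules that are redundant (fully covered by an earlier rule with the same action), shadowed (fully covered by an earlier rule with a different action, which usually means the later rule never did what its author intended), and unused (reachable but with a zero hit counter). It also dry-runs a proposed insertion to see which existing rules it would silence. The rule set, the hit counters and the field layout are constructed for the example and assume first-match semantics; real exports will need a parser for the vendor's syntax.

```python
"""Added example: redundant/shadowed/unused rule analysis for a first-match firewall policy.
Not from the article or any vendor product; the rules below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dports: Tuple[int, int]   # inclusive destination port range
    action: str               # "allow" or "deny"
    hits: int = 0             # hit counter as exported by the firewall (constructed here)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.proto == "any" or outer.proto == inner.proto)
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def analyze(rules: List[Rule]) -> Dict[str, list]:
    """Classify each rule under first-match semantics.

    A rule fully covered by an earlier rule can never fire, so it is dead
    either way; the action of the covering rule tells us whether removing
    it is harmless (redundant) or whether the policy is probably wrong
    (shadowed). A reachable rule with zero hits is a retirement candidate,
    but only after the hit window has covered the traffic's natural cycle.
    """
    findings: Dict[str, list] = {"redundant": [], "shadowed": [], "unused": []}
    for i, rule in enumerate(rules):
        # earliest covering rule is the one that actually wins under first-match
        cover = next((e for e in rules[:i] if covers(e, rule)), None)
        if cover is not None:
            key = "redundant" if cover.action == rule.action else "shadowed"
            findings[key].append((rule.name, cover.name))
        elif rule.hits == 0:
            findings["unused"].append(rule.name)
    return findings


def insert_impact(rules: List[Rule], new: Rule, position: int) -> List[str]:
    """Dry-run a change: names of existing rules that become dead if `new`
    is inserted at `position`, i.e. the rules the change would silently disable."""
    proposed = rules[:position] + [new] + rules[position:]
    before = analyze(rules)
    after = analyze(proposed)
    dead_before = {n for n, _ in before["redundant"] + before["shadowed"]}
    dead_after = {n for n, _ in after["redundant"] + after["shadowed"]}
    return sorted(dead_after - dead_before)


ANY4 = ip_network("0.0.0.0/0")

# Constructed sample policy, in firewall order (first match wins).
SAMPLE_RULES = [
    Rule("allow-web-from-corp", ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32"),
         "tcp", (80, 443), "allow", hits=12345),
    Rule("allow-https-from-branch", ip_network("10.20.0.0/16"), ip_network("192.0.2.10/32"),
         "tcp", (443, 443), "allow", hits=0),          # redundant: inside the rule above
    Rule("deny-telnet", ANY4, ANY4, "tcp", (23, 23), "deny", hits=7),
    Rule("allow-legacy-telnet", ip_network("10.5.0.0/16"), ip_network("192.0.2.20/32"),
         "tcp", (23, 23), "allow", hits=0),            # shadowed: deny-telnet wins first
    Rule("allow-dns", ANY4, ip_network("192.0.2.53/32"), "udp", (53, 53), "allow", hits=99),
    Rule("allow-old-ftp", ip_network("10.0.0.0/8"), ip_network("192.0.2.21/32"),
         "tcp", (21, 21), "allow", hits=0),            # reachable but never hit
]

# Proposed change to dry-run: a blanket deny to the DNS host at the top of the policy.
PROPOSED_DENY = Rule("deny-all-to-dns-host", ANY4, ip_network("192.0.2.53/32"),
                     "any", (0, 65535), "deny")

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_RULES).items():
        print(kind, items)
    print("rules silenced by proposed change:", insert_impact(SAMPLE_RULES, PROPOSED_DENY, 0))
```

Two caveats a practitioner would apply before acting on the output: hit counters on most platforms reset on reload or failover, so a zero count only means "unused since the counter last reset", and a rule that serves a monthly or quarterly job needs a window at least that long before it is called obsolete; and full coverage by a single earlier rule is a sufficient test for deadness, but a rule can also be dead because several earlier rules together cover it, which this simple check will not report.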
"The process was manual, intensive and prone to error," says Dave Witherspoon, director of technical security and forensic services at Canada's Scotia Bank. "We lacked confidence cleaning up old rules, in case someone was still using them."
It doesn't have to be that way. Automated firewall configuration management tools from companies including AlgoSec, Secure Passage and Tufin Technologies allow organizations like Scotia Bank to identify old and redundant rules, confirm that nothing still depends on them, and remove them with far less risk, and to test new and modified rules before they go into production.
"Change management is a rigid process at Scotia Bank. We have strict guidelines and practices," says Witherspoon, who has deployed AlgoSec's Firewall Analyzer on a number of Scotia Bank's core firewalls. "Now we have the ability to be proactive around change."
These products make good sense, both as business enablers and security tools. While regulatory compliance and security are important considerations, keeping business running smoothly may be the biggest incentive.
This was first published in October 2007