The problem is almost as old as the firewall: Keep your business safe without impeding operations; keep dangerous traffic out while making sure legitimate traffic moves freely and quickly. That's not always easy, especially in large, distributed enterprises.
Over time, hundreds of firewalls, often from multiple vendors, spawn thousands of rules, many redundant or obsolete. Performance degrades and the network may be at risk without your knowledge. Change management becomes a formidable challenge in this environment--testing the impact of new rules, making sure an apparently redundant rule is really redundant and an obsolete rule is never actually used.
"The process was manual, intensive and prone to error," says Dave Witherspoon, director of technical security and forensic services at Canadian-based Scotia Bank. "We lacked confidence cleaning up old rules, in case someone was still using them."
It doesn't have to be that way. Automated firewall configuration management tools from companies including AlgoSec, Secure Passage and Tufin Technologies allow organizations like Scotia Bank to weed out old and redundant rules without risk, and test new and modified rules before risking them in production.
"Change management is a rigid process at Scotia Bank. We have strict guidelines and practices," says Witherspoon, who has deployed AlgoSec's Firewall Analyzer on a number of Scotia Bank's core firewalls. "Now we have the ability to be proactive around change. We've eliminated risk and freed resources."
These products make good sense, both as business enablers and security tools. While regulatory compliance and security are important considerations, keeping business running smoothly may be the biggest incentive.
"A lot of times customers are driven by recent events," says Ruvi Kitov, CEO of Tufin Technologies, maker of SecureTrack. "Business continuity is a stronger driver. A security incident often goes unreported, even within an organization, but it's tough to hide when customers can't reach you."
"The requirement comes from security, but operational benefits drive the purchase," says Jody Brazil, CTO for SecurePassage, which sells FireMon.
Brazil says the market for firewall management tools is growing rapidly. Tufin, he says, projects double revenue over last year, with similar growth expected in coming years. Most of the business for these products will come from large enterprises, which need to make sense of complex mazes of rules accumulated over time. Typically, they have multiple firewall vendors, often a result of mergers and acquisitions, but sometimes, as with Scotia Bank, by design. "It's good security," says Scotia's Witherspoon.
"We've seen significant improvement around performance, change and availability. We've eliminated redundant rules," he says. "It allows a firewall to do what a firewall is supposed to do."