Regulatory and industry requirements for controlling access to customer information and other critical data place a considerable burden on organizations to make sure their firewall rules and routing tables accurately implement policy.
But firewalls are thick with hundreds, often thousands, of rules accumulated over time. Some may be redundant or simply irrelevant; some may conflict with other rules, especially in hierarchies where, for example, firewall A has a rule allowing traffic but firewall B, downstream of it, blocks that same traffic. Large organizations often have a mix of firewall vendors -- typically Cisco Systems Inc., Check Point Software Technologies Ltd. and perhaps Juniper Networks Inc. -- each with its own configuration format and syntax.
That's where automated firewall management tools are looming larger for organizations that need to cut the job down to size. These tools from a handful of companies, such as AlgoSec Inc., which recently introduced Firewall Analyzer 5.0, Athena Security Inc., RedSeal Systems Inc., SkyBox Security Inc., Secure Passage LLC and Tufin Technologies Ltd., analyze and test firewalls and, in some cases, router configurations and log data. They verify what firewalls are actually doing and model proposed changes before they go live on your networks.
Making sure your firewalls are doing what they are supposed to do is no mean feat, especially in complex environments with tiers of firewalls -- and not only multiple vendors, but perhaps different administrators and different jurisdictions within the organization. Then you have to prove it all to the auditors.
"It's so hard to manually look at rules and figure out if you have a crack," said Eric Ogren, founder and principal analyst of Ogren Group. "You have to look at all possible connections, tighten them down, and then audit becomes a key."
"You need the satisfaction of knowing that your infrastructure is configured securely, and today, that's just too difficult to do manually."
AlgoSec's latest release takes a significant step in this direction, adding the ability to analyze multiple firewalls in a hierarchy across the network, determining not only their individual rules and configurations, but also the dependencies between them.
"The security posture of an organization is realized by the collection of all these firewalls together, plus the structure of the routing across the network," said Avishai Wool, AlgoSec CTO. "You can look at the whole picture and come up with an analysis."
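As an added illustration (not code from the article or from any of the vendors it mentions), the following Python script implements, in miniature, the two checks described above: on a single firewall it finds rules that an earlier rule already covers under first-match evaluation, and across a chain of firewalls it finds flows that an upstream tier permits but a downstream tier drops. The vendor-neutral rule format, the firewall names ("edge", "core") and the rule sets and flows are constructed for the example.

```python
"""Added example (not code from the article or from any vendor mentioned in it):
a toy first-match rule analyzer that finds shadowed rules on one firewall and
allow/deny conflicts between tiers. Rule format, firewall names and rule sets
are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    ports: tuple                    # (low, high) destination ports, inclusive

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])

    def matches(self, src, dst, proto, port):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])


def parse_rules(text):
    """Parse the constructed vendor-neutral format, one rule per line:
    <name> <allow|deny> <src-cidr> <dst-cidr> <tcp|udp|any> <low>-<high>"""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()          # drop trailing comments
        if not line:
            continue
        name, action, src, dst, proto, ports = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        rules.append(Rule(name, action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, (lo, hi)))
    return rules


def shadowed_rules(rules):
    """First-match semantics: a rule fully covered by an earlier rule never
    fires. Same action -> redundant; different action -> the later rule is
    dead and the policy it expresses is silently not enforced."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "never fires"
                out.append((rule.name, earlier.name, kind))
                break
    return out


def decision(rules, src, dst, proto, port, default="deny"):
    """Verdict of one firewall for one flow: (action, name of the rule that fired)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return default, "implicit-default"


def path_conflicts(tiers, flows):
    """Walk each flow through the ordered tiers (edge first). Report flows that
    some tier allows but a tier further downstream drops."""
    findings = []
    for flow in flows:
        verdicts = [(fw, *decision(rules, *flow)) for fw, rules in tiers]
        allow_idx = next((i for i, v in enumerate(verdicts) if v[1] == "allow"), None)
        if allow_idx is None:
            continue
        deny = next((v for v in verdicts[allow_idx + 1:] if v[1] == "deny"), None)
        if deny is not None:
            findings.append((flow, verdicts[allow_idx], deny))
    return findings


# Constructed sample: an edge firewall in front of a core firewall that guards
# the database segment 10.20.5.0/24.
EDGE_RULES = parse_rules("""
a1 allow 0.0.0.0/0   10.20.5.0/24  tcp 443-443   # anyone may reach the DB tier on 443
a2 deny  0.0.0.0/0   10.20.0.0/16  any 0-65535
""")
CORE_RULES = parse_rules("""
b1 allow 10.0.0.0/8  10.20.5.0/24  tcp 443-443   # only internal sources
b2 deny  0.0.0.0/0   10.20.5.0/24  tcp 443-443
b3 allow 10.0.0.0/8  10.20.5.10/32 tcp 443-443   # redundant: b1 already allows it
b4 deny  10.1.0.0/16 10.20.5.0/24  tcp 443-443   # dead: b1 matches first
""")
TIERS = [("edge", EDGE_RULES), ("core", CORE_RULES)]


def flow(src, dst, proto, port):
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, port)


FLOWS = [
    flow("203.0.113.7", "10.20.5.10", "tcp", 443),   # internet -> DB: edge allows, core denies
    flow("10.1.2.3", "10.20.5.10", "tcp", 443),      # internal -> DB: both allow
    flow("10.1.2.3", "10.20.5.10", "tcp", 22),       # internal ssh: both deny, no conflict
]

if __name__ == "__main__":
    for fw, rules in TIERS:
        for later, earlier, kind in shadowed_rules(rules):
            print(f"{fw}: rule {later} is shadowed by {earlier} ({kind})")
    for fl, allow, deny in path_conflicts(TIERS, FLOWS):
        print(f"{fl[0]} -> {fl[1]} {fl[2]}/{fl[3]}: "
              f"{allow[0]} allows via {allow[2]} but {deny[0]} denies via {deny[2]}")
```

Run as-is, the script reports b3 as redundant with b1, b4 as never firing because b1 matches first, and the Internet-to-database flow as allowed by the edge rule a1 but dropped by the core rule b2. Real products do this over the vendors' native syntaxes and over routing tables rather than a fixed tier order, but the shadowing test and the per-tier verdict walk are the core of what they compute.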
Athena Security Inc. took its latest release the other way, introducing FirePac for analyzing and comparing policies and detecting anomalies on individual firewalls. Its first product, Verify, analyzes relationships between firewalls and network infrastructure. FirePac takes Verify's core capabilities down to the single firewall for smaller-scope projects.
Firewall management becomes critical in today's regulatory climate, in which you have to protect sensitive customer and financial data and prove it to auditors' satisfaction. PCI DSS, for example, does not strictly mandate network segmentation, but segmenting back-end databases that hold cardholder data is the standard way to keep the rest of the network out of scope, and assessors expect to see it. Even in the absence of a specific regulatory requirement, segmentation makes sense as a best practice for protecting databases containing, for example, patient information covered by HIPAA.
"Compliance is far and away the number one driver," said Ogren. "The whole principle of having zones of confidential data and being able to control access to, and audit and articulate that control is huge."
As this market matures, vendors are working to integrate their firewall configuration and analysis capabilities into enterprise management processes. Tufin Technologies recently added SecureChange Workflow, a companion to its flagship SecureTrack firewall analysis product. SecureChange automates change management, facilitates security processes, helps enforce separation of duties and carries the necessary information through the change and approval process.
"A person who approves change needs a lot of information at his disposal," said Ruvi Kitov, Tufin CEO. "He needs to know what configuration change is needed, how it conforms to policy."
In addition to compliance, Ogren sees a couple of other strong drivers for this market. Data center consolidation is high on the list, as organizations leverage virtualization and high-bandwidth networks to reduce cost. Firewall management tools can help them plan and correct data path changes between users, applications and storage.
Also, mid-sized and large enterprises often have to deal with mixed-vendor environments, typically because of mergers and acquisitions, sometimes by choice. Products like AlgoSec's firewall analyzer now allow them to manage multiple firewalls across vendors.
AlgoSec's Wool said that firewall optimization -- cleaning up redundant and obsolete rules, etc. -- is becoming an important part of the purchasing decision.
"The main driver early on and until a couple of months ago, has been compliance with regulations like PCI and SOX," he said. "Now, cleanup projects, optimization projects are important."
Ogren, on the other hand, considers firewall optimization "niche-y" and not an important reason for companies to adopt these tools.
"There's nothing wrong with it," he said. "But it just will be a priority for those who need to squeeze every last ounce of performance out of their firewalls to postpone an upgrade. It's kind of like cleaning out our email inbox or My Documents."