Corporate firewalls usually contain a security-Pandora's box of rules, representing prioritized sequences of allow or deny decisions that only the most brave security operator dares to modify. Removing or re-sequencing firewall rules runs the risk of blocking approved business communications or of opening a hole exposing the business to unauthorized traffic.
It is near impossible for a human to manually audit firewall rules across the enterprise to reduce risk, optimize firewall device performance, and streamline data paths through routers, switches and firewalls. Security teams are turning to firewall management tools to perform security audits of the infrastructure and automate operational control of the firewalls.
The total annual market size for privately held firewall management vendors is well below $100 million, though the vendors are posting healthy year-over-year increases in their business. Companies providing firewall rules management include AlgoSec Inc., Athena Security Inc., Firemon, RedSeal Systems Inc., Secure Passage LLC, Skybox Security Inc. and Tufin Software Technologies Ltd. Firewall management software can help ease the burden since corporate networks are far too complex to navigate manually. Network administrators use tools to provide a roadmap of network flows to perform periodic security audits of the infrastructure, and to control the workflow of change to firewall rules to ensure consistency across the network.
When evaluating a firewall management vendor check out how they satisfy these primary requirements:
- Segment sensitive applications from general business traffic. For example, PCI mandates firewalls are configured to partition credit card processing systems from the rest of the network to prevent leakage of consumer data. Corporate policies also may dictate isolation of datacenters or network operating centers. IT needs to tightly configure the relationships between firewalls to allow only application data and to block all other access, and then periodically verify there has been no drift in the rules that would create a security risk.
- Implement workflow controls and operational processes to ensure consistency across the network. Security teams implementing process control over firewall rule changes are finding operational benefits in fewer service calls, less time to meet firewall service calls, quality improvements through peer reviews and approvals, and easier maintenance of a compliant state.
- Gain a consolidated business view across a multivendor firewall environment. Some firewalls have thousands of atomic-level rules while other vendors support fewer, more comprehensive rule sets. It may be challenging to rationalize the security policy expressed in rules across firewall devices from different vendors such as Check Point Systems Inc., Cisco Systems Inc. and Juniper Networks Inc.
- Improve network performance and effectiveness by coordinating firewalls, routers and switches. Every rule that needs to be checked in a firewall, router or switch adds latency. For instance, it is not uncommon for firewalls to contain rules that must be checked, even though an upstream router decision renders the firewall rules superfluous because the affected traffic can never reach the firewall. Organizations optimizing the performance of network devices need tools to compare the configurations of firewalls, routers and switches to identify rules that can be safely removed.
The firewall management vendors may tout that removing rules from firewalls provides a performance boost that also extends the life of the firewall device. However, most organizations prefer to buy a faster firewall device rather than run the risk of removing rules that turn out to be needed. The firewall management market may turn into technology that leverages network security audit services with product features shifting to operational workflow controls and diagnostic efficiencies. Enterprises with complex networks should use tools to check that firewall configuration rules are not creating security holes.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.