For multivendor environments, says Pescatore, the best you'll probably find is a "security dashboard," which lets you see what is happening on the various firewalls. "But it's not a security steering wheel" that lets you make changes if you see a new threat coming, he says.

PentaSafe Security Technologies Inc.'s VigilEnt Security Agent for VPN-1/FireWall-1 (which also requires the VigilEnt Security Manager) provides monitoring only for Check Point's VPN/firewall product. OpenService Inc.'s SystemWatch Security Agent filters and analyzes information from Check Point's FireWall-1/VPN-1 and Axent's Raptor, among other security tools, but offers only limited control capabilities. NetIQ Corp.'s Security Manager provides monitoring and log consolidation from various network devices, but focuses more on ensuring those devices comply with established security rules than on allowing fine-grained management of components such as firewalls.

One option is outsourcing firewall management to a managed security service provider, which may have built proprietary tools to handle such disparate environments. Outsourcing can be a good option for customers who need 24/7 monitoring and are too small to afford their own full-time management staffs, observers say. Depending on the size of the network to be protected, such a service may cost only $50,000-75,000 per year, says Pescatore, far less than the cost of even a single full-time staffer with benefits.

At least one vendor, though, is taking on the task of monitoring and controlling multivendor firewalls through a single console. Ponte Communications Inc. writes to the APIs (application programming interfaces) of different vendors' firewalls (as well as VPNs, routers and other network devices) to control them through a single console. Ponte's nsControl platform consists of control server software, running on a Sun Microsystems Inc. Solaris server, that stores the information needed to manage network security, and network control point software, running on Intel-based hardware around the network, that delivers the necessary changes to local devices. For example, if a network manager wanted to shut down Telnet access to the company's servers through both Check Point and Cisco Systems Inc. firewalls, says Pescatore, he could do that with a single command through the Ponte platform without having to log in to both firewalls.

The downside to this approach, he says, is that management vendors need to update their products whenever any device vendor changes its APIs. He sees such control capabilities eventually being built into wider network or application management tools from larger vendors such as IBM, Hewlett-Packard Co. or BMC Software Inc., which can force the device vendors to write to their APIs, not the other way around.

About the author

Robert L. Scheier writes frequently about security issues from Boylston, Mass. He can be reached at firstname.lastname@example.org.