AlgoSec Firewall Analyzer 4.0
REVIEWED BY BRAD CAUSEY
AlgoSec Price: Corporate license starts at $4,300, auditor license at $1,400
Managing firewalls across an enterprise becomes increasingly difficult as organizations grow. Between the increase in use of distributed applications and needs for Internet connectivity, firewall rules can become complex and confusing, ultimately leading to misconfigurations and security holes.
AlgoSec's Firewall Analyzer (AFA) simplifies all aspects of firewall management, allowing you to discover and correlate redundant and conflicting ACL entries in routers and firewalls across the enterprise. Change management and regular audits are simplified tenfold, without modifying or interrupting production devices.
Installation is simple. We downloaded an installation file from the customer login page along with instructions and prerequisite information.
AFA can be installed on Red Hat Enterprise Linux and OpenSUSE, but not Windows. Before installation, you must create a dedicated user account and install JRE. Apache is automatically configured with SSL.
The only real issue we have with AFA management is that its dual interfaces force admins to go back and forth between them, which can be cumbersome. The local Linux interface provides user management, configuration options and overall management of the software. The Web-based interface is used more for day-to-day operations and reporting.
AFA's main role is to audit and evaluate firewall policies and configurations in the form of offline or exported configuration files, providing a complete audit without impacting the firewalls. You can import these configuration files directly through firewalls, the management interface or manually, by copying the configuration file. AFA supports Check Point Software Technologies, Cisco Systems and Juniper's Netscreen firewalls, as well as Cisco routers.
The audit engine is remarkable, using mathematical algorithms that calculate every possible packet that could traverse the firewall. This technique covers all external IP addresses, internal IP addresses, ports and protocols. All possible combinations are tested in every direction and on any interface.
Audits produce reports that contain data such as how a given rule or set of rules creates a risk. These risks are then rated, and can be investigated by drilling down to gain an in-depth understanding and suggested remediation. In our testing, for example, AFA detected a combination of rules that allowed UDP port 137 (NetBIOS) between our DMZ and internal network, and a recent change in a TFTP rule that opened the DMZ to inbound and outbound connections.
Reporting is mature and flexible. The executive summary report provides a high-level view of the firewall(s) with findings listed by risk level. This is excellent for aggregating rules on multiple firewalls to determine collective risk. You can also see reports that detail each rule and why it creates a specific risk. The rules and layout are presented in the native firewall format, making interpretation easy.
The change history report simplifies change management, providing an ongoing view of all changes, mitigated risks and new risks. The compliance report gives a top-down view of firewalls analyzed as they apply to a given need.
AFA will greatly simplify firewall troubleshooting, management and compliance.
Testing methodology: Our lab included a single OpenSUSE 10.1 server with the AFA software installed. A number of sample configurations were used from various sources such as Cisco and Check Point firewalls. Configurations were analyzed individually and in groups to determine aggregate accuracy.