
Are firewall managers gate-keepers to the masses? Reuven Harrison CTO, Tufin Technologies

By rotide
Created 11/10/2011 - 08:10

A number of classic scenes in film and literature involve a walled city or castle whose visitors are stopped by a gatekeeper and asked, "Halt, who goes there?" The gatekeeper makes the call on whether the group can pass.

Firewalls are the digital correlate of this archetypal gatekeeper. But unlike the fictional or historical gatekeepers, the number of rules employed by a firewall is mind-boggling. For example, the fellow guarding the Emerald City trying to keep out Dorothy only had to remember: Default Deny ANY for people with the name Dorothy.

In the real world, perimeter firewalls have extremely complex policies made up of hundreds of different rules, or potentially even more. Having the wrong policy can be tantamount to having no firewall in place at all if risky services are allowed to pass or the wrong ports are left open.

As defined in NIST SP 800-41 Guidelines on Firewalls and Firewall Policies [1], the firewall policy "dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types ... including which types of traffic can traverse a firewall under what circumstances." Companies that have taken the time to define their policy and rules usually put firewalls into production with a fairly robust policy set. The problem occurs over time, as change requests are made and administrators are asked to incorporate more and more rules.

Automation and Centralization

How can companies validate that their perimeter devices are making the gatekeeper calls from the same book? One way to get out ahead of the problem is to leverage firewall management solutions, an increasingly popular category of security solutions that enable organizations to manage firewall policies using a centralized management console. Rather than having atomic instances of policies across firewalls that are manually updated, keep all the policies in a central console. Medium and large organizations may have multiple policies depending on the location of the firewall and its specific business purpose. But for each group or set of firewalls that are supposed to share a policy, the central console provides a top-down view, which aids in auditing, reporting, troubleshooting and optimization.

Another benefit of keeping firewall policies in centralized repositories is the ability to automatically check these policies against regulatory requirements like SOX and PCI. If a change in a requirement occurs, automated policy tools can ease the update process by recommending rule changes in product-specific syntax, ensuring effective implementation of the rule regardless of vendor.

To ensure that everybody is successfully implementing the right security policies, organizations need to implement automated solutions that can evaluate risk and compliance at all times.
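A minimal rule-base audit of the kind such tools automate, checking for the two policy failures the article names (a risky service exposed from any source, and a rule shadowed by an earlier, broader one). This is an added example, not code from the article or from Tufin's product; the rule fields, the risky-service list and the sample rules are constructed for illustration.

```python
# Added example (not from the article or any vendor product): a small
# first-match rule-base audit for exposed risky services and shadowed rules.
from dataclasses import dataclass

ANY = "any"
# Constructed list of services a reviewer would usually treat as risky on a
# perimeter device (cleartext or remote-admin protocols); adjust per policy.
RISKY_SERVICES = {"telnet/23", "ftp/21", "smb/445", "rdp/3389"}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "any" or a network label; matching here is exact or "any"
    dst: str
    service: str  # "proto/port" or "any"
    action: str   # "allow" or "deny"

def covers(broad: str, narrow: str) -> bool:
    """A field value covers another if it is 'any' or identical."""
    return broad == ANY or broad == narrow

def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """In first-match order, 'later' never fires if 'earlier' is fully broader."""
    return (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)
            and covers(earlier.service, later.service))

def audit(rules: list[Rule]) -> list[str]:
    """Return one finding string per problem, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        exposed = r.service in RISKY_SERVICES or r.service == ANY
        if r.action == "allow" and r.src == ANY and exposed:
            findings.append(f"{r.name}: allows {r.service} from any source")
        for e in rules[:i]:  # only earlier rules can shadow this one
            if shadowed_by(e, r):
                findings.append(f"{r.name}: shadowed by {e.name}")
                break
    return findings

# Constructed sample rule base, listed in first-match order.
SAMPLE = [
    Rule("r1", "10.0.0.0/8", "dmz-web", "tcp/443", "allow"),
    Rule("r2", ANY, "dmz-ftp", "ftp/21", "allow"),          # risky exposure
    Rule("r3", "10.0.0.0/8", "dmz-web", "tcp/443", "deny"),  # shadowed by r1
    Rule("r4", ANY, ANY, ANY, "deny"),                        # cleanup rule
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Real rule bases need CIDR containment and port-range logic in `covers`; the exact-or-any matching here is the simplification that keeps the example short.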

Can you imagine if our counterparts in literature were so busy looking up whether Dorothy or the Tin Man could enter Emerald City that they either had a long line of people waiting to enter or, because of information they didn't have on hand at the time, let an enemy in or kept important allies out? Security professionals need a new approach to firewall deployment that provides both security and business continuity.

Firewall management solutions provide the ability to create much tighter rule bases that are inherently more secure, compliant and optimized to the needs of the business. Early ROI studies indicate that automation can reduce the time and cost of firewall audits by as much as 75% and, depending on the state of an organization's firewall rule bases, cut the time and cost of firewall management as a whole in half.

At the end of the day, taking advantage of well-applied automation isn't just smart security, it's smart business!

www.tufin.com [2]


Source URL:
https://www.newbusiness.co.uk/articles/it-advice/are-firewall-managers-gatekeepers-masses-reuven-harrison-cto-tufin-technologies