I finally dragged myself back to the gym yesterday afternoon. Having lapsed during the holiday break and procrastinated for weeks, things were beginning to look kind of uglier in the mirror.
It was painful but I have to say that I am feeling a lot better this morning – even the profile seems to have improved overnight!
If only I had one of these magic machines that I see on TV every night promising six-packs without any pain. They had one in the gym just like on TV but I don’t think it was working properly.
I’m pretty much the same with everything; it’s the getting started part that kills me but once I’m in the groove then I’m OK. And this is very often the case with firewalls. Talk with any firewall administrator and suggest that they clean up their rule base and you will get the familiar groan of someone who knows they need to do it but just don’t know where to start.
The problem for many administrators is that their firewall environment is like my garage. I know it’s in there somewhere but I have no idea where and it’s a dirty job to go looking for it.
The situation is that in many organisations you are dealing with hundreds of firewalls and security devices with complex rule bases and firewall management systems are not intended to help you with optimisation. After all the more rules you have the sooner you’ll need to upgrade your box. In other words it is not commercially interesting to help you clean up the mess!
Add to this the multiple data centers and time zones, many administrators with varying levels of skill and experience, and possibly dozens of configuration changes each day.
As new requests arrive there is frequently a manual approval process. Literally sitting down with a document and examining the request to see if it complies with organisational security policy.
And if this wasn’t bad enough, once you’ve figured out that the request is OK you have to figure out where to put it. You end up in “What If” world – What if the rule already exists; what if an object is already in a rule allowing this service or disallowing it; what if this rule overlaps with an existing rule; what if I place this in the wrong place and I break something else, etc.
In fact I’ve just realised that tax inspectors would probably make the ultimate firewall administrators because they don’t miss anything!
But the bottom line is that sooner or later you have to bite the bullet and get “on your bike” and lose that excess weight because the potential risks to your organisation both in terms of increased risk exposure due to bad configurations and rules that are active but no longer used is significant. Added to this that the potential business impact is also significant because of the increased risk of downtime and poor performance.
Just imagine what the costs are to a bank for an incorrectly placed rule that brings their Internet banking to a halt or a service provider who interrupts a customer’s business because a business critical rule has been negated by a badly placed change!
Which is why you need to be looking at a Firewall Policy Management solution. Firewall Policy Management solutions make it possible to automatically analyze traffic, identify rules that are potentially problematic, such as those that are redundant, rules that are least used, and most used.
This information can be used to eliminate unused rules, and prioritise those used most often, hence speeding up firewall performance. Imagine – instant fitness!
Once you’ve trimmed the fat then you need to be able to maintain the condition and good FPM solutions provide simulation and risk analysis functions to ensure that you can easily identify potential security risks, and ensure compliance with organisational security standards, and prevent service outages before they are implemented.
This also means that it is easier for you to ensure compliance with various standards such as PCI-DSS, ITIL and also demonstrate to your auditors and security staff that everything is in good shape. Actually a fitness regime that gives instant result with relatively no pain! It’s almost like getting fit watching TV
Calum M. MacLeod, Tufin Technologies