Firewall management tools ease configuration woes

As properly configured access control systems, firewalls are an invaluable layer in a comprehensive security design. The catch, of course, is the phrase "properly configured." Most firewall configurations begin simple and secure, but grow more complex and ineffectual over time. In this article, I discuss reasons for these problems, and how to choose a firewall management solution to keep clients' firewalls effective and manageable.

There are three primary culprits that contribute to firewall configuration complexity:

The 'fix-it-now' mentality

As help desk calls concerning unknown applications and protocols begin piling up, it is easier for overtaxed firewall administrators to resolve problems with "shot-gun" approaches such as adding rules allowing "Any" sources or protocols.

Multi-vendor systems

Managing firewalls from different vendors can seriously amplify an administrator's workload. Often concepts do not translate from vendor to vendor, and those concepts that do are implemented in ways so differing, you begin to wonder if it was done on purpose.

Tactical vs. strategic effects

Short-term fixes lead to lengthy rule base configurations and duplicate or orphaned rules, and over permissive policies. Without effective management tools firewalls lose their strategic place within the security infrastructure.

How can you help your clients tackle these problems? Typically, firewall management approaches fall into one of three categories:

Homegrown / open source

The do-it-yourself approach to firewall management can be both inexpensive and effective if you have the expertise and are not afraid of a little work. However, lack of a comprehensive open source project to manage both configuration and reporting, and limited vendor integrations are significant drawbacks.

Firewall vendor

Most of the larger firewall vendors (Check Point, Cisco, Juniper, etc.) have centralized firewall management systems offering configuration, logging and historical reporting. The strengths and features of the systems vary widely with each vendor, but the common weakness is that each system only supports that vendor's firewall.

Third party

A few companies have introduced products aimed at cross platform firewall management and monitoring. For example, the SecureTrack product from Tufin Technologies allows auditing rule base changes on multiple firewalls. Third-party products can offer more management features and broader support than management tools from firewall vendors.

The best choice for your client will be dictated by the number and type of firewalls deployed, as well as the feature set you need in order to effectively manage the firewalls. Here are some things to consider when choosing an effective solution – be it open source or a third-party product:

Multi-vendor support

Obviously, the solution needs to support your client's current firewall vendors, but you should look for or build a solution that supports many firewall vendors in the same range as the client's current deployment. You never know when your client's environment will change. A management tool that supports changing infrastructures is invaluable.

Best practices analysis

Firewall vendors implement technology in different ways, but best practices, such as denying all traffic not explicitly allowed and logging suspicious activity, are universally accepted, and should be implemented and monitored across all firewalls in any firewall management solution.

Flexible reporting

Pre-built or "canned" reporting quickly produces reports with general information, but also look for the ability to define reports on all information collected. This level of granularity is imperative for reporting on unusual patterns or specific incident scenarios.

Firewalls require careful configuration and monitoring to remain effective. The tools and approaches mentioned here can greatly enhance the management and security of your client's first line of network defense.