November 6, 2009
Vol. 31 Issue 27
Page(s) 1 in print issue
Firewall Auditing Tools
Automated Tools Help Keep Up The Primary Defense Against Network Security Threats
The convoluted maze known as spaghetti code isn’t an affliction restricted to application programmers; network security admins have their own strain known as the firewall rulebase. Although firewalls have been a standard feature of enterprise network security for years, ever-changing and morphing threats mean that one’s database of firewall filtering rules continues to get more complex, convoluted, and incomprehensible.
• Compliance requirements such as PCI DSS requiring regular review of firewall and router access policies are driving interest in firewall audit and automation software.
• The complexity of most rulebases, which often exceed 1,000 entries, makes auditing and managing firewall configurations and security policy extremely challenging without automation.
• Audit and automation tools are designed to work with specific firewall and router products, so a critical evaluation criterion is whether a product supports an SME’s installed fleet of security devices.
In a recent study in the ISSA Journal titled “An Analysis of Firewall Rulebase (Mis)Management Practices,” Notre Dame researchers Mike Chapple, John D’Arcy, and Aaron Striegel reported that most companies paid scant attention to firewall management practices. They concluded “that firewall rulebase complexity greatly exceeds that discovered in prior research and that administrators feel this complexity is a major contributing factor to rulebase configuration errors.” Furthermore, the Notre Dame team says the evidence suggests admins routinely make configuration errors that expose their network to risk and that “in general, firewall administrators are not following recognized best practices for firewall administration on a regular basis.”
Bolstering these conclusions, Forrester Research Analyst John Kindervag, in a recent report on firewall auditing tools, found that “Feedback provided by the card brands and PCI auditing firms indicates that upwards of 80% of the firewalls examined in a breach investigation are misconfigured.” He concludes that today’s complex and heterogeneous network environment makes manually auditing firewalls nearly impossible. Enter automated firewall auditing and management tools.
Firewall automation software provides three main benefits, according to Ruvi Kitov, CEO of Tufin (www.tufin.com), a leading vendor in the market. Firewall automation software improves the quality and consistency of firewall management, particularly in a multidevice, multivendor environment; it ensures that all configuration changes are in line with corporate security policy; and it automates many manual, repetitive administrative tasks. As a result, Kitov says, “Instead of preparing for a PCI audit in two weeks, you can do it in two hours.” Kindervag sees audit requirements, notably PCI’s, for up-to-date rules as being the biggest driver behind audit and automation software adoption. “These tools have come to the forefront because of compliance,” he adds.
Echoing the Notre Dame researchers, Kitov says, “it’s almost impossible to look at a firewall ACL that’s a thousand lines long and understand what it’s doing.” Using an automation tool both reduces the time needed to analyze and implement rule changes and improves the strength of the resulting firewall policy, allowing administrators to make better security decisions. Improvements in operational and administrative efficiency can be upwards of 95%, according to Kitov, which translates to lower costs and faster incident response.
Despite the advantages, Notre Dame’s researchers found 89% of respondents don’t use audit tools to detect orphaned firewall rules, and a meager 2% use fully automated processes. Not surprisingly, those 2% are also the more experienced personnel and most vigilant about firewall management. “Those administrators who do use an automated process to detect orphaned firewall rules are more than twice as likely (91% vs. 45%) to perform annual ruleset reviews than their counterparts,” they write, adding they “are twice as likely to hold a professional security certification.”
Key Product Features & Evaluation Criteria
According to Kindervag, automation tools start by importing firewall configuration information and then comparing it with a set of best practices. They also typically correlate the configuration with log data to determine if there are unused or orphaned rules that can be safely eliminated, rules in the wrong order (recall that a firewall evaluates its rules in sequence, acts on the first rule a packet matches, and falls through to “deny everything” when nothing matches, so a rule placed after a broader one may never be reached), or rules that create unnecessary security exposure. “Think of it as an AI agent for firewalls,” he adds. These capabilities—the ability to find unused rules, optimize the rulebase, and produce audit reports—are the three essential product features, according to Kindervag. Kitov would add a couple more, including the automation of administrative tasks and enforcement of administrative governance processes.
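As an added illustration of the three checks Kindervag describes, and not code from this article or from any vendor’s product, the following Python script runs over a constructed five-rule policy and three constructed log lines. It flags rules that an earlier rule already covers under first-match evaluation (wrong order), rules with no log hits in the window (unused or orphaned), and allow rules that pass everything (unnecessary exposure). The rule syntax, the log line format, and the `rule=` field in the logs are assumptions made for the example; real products read each vendor’s native configuration and log formats.

```python
"""Toy firewall rulebase analyzer (constructed example, not a product's code).

Checks a list of rules for: shadowed rules (never reached under first-match
evaluation), unused rules (zero hits in a log sample), and allow-anything rules.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp", "icmp" or "any"
    port: Optional[int]           # None means any destination port


def parse_rule(text: str) -> Rule:
    """Parse one rule written as '<id> <action> <src> <dst> <proto> <port>'.

    The word 'any' stands for 0.0.0.0/0 in the network fields and for no
    port restriction in the port field. This syntax is an assumption.
    """
    rid, action, src, dst, proto, port = text.split()

    def to_net(s: str) -> ipaddress.IPv4Network:
        return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)

    return Rule(int(rid), action.lower(), to_net(src), to_net(dst),
                proto.lower(), None if port == "any" else int(port))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.port in (None, inner.port))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later_id, earlier_id) pairs where the later rule can never be reached.

    With first-match evaluation a later rule fully covered by an earlier one
    is dead; if the two actions differ it is also a policy error, because the
    intended deny (or allow) is silently overridden.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.rid, earlier.rid))
                break
    return found


LOG_RULE_FIELD = re.compile(r"\brule=(\d+)\b")   # assumed log field


def unused_rules(rules: List[Rule], log_lines: List[str]) -> List[int]:
    """Rule ids that produced no log hits in the sample (removal candidates)."""
    hits = {r.rid: 0 for r in rules}
    for line in log_lines:
        m = LOG_RULE_FIELD.search(line)
        if m and int(m.group(1)) in hits:
            hits[int(m.group(1))] += 1
    return [r.rid for r in rules if hits[r.rid] == 0]


def permissive_rules(rules: List[Rule]) -> List[int]:
    """Allow rules with any source, any destination and any service."""
    return [r.rid for r in rules
            if r.action == "allow" and r.src == ANY_NET and r.dst == ANY_NET
            and r.proto == "any" and r.port is None]


# Constructed rulebase: rule 20 is shadowed by rule 10 with the opposite
# action, rule 40 allows everything, and rule 50 is dead behind rule 40.
RULEBASE = [parse_rule(t) for t in """
10 allow 10.0.0.0/8   192.168.1.10/32 tcp 443
20 deny  10.1.0.0/16  192.168.1.10/32 tcp 443
30 allow 10.2.0.0/16  192.168.2.0/24  tcp 22
40 allow any any any any
50 deny  any any any any
""".splitlines() if t.strip()]

# Constructed log sample in an assumed key=value format.
LOG_LINES = [
    "2009-11-06T08:00:01 fw1 rule=10 action=allow src=10.3.4.5 dst=192.168.1.10 proto=tcp dport=443",
    "2009-11-06T08:00:02 fw1 rule=10 action=allow src=10.3.4.6 dst=192.168.1.10 proto=tcp dport=443",
    "2009-11-06T08:00:03 fw1 rule=40 action=allow src=172.16.0.9 dst=203.0.113.5 proto=udp dport=53",
]

if __name__ == "__main__":
    print("shadowed (later, earlier):", shadowed_rules(RULEBASE))
    print("unused in log window:      ", unused_rules(RULEBASE, LOG_LINES))
    print("allow-anything rules:      ", permissive_rules(RULEBASE))
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules is not reported. Unused-rule output should be read against the log window’s length, since a rule that only serves a quarterly batch job will look orphaned in a one-week sample.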
Given the relative immaturity of the product category, there is wide variation of added features across vendors, but Kindervag sees some sophisticated capabilities becoming more common. These include the ability to produce detailed compliance reports (such as for Sarbox and PCI), integrate with help desk ticketing systems, enforce a change management process, conduct real-time rule monitoring or simulation of proposed new policies, and support routers, switches, and other network security devices. Because audit tools work in conjunction with existing firewalls and routers, perhaps the most important evaluation criterion is whether a given product supports a network’s installed base of security devices. Though pricing can vary widely, the software is typically licensed according to the number of devices under management.
Kitov says firewall audit and automation tools typically run on a dedicated server (usually a virtual machine) or appliance and use several protocols to interface with supported devices and pull configuration information, typically through a firewall’s proprietary API or through standard network protocols such as SNMP or SSH sessions. Most products support all the popular firewall and router vendors, so Kindervag says integrating these tools “is a fairly straightforward thing.”
Firewall auditing and management software is still a small market, which Kindervag estimates at about $30 million to $35 million this year; however, Kitov sees the products gaining mass appeal. Although primarily appealing to larger enterprises with complex, heterogeneous networks and devices, Kitov also sees growth with smaller companies with low risk tolerance.
Companies facing strict network security compliance requirements will want to investigate these tools for their audit capabilities if nothing else. Risk-averse firms and those with large networks, complex firewall policies, or an array of different security appliances will undoubtedly find the ability to centrally manage, optimize, and automate network security policies compelling.
by Kurt Marko
View the chart that accompanies this article.