How to manage your multivendor firewalls like a pro

Auditing firewalls to keep regulators happy and tracking rule changes - especially for businesses buying firewalls from multiple vendors - is a burden that a variety of third-party software can lighten dramatically.

Software from vendors AlgoSec, Secure Passage and Tufin, can report firewall statistics to prove compliance with industry and government standards, and it can consolidate rules so firewalls run more efficiently, customers say.

"That's very different from what individual firewall vendors do," says Greg Young, a research vice president at Gartner. "[Third parties] respond more to audit compliance and the real-world regulatory compliance that companies need."

Young says individual firewall vendors have tools to configure and logs to record rules changes, but don't have the capability to simulate inserting new rules in existing rule sets to see their impact. AlgoSec, Secure Passage and Tufin are the only vendors he knows of that offer this type of functionality, and they do so only for the major firewall vendors, Check Point, Cisco and Juniper.

Adam Forester, supervisor of network security for medical transaction processing firm Emdeon Business Services, says he turned to Tufin because Check Point tools couldn't do as good a job optimizing his 100-plus firewalls.

"I needed the real optimization, being able to go through the policy and say this rule is using services that another rule is also using and you can eliminate this rule. Check Point's products just do not do that," Forester says.

Tufin software runs through a firewall's rule set in less than five minutes, drastically cutting the time it would take to do the same optimization manually, he says. "We would spend a couple of months going through logs manually, printing out the entire rule base and just going through it by eye," he says. He says the software reduced the number of rules in one firewall from about 600 to 200, reducing the CPU power demanded to process traffic.

Trimming down the number of firewall rules means it is simpler to audit them, says Gartner's Young. That translates into lower prices for audits because they take less time, he says.

This type of software can help with regulatory audits, as well. For instance, when it came to meeting firewall security regulations, AXA Technology Services turned to AlgoSec's Firewall Analyzer. It can generate reports that help out demonstrating compliance with the Sarbanes-Oxley Act (SOX) and PCI industry standards, says Dan Raymonda, a technology specialist for the company. AXA Technology is the centralized IT provider for other AXA operating companies.

He says the AlgoSec gear generates reports that let him know whether his firewall rule-sets are within the range of compliance standards set for PCI.

AXA is more concerned about SOX compliance, and Raymonda uses the AlgoSec software to assess the risk of new firewall rules proposed by AXA operating companies.

Those risk-assessment reports are reviewed by the requesting operating company, which determines whether the risk is acceptable in light of SOX requirements, he says.

The software can gather data for risk assessment from multiple firewalls based on a single instruction. So if he needs to assess a new rule for external firewalls, he doesn't have to deal with each one individually. Instead the AlgoSec platform deals with them as one group and analyzes it, saving time and reducing errors.

"Everybody has made an error here or there in positioning a firewall rule," he says. "To have [Firewall Analyzer] do the calculations of literally millions and millions of potential access methods and evaluate it and come up with a risk assessment is just a godsend."

Raymonda says he has the AlgoSec software configured to poll firewalls regularly on its own to perform routine compliance checks.

Page Break

These third-party platforms can also help find all the rules that apply to individual devices, which comes in handy for Forester, who is moving Emdeon servers from Nashville to a new data center in Memphis. Tufin's SecureTrack software finds all the existing firewall rules pertaining to each server so the rules can be transferred to the Check Point firewalls located in Memphis, he says.

In general, Gartner says businesses should stick with a single firewall vendor, but it also realizes that is not always practical in large companies, Young says. Keeping firewalls optimized and compliant without these tools is a much greater task he says.

Alternatives that are used by businesses are generally manual, including making entries about changes in Excel spreadsheets that have to be analyzed by hand. He says these lists get out of date and then administrators have to look around for the information they need. "Some of it may be in the Check Point console and then Fred knows what's happening on the Cisco console," Young says. ""Nothing will ever replace a really knowledgeable firewall administrator, but it removes complexity."

For large companies, the software probably makes sense, he says. A business that might spend US$10 million to US$20 million on firewalls, for instance, would spend about US$50,000 on these tools, so it represents a proportionally small investment, Young says. The demand for these products is not enormous, and the total sales for this type of product is US$100 million or less, he says.

"It solves an irritation problem rather than being a show-stopper. It adds oil to the machinery," Young says.