Firewall Ruleset Management Still an Issue?
What is a firewall? Some would say it’s an access control device designed to keep unwarranted and unauthorized traffic from connecting with private networks. Others, including myself, say they are an antiquated piece of infrastructure that does little more than squelch the background noise of the Internet. If you subscribe to that notion, the next question becomes whether we need new tools to audit and manage firewall rulesets. Three security vendors - Secure Passage, Tufin Technologies, and Algosec - believe so.

Rulesets, the instructions given to firewalls for inspecting and acting on traffic protocols, were once a daunting challenge. Rulesets spread across disparate devices and locations made management a logistical nightmare. Security admins would often find themselves on the receiving end of an angry executive who lost access to an application or resource after a new ruleset blocked access or conflicted with an existing rule. Rulesets were once so complicated that they consumed an inordinate amount of human and technology resources.

The folks at Secure Passage (a spinoff of security integrator FishNet Security), Tufin and Algosec each offer ruleset auditing applications that let users comb through hundreds - in some cases thousands - of firewall rules to discover conflicting, obsolete and redundant policies. Each vendor says its tool will not only make firewall rules more efficient, but lower hardware purchasing costs by reducing the number of required devices.

But on the list of top security administrative challenges, ruleset management rarely rises to the top. Security solution and managed service providers say they really don’t see the need for such auditing and testing tools, particularly in the SMB market. Many solution providers see firewalls as pieces of Swiss cheese, especially with the number of IPsec VPN tunnels for partners and customers boring through corporate firewalls.

A couple of solution providers went as far as to say that organizations that have trouble managing rulesets without such tools lack basic security competence. Businesses large and small have experienced the phenomenon of the dissolving perimeter. In an era of cloud computing, interconnected business-to-business partnerships, mobile work forces and online customer relationships, some people are counting the days until the firewall is rendered completely obsolete. The question the tools from Secure Passage, Tufin and Algosec raise is whether we still haven’t mastered the tried-and-true firewall, or whether they are the last vestige of a declining security tool.

Comments (1)
Hi Larry,
As CTO and co-founder of the market leading firewall management vendor, I am literally betting my business on the fact that firewalls won’t become obsolete anytime soon. With more than 375 paying customers and a healthy pipeline, there are plenty of indicators to support that reality.
The Perimeter has been at the center of an on-going debate in the info-sec world for several years now. The Jericho Forum has perhaps been the most vocal that the perimeter is dying, yet as far as we have seen -- despite a focus on data and application focused strategies (which btw, we totally support) - companies are not ready to rip out their firewalls.
While it is true the traditional notions of the “moat and castle” perimeter are changing, networks still need to have boundaries — you don’t build walls around your house just because the furniture is bolted down to the floor, and even though people can get into your home through the window, you still lock the door. Right?
In reality what's happening is that, rather than disappearing, firewalls are becoming more important. Technologies such as IPS and end point security are being deployed to complement firewalls. Actually, firewalls are integrating with such systems to provide centralized security enforcement. Given the fact that firewalls are still here and that they are getting more complex we need better tools to manage them. In order to efficiently manage security across a large network, you want to automate as much as possible. It's like air traffic - way too complicated to manage manually.
In your post you mention “Businesses large and small have experienced the phenomenon of the dissolving perimeter. In an era of cloud computing, interconnected business-to-business partnerships, mobile work forces and online customer relationships, some people are counting the days until the firewall is rendered completely obsolete.”
All those clouds that people are moving to — how do you keep a private cloud private? Firewalls are more and more being used to segment internal networks and emerging “external” networks, which would include cloud networks. MSSPs are some of our largest customers — they’ll be the first to tell you they’re not getting rid of their firewalls anytime soon.
True, firewalls are no longer the sole or even most important security means, but they are still essential and are being used in ways that reflect that the perimeter might be becoming more porous and flexible, but it is still there, and firewalls can be used in a way to create that flexibility.
It's not a question of our intelligence. Even the smartest security engineer is bound to bring a network down when he needs to perform 30 changes per day in an environment of 100 firewalls with hundreds of rules each. Instead, a smart engineer will try to delegate work that can be performed better by an automatic system and focus on the stuff that really requires his abilities.
Tufin is giving security engineers the tools to:
--Automate repetitive tasks such as changing the policies
--Quickly analyze connectivity problems
--Define and enforce processes and policies to reduce errors and maintain an audit trail
--Perform cleanup and maintenance on a regular basis to keep your policies in good shape
--Ease the multi-vendor firewall management pains through a centralized console
Our solutions have proved to cut down firewall management time by up to 50%. Administrators' time is freed up allowing them to focus on security architecture and strategy rather than coping with the never-ending, mundane operations.
In fact, it's the ability of firewall management tools to deliver very clear cut, quantifiable time and cost savings that has made it such a hot market with the channel, which is where we derive 90% of our revenues from. I encourage you to speak with network security related VARs on the viability of the firewall management market, and if they are skeptical, send them our way — we just expanded our channel program and would be happy to talk to them about how we can both make money while delivering high levels of customer satisfaction.
Best,
Reuven Harrison, CTO, Tufin Technologies
Posted by Reuven Harrison | September 14, 2009 10:08 AM