Firewall reconfiguring and sending your son down the aisle!

Tufin Technologies: 15 September 2009 (Technical Article)
Calum Macleod of Tufin Technologies draws the interesting analogy of firewall reconfiguration and organising your son's wedding
So the day is finally arriving. Our "baby" is getting married, the culmination of two years in which we've seen him go through a different girl every week - or rather they went through him! - some of whom met with his mother's approval and most of whom did not, until finally he came home with the one who most definitely did not. Only to discover that after two years he's marrying a blond version of his mother, so she now has total approval!

And the last few weeks have been the usual nightmare of organization. Family arriving from all ends of the earth, all looking for low cost (read "can we sleep on your floor - there's only 25 of us") accommodation. Trying to organize services, receptions, invitations etc., and through it all the groom is blissfully ignorant. In fact he just announced three days before the wedding that there's a football game the night before the wedding which he's planning to go to. Knowing his mother and his future wife, I think I've convinced him that this may not be the smartest move, for his own health!

But like most "users", he is blissfully ignorant of what the simple statement "I'm getting married" means. A bit like the user who tells the IT department, "I just need access to a certain application."

The simple request from a user can frequently create a nightmare for most security departments, especially when it means changing firewall configurations!

I mean, where do you start? Before you even consider what needs changing, you need to go through a process to confirm that the user is authorized to access the system; that somebody has approved the request; that the request complies with organizational policy; and that the requested service is not already available. Almost daily I receive requests asking for connections to systems that are already available.

And it goes on. What impact will the change have on other services? How long should the service be available? Where should access be allowed from? And once we've gone through all these considerations, somebody has to sit down and actually figure out the fine print. Like the wedding: some bright spark decided an order of service was necessary, and who better to do this than the "computer expert"? So with poems and songs and liturgy coming from all sources, and in all formats, it's been yours truly's job to figure it out. And did I get it right the first time? Oh no - it takes days to get it just right!

And this is frequently the nightmare for many firewall administrators. Converting a request into an actual change is not only time-consuming; very often it has to be redone because the change did not come out right the first time. Recently an acquaintance who is a firewall admin was having a crisis after he changed something on the firewalls at the weekend which caused a system to crash. He couldn't make our lunch appointment because, apparently, he wasn't in his boss's good books, so he was focusing on solving the problem - i.e. keeping his job! You might think that he could just reverse the process and that would be it, but it's never that simple. Tracking changes is one of the biggest challenges for firewall admins!

The lack of automation and operational efficiency tools results in administrators spending most of their time on repetitive, manual tasks in an attempt to enforce corporate policies over many distributed infrastructure components. Security managers need to provide their staff with the tools they need to automate the repetitive components of the security lifecycle, in order to reduce the time spent on routine tasks and to invest resources more effectively. With automation, many manual analysis and auditing operations can be reduced from days to a matter of hours.

Recently Swisscom IT Service implemented an automated policy management solution, with the result, according to Swisscom, that they now have "an unprecedented amount of visibility and control over firewall operations." The automation provided them with an overall snapshot of the state of their firewalls that enables them to operate in a much more agile, proactive, and strategic manner. According to Swisscom, "We accomplish more in less time, with full confidence that we are operating in a secure, compliant fashion."

Companies need to understand the business impact of network security and to demand a high level of transparency and accountability. At the same time, they are facing the need to comply with a variety of government, industry and regulatory security standards. As a result, companies are developing ever more detailed and complicated security policies. Implementing them on the ground, over thousands of infrastructure components, is a time-consuming and error-prone process, especially when they continue to rely on outdated manual processes and do not use the automation tools that exist.

To ensure that corporate security policies are implemented accurately and consistently, companies need to employ process automation to manage changes to security infrastructure. More than any manual process, change automation can ensure separation of duties and accountability.

Every change to security infrastructure involves risk. As enterprise networks grow and become more complex, organizations struggle to ensure that routine security administration does not accidentally result in downtime or even business-level disruptions.

Organizations need automated risk analysis procedures that can proactively examine every change request in the context of both organizational security policy and current implementation realities. There's no point having policies that are not being enforced on the ground. My car has a handbook that advises me to get it serviced every so often, but if I don't, the consequences are clear!
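The pre-change checks the article walks through (independent approval, whether the access already exists, how long it should be open and where from, and compliance with policy) as an added example of what an automated review of a single request might look like. This is illustrative code written for this page, not Tufin's product or Swisscom's deployment; the first-match rule base, the policy entry and the sample networks are constructed assumptions.

```python
import ipaddress
from collections import namedtuple
from datetime import date

# A flow is source net, destination net, protocol, port; a request adds who asked, who approved, when access ends.
Flow = namedtuple("Flow", "src dst proto port")
Request = namedtuple("Request", "flow requester approver expires")
TODAY = date(2009, 9, 15)  # review date used for the samples (the article's date)

def _within(inner, outer):
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))
def _overlaps(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def already_allowed(flow, rulebase):
    """First-match rule base (assumed): the first rule covering the whole flow decides it."""
    for action, r in rulebase:
        if (r.proto == flow.proto and r.port == flow.port
                and _within(flow.src, r.src) and _within(flow.dst, r.dst)):
            return action == "allow"
    return False

def violates_policy(flow, policy):
    """Policy entries name traffic that must never be allowed; any overlap is a hit."""
    for name, p in policy:
        if (p.proto == flow.proto and p.port == flow.port
                and _overlaps(flow.src, p.src) and _overlaps(flow.dst, p.dst)):
            return name
    return None

def review(req, rulebase, policy, today):
    """Run the pre-change checks; an empty list means the request can go to implementation."""
    findings = []
    if not req.approver or req.approver == req.requester:
        findings.append("no independent approval")
    if req.expires is None or req.expires <= today:
        findings.append("no valid expiry date")
    if ipaddress.ip_network(req.flow.src).prefixlen == 0:
        findings.append("source is any: restrict where access is allowed from")
    if already_allowed(req.flow, rulebase):
        findings.append("already permitted by an existing rule: no change needed")
    if hit := violates_policy(req.flow, policy):
        findings.append(f"violates policy: {hit}")
    return findings

# Constructed sample rule base and policy (not real data).
RULEBASE = [("deny", Flow("0.0.0.0/0", "10.0.0.0/8", "tcp", 23)),
            ("allow", Flow("10.1.0.0/16", "10.2.0.10/32", "tcp", 443))]
POLICY = [("no cleartext telnet into the internal range",
           Flow("0.0.0.0/0", "10.0.0.0/8", "tcp", 23))]
```

A request that passes every check returns an empty list; anything else is a finding to resolve before anyone touches the firewall.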

According to Greg Young of Gartner, "Compliance and complexity are driving the requirement for better capability in optimizing the existing firewall rule base, and examining the impact of any proposed rule changes." And experts will tell you that poorly configured firewalls remain a significant risk for many organizations. It's not the technology that's at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organizations fail to do this.

So in a few days from now our baby will dress up and do his bit. Everything will be automated down to the last toast. Now where's the speech I used last time!