Generally speaking, firewall audit tools evaluate individual firewalls, even if they can do so for hundreds of them. Some are slowly moving toward a more networkwide risk-assessment approach and the ability to evaluate not only each device, but how devices relate to one another—their mutual dependencies across the network.
Also see Firewall audit tools: features and functions and Firewall audit dos and don'ts on CSOonline.com
SkyBox Security and RedSeal Systems, on the other hand, offer precisely this type of enterprise-grade network risk-assessment product. They map networks and analyze configuration flaws, unpatched vulnerabilities and access routes—even those that were created unintentionally—between network assets. Security managers can run sophisticated models to identify security exposures and evaluate risk based on the assigned value of the asset and what kind of vulnerabilities it has.
"Some servers are more important than others," says Ryan Trost, director of security and data privacy officer for Reston, Va.-based Comprehensive Health Services, a RedSeal customer. "Some can easily be rebuilt, but for others even a second of offline or down time starts to affect normal business processes."
Trost said that risk assessment, especially at audit time, was daunting in an environment of just under 200 servers, requiring weeks of reviewing firewall access control lists, switch configurations and 600 pages of vulnerability scan reports. "The risk-management software pulls in everything, analyzes it and does prioritization for me," says Trost. "It's become the cornerstone of our security posture."
Skybox and RedSeal both got a foot in the firewall audit market when PCI DSS opened the door. SkyBox includes a firewall audit product in its suite. RedSeal positions itself as a risk-management company, but its software can also be used for firewall audit.
While the firewall audit vendors "are trying to push upstream a little," says John Kindervag, senior analyst at Forrester Research, the market for what he calls "network threat mitigation technologies" is unclear, as enterprises need to be educated and vendors have to sell potential customers on their value at a price that makes sense.
"The products themselves are quite phenomenal in many respects," he says. "In a perfect world, everyone would have a tool like this."