Adding app awareness to the mix makes the task that much more complex and arduous, industry experts agree. "You want the ability to make granular access decisions on an app-by-app basis," says Oltsik. Furthermore, policies have to be regularly updated in order to keep up with major new social media services and apps, which show up on a daily basis. If your firewall sees these new entries as generic traffic, it cannot control them, Oltsik points out.
Companies are increasingly turning to third-party policy administration tools from vendors such as FireMon, RedSeal and Skybox Security. RedSeal's risk-assessment and policy-administration software scans for vulnerabilities and monitors the rules and configurations across Polk's collection of firewalls, network switches and routers, says Steiger. "It also helps us implement policies consistently across the network perimeter, according to best security and business practices."
[Learn more about firewall audit tools - features and functions]
"FireMon lets us track changes on various vendors' devices and monitor compliance from a unified system," says McCullough. This is especially key given that the security team at Accor's parent company has occasionally made changes to the division's perimeter security policies without notifying McCullough's staff first. On one occasion, this resulted in several hours of network downtime, he reports. "Now when a change happens, FireMon immediately alerts us and allows us to trace it back to the source."
FireMon also helped Accor tackle the huge task of rewriting its entire security rule base. "We found rules that were eight or 10 years old, whose owners weren't around anymore," McCullough says. Other rules were invoked only once every couple of months, but those times were important, he says.