Review: FireMon clears the clutter for network security policy management

A pioneer in the field of network security policy management, FireMon provides full visibility into networks and devices, and overlays that knowledge with the rules, platforms, hardware and programs designed to protect it.

[Image: FireMon network security policy management (FireMon / D3Damon / Getty Images)]

It’s something of a paradox: as an organization’s network grows, it has to add more and more security appliances and programs to keep it safe, yet the added complexity brings diminishing returns on those investments. New security platforms implement new rules, which often conflict with or duplicate existing protections. The network itself is also constantly changing, especially these days with cloud deployments, which further muddies the waters. At some point it becomes almost impossible to manage everything, fix vulnerabilities and maintain good security without a lot of help.

For the past 15 years, FireMon has been pioneering the field of network security policy management, providing a dedicated way for organizations to get full visibility into their networks and devices, and overlaying that knowledge with the rules, platforms, hardware and programs designed to protect it. Of course this unified look at network protection configuration settings has changed over the years, especially recently as hybrid infrastructures have become increasingly popular, but the core FireMon platform is still the same, just expanded to meet every new network advancement. More so than any other platform we have recently reviewed, it’s clear that FireMon has a mature offering and any of the early bugs or quirks have long since been worked out.

Because FireMon brings together all the complicated and sometimes conflicting policies from other security platforms, it works with almost any existing cybersecurity product. That includes everything from firewalls to vulnerability scanners, and everything in between. It also works within hybrid infrastructures, including all cloud deployments or networks that have embraced micro-segmentation.

Testing FireMon

To collect all of the information that it needs, the FireMon platform is installed in three parts. The heart of the system is the application server, which provides the frontend interface. It is normally deployed as an appliance and can be up and running in most organizations in a matter of minutes. In enterprise installations where more than one application server is required, all the secondary servers can be virtualized and still report to the main console. There is also a database that collects all of the historic change data from devices on the network, though this component is more or less invisible to users. The amount of data that can be stored only depends on the amount of space assigned to it. FireMon officials say they have some customers with over ten years of data analytics, which is a powerful tool for looking at local cybersecurity trends.

The final pieces of the platform are the data collectors, which are normally virtualized but can also be physical. Each collector is tasked with gathering the log data from multiple devices, like firewalls, and looking for any changes that are made in the rulesets or configurations. Large enterprises can have multiple collectors but are not financially penalized for that. Pricing for the FireMon platform is based on the number of devices being protected. There are also fees to activate extra modules that add functionality to the main program.

While one of the biggest strengths of the FireMon platform is its ability to track changes to security architecture over time and explain what those changes mean for the overall security posture, the program is also useful on day one. Once installed, it immediately provides a security device inventory count and shows every conflicting rule or bad configuration that may allow an attacker to penetrate a network. IT teams can immediately begin decluttering their complex security rulesets and fixing misconfigurations. FireMon does a good job of explaining how to fix most of the problems that it discovers.

[Screenshot: FireMon dashboard (John Breeden II)]

The main FireMon dashboard clearly shows how the rules of different security appliances, programs and platforms conflict with one another, and how to begin ironing out all that network security complexity.
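To make the "conflicting or duplicate rules" problem concrete, here is an added example (not FireMon's code, and not its algorithm) of the simplest form of the check a policy manager performs: on a first-match firewall, a later rule whose match space is entirely covered by an earlier rule can never fire. If the two actions agree, the later rule is redundant clutter; if they disagree, the later rule is shadowed and the policy it was meant to enforce is silently ignored. The rule names, addresses and ports below are constructed sample data.

```python
"""Detect shadowed and redundant rules in an ordered, first-match ruleset.

Added example, not FireMon's code. Rules are evaluated top to bottom; a
later rule fully covered by an earlier one is dead. Same action -> redundant,
different action -> shadowed (a real policy conflict).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR
    dst: str            # CIDR
    proto: str          # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range
    action: str         # "allow" or "deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (dead_rule, kind, covering_rule) for every rule that can never match."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that actually wins
    return findings


def sample_ruleset() -> List[Rule]:
    """Constructed sample ruleset (hypothetical names and addresses)."""
    return [
        Rule("allow-web", "0.0.0.0/0", "10.10.0.0/16", "tcp", (443, 443), "allow"),
        Rule("deny-db-from-guest", "192.168.50.0/24", "10.10.5.10/32", "tcp", (5432, 5432), "deny"),
        # Same action as allow-web and a narrower source: pure clutter.
        Rule("allow-guest-web", "192.168.50.0/24", "10.10.0.0/16", "tcp", (443, 443), "allow"),
        # Opposite action but fully covered by allow-web: the block never applies.
        Rule("deny-web-from-blocklist", "203.0.113.0/24", "10.10.0.0/16", "tcp", (443, 443), "deny"),
        # Broader source than deny-db-from-guest, so not dead, just permissive.
        Rule("allow-any-db", "0.0.0.0/0", "10.10.5.10/32", "tcp", (5432, 5432), "allow"),
    ]


if __name__ == "__main__":
    for dead, kind, winner in analyze(sample_ruleset()):
        print(f"{dead}: {kind} (covered by {winner})")
```

Real products also report partial overlaps (a rule that is only sometimes pre-empted) and correlate the result across many devices; the full-coverage test above is the building block they start from.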

Once a baseline is established and the major initial problems have been rectified, FireMon continues to monitor everything and provides a list of devices that have had their configurations changed over time. It also shows how these changes have affected network security, either for better or worse, and what, if any, conflicts or vulnerabilities those changes have inadvertently created.

Because the FireMon platform includes a database, those changes can be tracked all the way back to the point when FireMon is first installed, even if that goes back months or years. The change logs are extremely detailed, showing what the rule was before and how it worked and then comparing that to how it operates now. It also shows any conflicts with other rules, even rules from different systems. This would make security auditing very easy, especially since the user or program that instituted the change is also revealed. Any rogue admin or malicious program could quickly be unmasked based on the changes they are making, though it would also expose any unintentional consequences that happen because of a well-intentioned change.
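The change log described above, with before and after state and the account that made each change, is essentially a diff over successive snapshots of the rule base. As an added example (not FireMon's code or data model), the block below reconstructs such a log from constructed snapshots of the kind a collector might capture on each poll, groups changes by user, and flags the ones that widen access, which is the signal an auditor would use to spot a rogue admin or an unintended side effect of a well-meant change.

```python
"""Build a per-user change log from successive rule-base snapshots.

Added example, not FireMon's code. Each snapshot records when it was taken,
the account the device attributes the commit to, and the rule base as a
mapping from rule name to its definition (hypothetical format).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    when: str
    user: str
    rule: str
    kind: str                   # "added", "removed" or "modified"
    before: Optional[dict]
    after: Optional[dict]
    widened: bool               # True if the change opens access that was closed before


def _widens(before: Optional[dict], after: Optional[dict]) -> bool:
    """Heuristic: a change widens access if it introduces an allow, flips a
    deny to an allow, or opens an existing allow to any source."""
    if after is None or after["action"] != "allow":
        return False
    if before is None or before["action"] == "deny":
        return True
    return after["src"] == "0.0.0.0/0" and before["src"] != "0.0.0.0/0"


def change_log(snapshots: List[dict]) -> List[Change]:
    """Diff consecutive snapshots; each change is attributed to the user of the later one."""
    changes = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        for name in sorted(prev["rules"].keys() | cur["rules"].keys()):
            before = prev["rules"].get(name)
            after = cur["rules"].get(name)
            if before == after:
                continue
            kind = "added" if before is None else "removed" if after is None else "modified"
            changes.append(Change(cur["when"], cur["user"], name, kind,
                                  before, after, _widens(before, after)))
    return changes


def changes_by_user(changes: List[Change]) -> Dict[str, List[str]]:
    """Group changed rule names by the account responsible."""
    by_user: Dict[str, List[str]] = {}
    for c in changes:
        by_user.setdefault(c.user, []).append(c.rule)
    return by_user


def sample_history() -> List[dict]:
    """Constructed snapshots (hypothetical users, times and rules)."""
    allow_web = {"src": "0.0.0.0/0", "dst": "10.10.0.0/16", "action": "allow"}
    deny_db = {"src": "192.168.50.0/24", "dst": "10.10.5.10/32", "action": "deny"}
    return [
        {"when": "2023-01-01T00:00:00Z", "user": "initial-import",
         "rules": {"allow-web": allow_web, "deny-db-from-guest": deny_db}},
        # jdoe flips a deny to an allow and adds a VPN rule.
        {"when": "2023-03-14T09:12:00Z", "user": "jdoe",
         "rules": {"allow-web": allow_web,
                   "deny-db-from-guest": {**deny_db, "action": "allow"},
                   "allow-vpn": {"src": "10.20.0.0/16", "dst": "10.10.0.0/16", "action": "allow"}}},
        # An automation account narrows the VPN rule, drops allow-web and opens the DB to everyone.
        {"when": "2023-03-15T02:30:00Z", "user": "svc-automation",
         "rules": {"deny-db-from-guest": {**deny_db, "action": "allow"},
                   "allow-vpn": {"src": "10.20.5.0/24", "dst": "10.10.0.0/16", "action": "allow"},
                   "allow-any-to-db": {"src": "0.0.0.0/0", "dst": "10.10.5.10/32", "action": "allow"}}},
    ]


if __name__ == "__main__":
    for c in change_log(sample_history()):
        flag = " [WIDENS ACCESS]" if c.widened else ""
        print(f"{c.when} {c.user}: {c.kind} {c.rule}{flag}\n  before={c.before}\n  after={c.after}")
```

Keeping every snapshot rather than only the latest state is what makes the "months or years" of history possible; the diff is cheap to recompute, so storage, not analysis, is the limiting factor.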

[Screenshot: FireMon changes-by-user report (John Breeden II)]

Not only does the FireMon program track changes in network security, but also which users are responsible for those changes. This can reveal analysts lacking sufficient skill, or even malicious insiders.

Changes are displayed in a graphical interface, and clicking on any element drills down into increasing levels of detail about a reported problem. It’s very easy to use, but FireMon also lets users write their own queries and run them through its API. The API is documented and exercised with the open source Swagger tooling, which is bundled with FireMon. By providing both a simple graphical interface and a more detailed but complex way of crafting queries through the API, the interface can appeal to everyone in an IT department, from junior analysts to tier-three experts.

[Screenshot: FireMon Swagger API interface (John Breeden II)]

In addition to a nice graphical interface, FireMon enables users to create their own queries and launch them using APIs. It can thus serve both junior and highly advanced users from the same interface.

Specific users can be assigned to fix different problems too, so that no dangerous configurations stay in place because nobody thought it was their job to fix them. This could help large IT departments avoid letting something important fall through the cracks.

FireMon can also take compliance into account for industries that are tightly regulated, or for organizations that simply want to follow cybersecurity best practices. First, users must define which of those rulesets apply to their business. More than 400 come with the system, including some of the biggest ones like PCI, HIPAA and NIST Best Practices. Alternatively, users can create their own compliance ruleset for their specific business or unique needs. Even the included compliance rules are heavily editable, so if an organization wants to prioritize one part of a compliance framework or modify parts of it, that is easy to do.

Some of the additional modules include a Risk Analyzer and the innovative Global Policy Controller. Both are fully functional with the base program and just need to have their licenses activated for an extra fee to begin working. The Risk Analyzer can import data from risk scanners, analyze that data, and then overlay it against the existing ruleset for cybersecurity protections in the network. This basically shows the level of risk that each rule or configuration creates or allows. Organizations can use this to find rules that may not provide a direct conflict or problem, but which might be risky to have nonetheless.

[Screenshot: FireMon attack simulation (John Breeden II)]

The optional Global Policy Controller module in the FireMon platform works like an attack simulator, showing how rule conflicts or shortcomings put a network in danger, and by how much.

The Global Policy Controller is basically an attack simulator. It looks at the existing rules and protections and shows graphically how an attacker could exploit them, and how far they could get into a network using the holes provided by the risky or misconfigured rules.

Running a network of any sufficient size is difficult these days. Keeping it completely safe is even harder, especially as the complexity of the protection devices almost begins to outweigh the systems they are trying to defend. FireMon has a long history of helping to maximize that protection so that it can function flawlessly without conflicts. That experience shows in the usefulness and maturity of the FireMon Platform’s interface. Any network that begins to grow into what could be considered a large enterprise should probably have something like FireMon in place. It works with almost every kind of protection, maximizing the value that those other defenses provide.
