A lack of industry standards and few migration tools mean that moving from one brand of gateway firewall to another can be a daunting task that can take six months or more.

While shifting from one brand of any sort of network equipment to another can be trying, security experts say exchanging gateway firewalls is particularly challenging. The big problem is that vendors define access-control rules so differently that migrations need to be conducted largely by hand.

So, many IT managers opt to stay with one brand of firewall simply because upgrading or a rip-and-replace is too complicated.

Kevin Burnett, Gayndah Shire Council systems administrator, said the council would rather change to a completely new firewall vendor than risk the pitfalls of importing rule sets and access controls.

Grahame Rule, University of Queensland senior technical officer, said the reasons for changing vendors generally far outweigh the complications of converting rule sets and importing access controls. Exporting such rule sets is not a core issue in the decision to change firewall vendors, he said.

Neal Wise, director of Assurance (Assurance.com.au), said making such a change is akin to switching from one ISP to another, and that if organizations do decide to change firewall vendors, very few have the skills in-house to get them across.

“Usually firewall features change from version to version, and an upgrade is very rarely a painless thing, but most commercial vendors now give some indication of the break points or change the way they do clustering. It is a big project with a lot of planning and work involved, but it is an opportunity to get a handle on firewall management,” he said.

Bruce Munroe, security partner manager for Cisco Systems, said access control lists and firewall rule sets cannot be migrated easily.
In fact, Munroe said the task involves “a fair bit of brain power” and is definitely an issue for IT managers.

“Rule sets are high investments, and it is enough of a challenge keeping up with vendors moving to new versions of product. Moving away from one vendor’s set of products [to another’s] is not something we see very often,” Munroe said.

“The reality is that rule sets cannot be swapped, and you would need a very experienced consultant to massage them. That aside, some major firewall manufacturers have conversion tools that do 80 to 90 percent of the necessary conversion between brand A and brand B, but you still need a clever person with their brain turned on to do the rest.”

Steve Macdonald, Check Point Software Technologies security solutions architect, said there are no real standards around importing access control lists or rule sets, and the task can take up to 50 percent of the workload.

“What I find as a security professional is people don’t change firewalls regularly, because once they achieve success [with a brand], it is very rarely they walk away from it because of that management,” Macdonald said.

“In some cases the ability to import configurations is partially automated, but you still need to do serious analysis. Not only is there a requirement to transpose rule sets, but if human error is introduced, it becomes dangerous to manage, and difficult.

“Imagine the process of reviewing 500 rules and making sure they match. Automation is highly desirable.”

For related content, read The Perimeter Problem.
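The automated "make sure they match" check Macdonald asks for, as an added example that is not from the article or any vendor: two constructed rule syntaxes (neither is a real product's format) are normalised into one canonical rule shape and then diffed, reporting rules that were dropped or added in the migration and, the subtler failure, a rule that now sits below the catch-all deny and so never matches on a first-match firewall.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "ip" (any protocol)
    src: str     # canonical CIDR
    dst: str     # canonical CIDR
    dport: str   # destination port number, or "any"

def norm_net(s: str) -> str:
    # "any", 0.0.0.0/0 and bare host addresses all map onto one canonical CIDR spelling.
    if s.lower() == "any" or s == "0.0.0.0/0":
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(s, strict=False))

def parse_a(line: str) -> Rule:
    # Constructed format A: <permit|deny> <proto> <src> <dst> [eq <port>]
    t = line.split()
    dport = t[5] if len(t) > 5 and t[4] == "eq" else "any"
    return Rule("allow" if t[0] == "permit" else "deny", t[1],
                norm_net(t[2]), norm_net(t[3]), dport)

def parse_b(line: str) -> Rule:
    # Constructed format B: <allow|drop> src=<net> dst=<net> service=<proto>/<port>|any
    t = line.split()
    kv = dict(p.split("=", 1) for p in t[1:])
    proto, _, port = kv["service"].partition("/")
    return Rule("allow" if t[0] == "allow" else "deny", "ip" if proto == "any" else proto,
                norm_net(kv["src"]), norm_net(kv["dst"]), port or "any")

def diff_rulesets(old: list, new: list) -> dict:
    # Missing/extra rules are the obvious errors; order matters too, because a first-match
    # firewall silently ignores any rule that has moved below a broader one.
    common_old = [r for r in old if r in new]
    common_new = [r for r in new if r in old]
    return {"missing": [r for r in old if r not in new],
            "extra": [r for r in new if r not in old],
            "reordered": common_old != common_new}

# Constructed sample: one policy as exported from "brand A" and re-entered on "brand B".
OLD_A = ["permit tcp 10.0.0.0/24 any eq 443",
         "permit udp 10.0.0.5 192.168.1.0/24 eq 53",
         "permit tcp 10.0.0.0/24 10.0.1.10 eq 22",
         "deny ip any any"]
NEW_B = ["allow src=10.0.0.0/24 dst=any service=tcp/443",
         "allow src=any dst=any service=tcp/22",
         "drop src=any dst=any service=any",
         "allow src=10.0.0.5/32 dst=192.168.1.0/24 service=udp/53"]
def migration_report() -> dict:
    return diff_rulesets([parse_a(l) for l in OLD_A], [parse_b(l) for l in NEW_B])
```

On the sample, the report shows the SSH rule was widened to any-to-any, the original host-scoped SSH rule is gone, and the DNS rule has been shadowed by the catch-all deny.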
— Michael Crawford and Darren Pauli, Computerworld Today (Australia)