


by Neil Roiter

Firewall audit tools: features and functions

May 10, 2010 | 5 mins
Data and Information Security | Firewalls | Network Security

Why would anyone need firewall audit software? If you're already juggling hundreds of rules on multiple firewalls, here's what these tools can do for you.

Firewall audit tools automate the otherwise all-but-impossible task of analyzing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.

Although the market has been driven by compliance—it was essentially created by PCI DSS—these tools can also allow organizations to improve network performance, reduce downtime, improve security and reassign staff from shooting down firewall issues and analyzing configurations to taking on tasks that help grow the business.

The problems are familiar to organizations of all sizes—from those with just one or two overtaxed and inefficient firewalls, to large, distributed enterprises with scores or hundreds of firewalls administered by many business units, often all following different policies that may have been written before the units’ acquisitions.


Not long ago, 200-300 rules were considered excessive. Now it is not unusual for firewalls to carry many hundreds or even thousands of rules, many of them obsolete because IT operations added new rules to meet business requests but never removed the old ones. Analyzing the configurations of a few firewalls, let alone hundreds, has grown beyond what a human can do by hand.

Firewall Audit Tools: Key Benefits and Use Cases

Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million to $30 million in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.

Enterprises exhaust countless man-hours analyzing firewall and router configurations to produce audit reports, only to realize that they do not have a firm grasp on their network access controls and the change-management processes that enable them.

“How do you demonstrate that a 2,000-rule set is robust and secure?” says a security officer for a telecommunications company, which uses SkyBox Security’s SkyBox Assure solution. “It’s impossible to do manually.”

These tools parse the deployed rule base and evaluate it against corporate policy and vendor best practices to identify gaps, verify that changes had the intended effect and produce audit reports. They enable organizations to verify and document the entire configuration-management lifecycle, demonstrating to auditors that practice follows policy and that changes were completed as authorized and grant the intended access.

“There’s nothing more embarrassing or devastating to an organization than when you tell an auditor, ‘This is how we do it,’ and when they look, there is no semblance of what you said,” says Jeff Sherwood, principal security strategist for H&R Block, a Secure Passage customer. “Now we can come out of the gate and say, ‘This is what we do and here is proof we do it.’”

While compliance automation may be sufficient justification for their implementation, firewall audit tools also offer tangible business benefits that go beyond surviving the audit ordeal.

Performance and Optimization: This is a prime function of all these tools. On most firewalls each new connection is compared against the rules in order until one matches, so firewall performance degrades as excessive rules eat up CPU cycles, and heavily used access rules end up too far down the list because additions were made for speed of implementation rather than for an optimized configuration. Firewall audit tools identify redundant rules, requests for access that an existing rule already grants, and rules that reference objects no longer in use or no longer in existence.


Optimizing firewalls and network devices can resolve performance problems that companies might otherwise have addressed by buying new hardware. The benefit grows as traffic increases.

Business Continuity: Performance and optimization issues can seriously slow or even bring down critical business processes. This costs the business not only revenue, but also the man-hours it must spend to deal with the problems.

“Before, our team was heavily weighted—30 percent of their time—to firefighting, toward fault analysis and fault fixing,” says Colin Miles, corporate network manager for U.K.-based Virgin Media, a Tufin Technologies user with a network infrastructure that includes more than 100 firewall pairs. “Since Tufin was implemented, that’s turned to proactive capability, rule-based efficiency and optimization of the network, driving toward people savings.”

Security: Complex configurations make security analysis very difficult. Obsolete or misconfigured rules can be exploited to give attackers access to sensitive data. Firewall administrators under pressure to fulfill business requests are likely to err on the side of granting too much access rather than too little, for example by permitting any service or any source when a single port or host would do. Firewall audit tools improve security by detecting unused, overly permissive and misconfigured rules and by checking the effective rule base against the organization's access policy.
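The checks the optimization and security passages above describe are mechanical once the rule base is parsed. The following is an added illustration of them, not code from any of the products named in this article: it models a rule base with first-match semantics, finds rules that are shadowed (an earlier rule with a different action swallows all their traffic) or redundant (an earlier rule with the same action already covers them), flags any/any accepts and rules that permit a flow corporate policy forbids, lists network objects no rule references, and computes a hit-weighted traversal cost that shows how far down the hot rules sit. The object names, rules, hit counts and the forbidden-flow policy are all constructed for the example; only Python's standard ipaddress module is used.

```python
"""Rule-base audit checks of the kind firewall audit tools automate: shadowed and
redundant rules, over-permissive rules, policy violations, unreferenced objects
and a traversal-cost metric for badly ordered rules.
Added illustration, not any vendor's code; objects, rules and hit counts are constructed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical network objects (name -> CIDR). "any" is the wildcard 0.0.0.0/0.
OBJECTS = {
    "internet": "0.0.0.0/0",
    "corp": "10.0.0.0/8",
    "dmz-web": "192.0.2.0/24",
    "web01": "192.0.2.10/32",
    "old-proxy": "10.9.9.9/32",  # defined but referenced by no rule
}

@dataclass
class Rule:
    name: str
    src: str       # object name or "any"
    dst: str       # object name or "any"
    svc: str       # "proto/port" or "any"
    action: str    # "accept" or "drop"
    hits: int = 0  # hit counter as exported by the firewall (constructed)

def _net(obj):
    return ipaddress.ip_network("0.0.0.0/0" if obj == "any" else OBJECTS[obj])

def covers(a, b):
    """True when every packet rule b could match is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src)) and _net(b.dst).subnet_of(_net(a.dst))
            and (a.svc == "any" or a.svc == b.svc))

def overlaps(a, b):
    """True when at least one packet could match both rules."""
    return (_net(a.src).overlaps(_net(b.src)) and _net(a.dst).overlaps(_net(b.dst))
            and ("any" in (a.svc, b.svc) or a.svc == b.svc))

def analyze(rules, forbidden=()):
    """forbidden: (src, dst, svc) flows that corporate policy says must never be accepted."""
    f = {"shadowed": [], "redundant": [], "permissive": [], "policy": []}
    for i, r in enumerate(rules):
        for earlier in rules[:i]:  # first-match semantics: only earlier rules can hide r
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                f[kind].append((r.name, earlier.name))
                break
        if r.action == "accept" and r.src == "any" and r.svc == "any":
            f["permissive"].append(r.name)
        for src, dst, svc in forbidden:
            if r.action == "accept" and overlaps(Rule("policy", src, dst, svc, "accept"), r):
                f["policy"].append(r.name)
    used = {r.src for r in rules} | {r.dst for r in rules}
    f["unused_objects"] = sorted(set(OBJECTS) - used)
    return f

def traversal_cost(rules):
    """Average number of rules evaluated per matched packet, weighted by hit counts.
    A high value means the hot rules sit far down the rule base."""
    total = sum(r.hits for r in rules)
    return sum((i + 1) * r.hits for i, r in enumerate(rules)) / total if total else 0.0

def safe_position(rules, idx):
    """Highest index rules[idx] can be moved to without changing any decision:
    it must stay below every earlier overlapping rule that has a different action."""
    pos = 0
    for j in range(idx):
        if rules[j].action != rules[idx].action and overlaps(rules[j], rules[idx]):
            pos = j + 1
    return pos

RULES = [  # constructed rule base containing the defects discussed in the text
    Rule("r1", "corp", "dmz-web", "tcp/443", "accept", hits=1200),
    Rule("r2", "corp", "web01", "tcp/443", "accept", hits=0),           # redundant: r1 covers it
    Rule("r3", "internet", "dmz-web", "tcp/22", "drop", hits=300),
    Rule("r4", "internet", "web01", "tcp/22", "accept", hits=0),        # shadowed by r3, never matches
    Rule("r5", "internet", "dmz-web", "tcp/80", "accept", hits=90000),  # hot rule buried low
    Rule("r6", "internet", "corp", "tcp/23", "accept", hits=0),         # telnet in from the internet
    Rule("r7", "any", "any", "any", "accept", hits=50),                 # emergency any/any never removed
]

if __name__ == "__main__":
    report = analyze(RULES, forbidden=[("internet", "any", "tcp/23")])
    for kind, items in report.items():
        print(f"{kind:15} {items}")
    print(f"traversal cost now: {traversal_cost(RULES):.2f} rules per packet")
    print(f"r5 can safely move to position {safe_position(RULES, 4) + 1}")
```

Running it reports r2 as redundant with r1, r4 as shadowed by r3, r7 as an any/any accept, r6 and r7 as violations of the no-telnet-from-internet policy, and old-proxy as an unreferenced object. The traversal cost is close to five rules per packet because r5 carries almost all the traffic from position five; safe_position shows it can move to the top without changing a single decision, which drops the cost to about one. The policy check deliberately tests overlap rather than coverage, so a rule that accepts only part of a forbidden flow is still reported; a production tool would additionally evaluate the rules in order so that a forbidden flow fully blocked by an earlier drop is not flagged.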

Firewall Upgrade and Migration: Upgrading firewalls and consolidating onto fewer platforms create excellent opportunities for organizations to use an audit tool. It’s a good time to cost-justify configuration cleanup and firewall optimization, rather than carrying over the old infrastructure’s issues. Since these products support multiple firewall platforms, they are well-suited for consolidation, streamlining the configurations on each and translating them onto the new platform. Virgin Media, for example, consolidated from numerous legacy platforms brought over through corporate acquisition to Check Point firewalls for its dynamic environments and Cisco for more static conditions.

Change Management: Change-management policies and processes can fall short when requests are made out-of-band, which happens when either someone fails to follow procedure or there’s an urgent need to enable or restore service for critical business processes. Several vendors have complementary workflow products that automatically document all configuration changes and reconcile them with ticketing systems.
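The reconciliation step described above, in which every configuration change is tied back to an approved ticket, can be illustrated with two rule-base snapshots. This is an added example, not a vendor's workflow product: the snapshots use a vendor-neutral one-rule-per-line pseudo-syntax, and the ticket numbers and their contents are constructed. Anything added or removed that no ticket authorized is reported as out-of-band, and any ticket whose changes never landed is reported as not implemented.

```python
"""Reconcile a rule-base change against the change tickets meant to authorize it.
Added illustration, not a vendor workflow product; snapshots and tickets are constructed."""

# Two constructed configuration snapshots, one rule per line (vendor-neutral pseudo-syntax).
BEFORE = """
permit tcp 10.0.0.0/8 192.0.2.0/24 eq 443
deny tcp 0.0.0.0/0 192.0.2.0/24 eq 22
permit tcp 0.0.0.0/0 192.0.2.0/24 eq 80
permit tcp 10.0.0.0/8 192.0.2.10/32 eq 443
"""
AFTER = """
permit tcp 10.0.0.0/8 192.0.2.0/24 eq 443
deny tcp 0.0.0.0/0 192.0.2.0/24 eq 22
permit tcp 0.0.0.0/0 192.0.2.0/24 eq 80
permit tcp 0.0.0.0/0 192.0.2.0/24 eq 8443
permit ip 0.0.0.0/0 0.0.0.0/0
"""
# Approved tickets (hypothetical numbers) and exactly what each authorized.
TICKETS = {
    "CHG-1041": {"add": ["permit tcp 0.0.0.0/0 192.0.2.0/24 eq 8443"], "remove": []},
    "CHG-1042": {"add": [], "remove": ["permit tcp 10.0.0.0/8 192.0.2.10/32 eq 443"]},
    "CHG-1043": {"add": ["permit udp 10.0.0.0/8 192.0.2.53/32 eq 53"], "remove": []},
}

def _rules(snapshot):
    """One normalized rule string per non-empty line."""
    return {line.strip() for line in snapshot.splitlines() if line.strip()}

def reconcile(before, after, tickets):
    added = _rules(after) - _rules(before)
    removed = _rules(before) - _rules(after)
    approved_add = {r: t for t, c in tickets.items() for r in c["add"]}
    approved_rm = {r: t for t, c in tickets.items() for r in c["remove"]}
    return {
        # tickets whose requested change is visible in the diff
        "authorized": sorted({approved_add[r] for r in added if r in approved_add}
                             | {approved_rm[r] for r in removed if r in approved_rm}),
        # changes present in the diff that no ticket asked for
        "out_of_band": sorted((added - set(approved_add)) | (removed - set(approved_rm))),
        # tickets approved but not (fully) reflected in the new configuration
        "not_implemented": sorted(t for t, c in tickets.items()
                                  if any(r not in added for r in c["add"])
                                  or any(r not in removed for r in c["remove"])),
    }

if __name__ == "__main__":
    for key, value in reconcile(BEFORE, AFTER, TICKETS).items():
        print(f"{key:16} {value}")
```

Here the 8443 rule and the removal of the web01 rule map to CHG-1041 and CHG-1042, the permit ip any any line has no ticket and is the out-of-band change the text warns about, and CHG-1043 was approved but never deployed. Comparing normalized rule strings is enough for a demonstration; real tools match on the parsed rule fields so that reordering or renaming an object does not appear as a removal plus an addition.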