Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Calum Macleod, Tufin Technologies: My Wife is Not For Sale

April 2009 by Calum Macleod, Regional Manager Tufin Technologies

Monday mornings are bad enough but when another letter arrives from the local law enforcement asking me for another contribution to help them improve the accuracy of their speed traps it doesn’t make for a good start to the week. Fortunately I live in a pragmatic country where minor indiscretions are solved with a reasonable contribution and not with the full force of the legal system coming down on your head. But in any case in these times of recession, every little bit hurts!

Now I’m sure that many will say that the solution is simple – stick to the limit. And that would be easy if meetings ended on time and you didn’t have to complete a 2 hour drive in 30 minutes and at the same time discuss business with colleagues, sympathize with your children asking for “Dr. Phil level” advice on their personal relationships. It’s not that I don’t get alerts. After all radio stations display information about where exactly the cameras are hidden so at least you can plan to be law abiding at those spots but it’s the nasty ones that sneak up behind you that are the worst. But what’s this got to do with IT security.

It’s just like your firewall infrastructure. You arrive at work for another normal day only to discover that more vulnerabilities have been reported over night, several departments are asking for access to new services and it is the firewall administration teams responsibility to sort this out. In fact the more I talk to firewall administrators, the more I came to realize they are all masochists. Only a masochist would work in a firewall team that has no effective security lifecycle management tool. I mean how many people you know are happy to spend their days looking for a needle in a haystack !

- What Are The Challenges?

Is Your Firewall Policy Enforced?

Firstly every change that is made to a firewall has to be in line with the firewall policy. A firewall policy defines how the firewall should deal with traffic such as web, or email or any other application that needs to be accessed. Additionally the policy usually controls how the firewall is managed and updated. For example you may have a policy that states that the firewall has to be managed from a particular location. Firewall management is an area that can create problems especially for users who have outsourced the management. For example how does a Security Officer or an Auditor at an organization validate that the Service Provider is adhering to the agreed policy. In many cases the customer has simply no idea.

Is Your Information Security Policy Enforced?

A firewall policy is based on an organization’s Information Security Policy. The firewall policy is the practical implementation of the security policy. The Information Security policy defines everything from acceptable use to what actions should be taken in the event of a security problem; for example a new vulnerability is identified that must be dealt with. The security policy will usually define the steps that are required in order to make changes to a firewall.
So what’s your worst nightmare? You could say not having policies, but that’s pretty much an unlikely event these days. The nightmare for Auditors and Security officers is having no effective method of knowing if your firewall administrators, whether in-house or out-sourced, are actually enforcing the policy.
The problem that you are faced with is that without effective Security Lifecycle Management and Firewall Policy Management technology it is virtually impossible today to know what is going on. Very complex and large rule sets across many firewalls in a multi-vendor environment is the source of sleepless nights. I talk to many organizations and the whole process is a paper based exercise. Every change to the firewall has to be examined firstly against the Information Security Policy – Is this allowed or not; is this person allowed to do this, etc. Then it’s examined against the firewall policy – Does my firewall policy allow this; what has to be changed and where; does this already exist; what impact will this have on other services. And we haven’t even thought about Business Continuity or compliance issues!
So now that you’re exhausted from just trying to keep up with the stresses of daily life along comes regular maintenance. As rules and services are added every day your firewalls become fat and lazy. Probably in most firewalls you can probably expect that the “body mass index” is out of control. In most firewalls we’re not talking obese we’re talking absolutely huge. Without losing excess rules the firewall becomes slow, affecting performance, and impacting the business. And the result - buy a bigger firewall, i.e. waste money! This is kind of like going out to buy a new suit because the old open one doesn’t fit anymore whereas if we just lost a few kilos everything would be fine. But in the firewall world losing rules is not that simple. Rules are being shadowed, rules are obsolete, services and objects in rules are shadowed an obsolete. In other words most firewalls are a mess and without Firewall Policy Management tools it is an impossible task to. And not only are you likely to waste money getting bigger and better but you are also running major risks with the health of the firewall. As firewall rule bases grow so do the number of unused and obsolete rules and objects, which in turn leads to potential security vulnerabilities. The only way to fix this is without the right tools are to do it manually. Just not realistic!

The beauty of having the “technology” to spot and address the problems is that you will save money. Thanks to my eagle eyed wife it turns out that my son was driving when the picture was taken. I’m sure she would be amazing as a “Firewall Policy Management tool” but she ain’t for sale so I suggest you buy your own!

See previous articles


See next articles