I try to avoid writing blog posts that are strictly related to our products at SolarWinds, but as I was recently conceptualizing some content for our newest product, Firewall Security Manager, I learned something that's just too good not to share. FSM came to us when we acquired Athena Security a few months back. This product utilizes firewall configuration files to analyze and manage firewall rules and changes offline to eliminate any potential impact planning might have on the production network. For years, Athena Security advertised their ability to integrate with SolarWinds NCM, so they were a perfect candidate for joining our family. In this post, I'd like to illustrate just how these two products work so well together.
Integrating FSM and NCM for 360-degree Firewall Management
For those of you who don't know, SolarWinds NCM is a network configuration change management software that allows you to back up, analyze, and modify the configuration files on all of your network devices. Of course, this includes firewalls and firewall-capable routing devices, so it was natural for the team at Athena Security to leverage that functionality. With these two products, you can collect, analyze, and update your device configurations without ever having to go to the command line or manually access the device itself.
Collecting the Config Files
In FSM you have several options for collecting configurations files: you can connect directly to a Cisco or Juniper NetScreen device; you can connect to a Check Point management server; or you can import a single set of configuration files from your company's file system. You can also connect to your NCM server to import configs from several devices, regardless of vendor (assuming the devices are supported). This allows you to leverage what NCM has already done for you and streamline the initial import process in FSM.
Analyzing the Config Files
This step is where FSM really shines. After you have the config files in FSM, you can analyze your firewall rules in human-readable tables, compare different versions of configuration files, and even generate reports to tell you what rules aren't being used or open your network for security risks. Using the various tools and reports in FSM, you can easily identify what needs to be changed on what devices, and then test those changes in an offline change-modeling environment to ensure your changes won't have any adverse effects.
Updating the Device Configurations
After you have identified what needs changing, FSM generates change scripts with the proposed changes. These scripts are fully editable, so it's easy to change only what you want and customize where necessary. When you've finalized the scripts, you can manually push them out to your devices using your preferred method, or you could use NCM to do that for you. NCM allows you to execute scripts on the devices it manages, so that closes the loop we started in step 1 when we used NCM to import the device configs into FSM.
I look forward to learning more about how to use FSM and NCM together as I continue working on this product, and I'll share tips as I learn them. If you like reading articles like this on Geek Speak, please let me know in the comments.