Cisco® firewalls are prevalent in today’s enterprise networks. There’s a good chance you have one, or more likely several, Cisco security devices on your network. But do you have enough resources to ensure these devices are being managed effectively? How do you know there are no undetected loopholes, or that your firewalls are not putting your network at risk?
Managing large numbers of devices, multi-vendor device complexities, growing firewall rulebases, change management issues, as well as internal and external compliance requirements, all add to the challenges faced by today’s security admins.
In this blog, we’ll look at some key pain points for Cisco firewall management.
1. Complex NAT and ACL Rules
Traditionally, Cisco firewall management has meant learning a myriad of NAT syntactic variations like Static NAT, Static NAT with Port Translation, One-to-Many Static NAT, Dynamic NAT, Dynamic PAT, Identity NAT, NAT in Transparent Mode, NAT in Routed Mode, Twice NAT, etc.—you get the idea.
Access-lists (ACLs) also come in different forms, including standard and extended, as well as named and numbered. Standard access-lists are defined to permit or deny based on the source IP address of the packet. Extended access-lists define both source and destination IP addresses. Extended access-lists can also be defined to permit or deny packets based on TCP, UDP, or ICMP protocol types and the packet’s destination port number.
It’s also important to note that on Cisco PIX, ASA (pre-8.3), and FWSM, ACL rules are written against the mapped (translated) IP addresses. Starting with Cisco ASA 8.3, rules are written against the real (untranslated) IP addresses.
2. Intricate Data Analysis
To isolate unused rules, rule usage data must be analyzed. On Cisco devices, usage analysis is based on access-list hit counts, so no syslog records need to be collected for this purpose. To isolate unused rules and objects, you must first identify those with the fewest or no hits, and then remove or edit them as required.
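As an added illustration of the hit-count approach (example code written for this post, not a SolarWinds or Cisco tool), the script below parses the output of the ASA `show access-list` command and lists the access-control entries whose hit count is zero. The sample output is constructed to resemble ASA formatting; the ACL name, addresses and hash values are invented.

```python
import re
from dataclasses import dataclass

# Matches one access-control entry (ACE) in "show access-list" output.
# Remark lines and the per-ACL summary line carry no "(hitcnt=N)" and are skipped.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

@dataclass
class Ace:
    acl: str
    line: int
    body: str
    hits: int
    expanded: bool  # True for an object-group member listed (indented) under its parent ACE

def parse_show_access_list(text: str) -> list[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # header, summary or remark line
        aces.append(Ace(m["acl"], int(m["line"]), m["body"], int(m["hits"]),
                        expanded=bool(m["indent"])))
    return aces

def unused_rules(text: str) -> list[tuple[str, int, str]]:
    """Return (acl, line, body) for every top-level ACE with a zero hit count.
    Expanded object-group members are skipped: the parent line already carries
    the aggregate count, and they cannot be removed without editing the group."""
    return [(a.acl, a.line, a.body) for a in parse_show_access_list(text)
            if a.hits == 0 and not a.expanded]

# Constructed sample modelled on ASA "show access-list" output (not from a real device).
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x1234abcd
access-list outside_in line 1 remark Web traffic to the DMZ
access-list outside_in line 2 extended permit tcp any host 10.1.1.10 eq https (hitcnt=1532) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp any object-group WEB_SRV eq http (hitcnt=0) 0x5e6f7a8b
  access-list outside_in line 3 extended permit tcp any host 10.1.1.10 eq http (hitcnt=0) 0x00000001
  access-list outside_in line 3 extended permit tcp any host 10.1.1.11 eq http (hitcnt=0) 0x00000002
access-list outside_in line 4 extended deny ip any any (hitcnt=2) 0x9c0d1e2f
"""

if __name__ == "__main__":
    for acl, line, body in unused_rules(SAMPLE):
        print(f"{acl} line {line}: {body}  <- zero hits, review before removing")
```

A zero count only means no traffic matched since the counters were last cleared or the device last reloaded, so compare samples taken over a period that covers infrequent jobs (month-end batch, DR tests) before treating a rule as dead.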
3. CLI-based Configuration Management
Cisco device configurations are generally CLI-centric and viewed via SSH/Telnet. This can make for difficult and complicated management, especially when dealing with a large number of complex rulesets. Human errors and typos are quite common when working at the command line, and they can inadvertently open a security hole or render a service unreachable. Plus, the limited view provided by the CLI does not deliver a complete picture of how rules and objects are related. And even though the configuration file can be downloaded as a text file for further investigation, management and troubleshooting remain difficult.
Managing Cisco firewalls can be a daunting task, but it doesn’t have to be. The right firewall management tool can make all the difference.
Security admins need a tool in which they can automatically analyze firewall configurations and quickly identify security gaps, as well as view ACL and NAT information in an easy-to-understand manner. But it doesn’t stop there. They also need a way to streamline change management, optimize performance, and ensure compliance is maintained.
The right tool should enable security admins to:
- Perform regular rule/object cleanup tasks that optimize the performance of the firewall.
- Generate analysis reports for a selected firewall and identify rules/objects that should be removed or revised.
- Create new configuration files or clean-up scripts that can be edited and applied as necessary.
- Troubleshoot issues by using packet tracing methods to trace the path of a specific packet that is currently being blocked or dropped.
- Avoid errors in rulebases by testing and evaluating the effect of rule changes before applying them to the production environment.
- Utilize a user interface (UI) that displays configuration files in an intuitive way for convenient analysis and troubleshooting.
SolarWinds Firewall Security Manager (FSM) can help simplify firewall management and make the security admin's job easier with its powerful automation and out-of-the-box support for Cisco and other leading firewall vendors and devices.