FSM is a new product, now part of the SolarWinds portfolio, which can perform analysis and reporting around security rules that are in your firewall and router configurations.
Even though the product is called “Firewall Security Manager”, it is also very much applicable to the security rules of your routers.
So think of “Firewall” as the function and not the device.
FSM has tremendous value not only for analyzing the configs of firewalls (the devices), but also for examining your routers' firewalling features such as ACLs and NAT rules.
FSM supports the following devices:
• Cisco Security Appliances: PIX, ASA, FWSM, ASA 8.3
• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series
• Juniper firewalls: Netscreen, SSG, ISG
• Check Point™ products: SmartCenter NG/NGX, Security Management R70
• Check Point™ platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris
The product can be run standalone, or integrated with SolarWinds Network Configuration Manager (NCM). More on this integration here.
It’s worth mentioning that FSM is a feature rich product, and this blog post covers only the main features of the product.
But before we look at those, let’s talk first about whether it’s for you.
If you are more or less involved in firewalling, FSM is for you, but here is more detail, depending on which situation fits you best:
- I already own NCM, so why do I need FSM?
- Firewalling and security really are not my forte, how can FSM help?
- Security is my bag already, what does FSM buy me?
- You spend time around security statements in your configs, and you find them very hard to read, making them difficult to understand and risky to modify.
- Security statements in your configs have a long history and/or are modified by several people.
As a result, they are convoluted, redundant and sometimes possibly conflicting.
You need to clean and simplify them, without impacting the traffic.
- You need security reports to advise you on the current security level of your configs and advise you on how to improve, above and beyond the compliance checks of NCM.
- NCM is great for helping you roll out an ACL or NAT change, but does not understand the effect that this change will have on the traffic.
In addition, the traffic on an end-to-end path is impacted by the combined effect of multiple firewalls and routers, and you need a tool that helps predict the impact that one or more combined changes can have, from an end-to-end point of view.
- You need expert advice on firewall and router security so you don’t have to spend time becoming proficient in standards such as NSA, NIST, SANS or PCI, or creating firewall compliance checks completely from scratch.
- You need a safe environment to experiment with your changes, try several scenarios, and predict their end-to-end effect BEFORE pushing them live.
When you are satisfied with the predicted behavior, you want assistance in implementing these changes, and to be able to roll back easily in case of problems.
- Even though you are proficient in this area, security is a complex domain and you’d like a tool that could help double-check your work before you deploy to production.
- Auditors and/or security meetings require frequent reports on your current security levels, and creating these reports manually is an arduous task you’d love to automate.
- Your network is complex and you find it difficult to predict the effect of a change in firewall security rules, from an end-to-end perspective.
- User requests are driving you to make frequent changes to your security objects and you need a simple but effective change management process, allowing your users to request changes via a simple Web interface, which you can then review, implement, test and deploy.
Most of the time, before you do anything, you need to deal with already existing security rules.
A lot of security rules.
So readability is the first thing FSM will help you with.
With FSM, your visibility will upgrade from this type of view (basically a text file):
Notice the different tabs, which give you clear visibility on your ACLs (Security Rules), NAT Rules, Network Objects…
And if you are still emotionally attached to the long, disorganized and sometimes messy blocks of text in your configs, no worries, they are still there in the Native Configs tab:
For more, take a look at the online demo or, as always with SolarWinds products, you can download a free evaluation copy here.
Ok, this is cool, but what about the “expertise”, that was discussed at the beginning?
Read the sections below.
Let’s take a “simple” example to illustrate how FSM can help in this area:
Unless you are doing this 8 hours per day, it might not jump out at you that there are redundant and therefore useless rules in this extract of a PIX firewall config.
Before your head hurts, let’s see below what the FSM Cleanup report advises you to do.
Line 106 is identified as redundant to preceding rule 93, which allows FTP access from all addresses.
Clearly rule 93 will match any packet that rule 106 might match, and so rule 106 never gets triggered.
Consequently it does not contribute to the behavior of the firewall and can be removed.
Was that too easy? Let’s take a closer look at line 83 and its interaction with lines 80 and 81.
Are you noticing something? FSM does!
FSM’s Cleanup report tells you that 83 is shadowed by 80 and 81.
Rule 83 is allowing a group of mail services.
It is identified as shadowed by the combination of the two preceding rules 80 and 81. These two rules will match anything that rule 83 might match and therefore rule 83 does not contribute to the behavior of the firewall and is a candidate for being removed.
This seems like a redundancy case, but rule 83 is actually marked as "shadowed" rather than "redundant", which means that the permit action at rule 83 conflicts with the deny actions of rules 80 and 81.
This indicates that there is some intention on the part of the firewall administrator that is not being carried out here.
It turns out that rules 80 and 81 were inserted for a debugging purpose, and that purpose is now long past.
The correct action here is to remove rules 80 and 81, thus restoring the “deny” at rule 83.
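The redundant/shadowed distinction above is a property of the rule set itself and can be computed offline. The following is an added example written for this post, not FSM's code: it models each first-match rule as a region of packet space (source prefix, destination prefix, destination port set), subtracts every earlier rule from that region, and calls a rule covered when nothing is left. Covered by rules with the same action means redundant; covered by rules with a conflicting action means shadowed. The sample rule lines (80, 81, 83, 93, 106), the addresses and the port sets are constructed to echo the cleanup report discussed above and are not taken from a real config.

```python
"""Detect redundant and shadowed rules in an ordered, first-match ACL.

Added example (not FSM code). Each rule matches (src prefix, dst prefix,
set of destination TCP ports). A later rule is "covered" when the earlier
rules together match every packet it could match; covered + same action
means redundant, covered by a conflicting action means shadowed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    line: int          # config line number (constructed, echoing the post)
    action: str        # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset   # destination TCP ports


def _net(text):
    return ip_network(text, strict=False)


def _intersect(a, b):
    """Overlapping CIDR prefixes nest, so the intersection is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None            # disjoint


def _exclude(whole, part):
    """Prefixes of `whole` that are not inside `part` (empty if part covers whole)."""
    if whole.subnet_of(part):
        return []
    return list(whole.address_exclude(part))


def subtract(region, rule):
    """Exact set difference region \\ rule as a list of regions, plus a hit flag."""
    src, dst, ports = region
    s, d, p = _intersect(src, rule.src), _intersect(dst, rule.dst), ports & rule.ports
    if s is None or d is None or not p:
        return [region], False                      # rule touches nothing here
    # Standard rectangle decomposition: the part outside on src, then the part
    # inside on src but outside on dst, then inside on both but other ports.
    rest = [(x, dst, ports) for x in _exclude(src, rule.src)]
    rest += [(s, y, ports) for y in _exclude(dst, rule.dst)]
    if ports - p:
        rest.append((s, d, ports - p))
    return rest, True


def analyze(rules):
    """Return {line: (verdict, [covering lines])} for every covered rule."""
    findings = {}
    for i, rule in enumerate(rules):
        residual = [(rule.src, rule.dst, rule.ports)]   # packets still reaching this rule
        covering = []
        for earlier in rules[:i]:
            nxt, hit = [], False
            for region in residual:
                parts, touched = subtract(region, earlier)
                nxt += parts
                hit |= touched
            residual = nxt
            if hit:
                covering.append(earlier)
            if not residual:
                break
        if residual:
            continue                                    # rule is still live
        same = all(c.action == rule.action for c in covering)
        findings[rule.line] = ("redundant" if same else "shadowed",
                               [c.line for c in covering])
    return findings


ANY = _net("0.0.0.0/0")
MAIL_HOST = _net("192.0.2.10/32")      # constructed DMZ mail server address
# Constructed sample mirroring the post: 80/81 deny the mail ports that 83 permits,
# and 106 permits FTP from one subnet after 93 already permits it from anywhere.
SAMPLE = [
    Rule(80, "deny", ANY, MAIL_HOST, frozenset({25})),
    Rule(81, "deny", ANY, MAIL_HOST, frozenset({110, 143})),
    Rule(83, "permit", ANY, MAIL_HOST, frozenset({25, 110, 143})),
    Rule(93, "permit", ANY, _net("192.0.2.0/24"), frozenset({21})),
    Rule(106, "permit", _net("203.0.113.0/24"), _net("192.0.2.20/32"), frozenset({21})),
]

if __name__ == "__main__":
    for line, (verdict, by) in sorted(analyze(SAMPLE).items()):
        print(f"rule {line}: {verdict} (covered by {by})")
```

The subtraction is exact for CIDR prefixes because two prefixes either nest or are disjoint, so a residual list that is empty really does mean no packet can reach the rule; the code reports rule 83 as shadowed by 80 and 81 and rule 106 as redundant to 93, as in the report above.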
Now that your configurations are cleaned-up and optimized, are they safe? Are there security holes in them?
This is what the FSM Audit report will tell you.
For example, check C31 indicates that mail services were allowed from the Internet to the internal network.
Since the mail server is on the DMZ, it is disturbing to see mail services allowed into the internal network.
Click Details to understand more about what rules create the C31 security risk.
To find out even more about why the combination of these security and translation rules creates the risk, you can click the rule numbers and see the full detail and, more importantly, the recommendation.
FSM has many features in this category and it would be too long to describe them all here, so let’s just briefly describe a few:
- Configuration Diffs highlights all changes in subsequent versions of your configs (FSM keeps the history)
- Change Advisor has a web interface that allows your network users to submit config change requests. These requests can then be reviewed by network engineers/firewall administrators, implemented, tested before they go live, and then pushed into production.
- You even have a Change Modeling environment, which makes copies of your configs in a special context called a “session” that you can use to prototype any number of changes without touching the master versions of the configs (those currently running in the devices).
But let’s focus a bit more on one of the most spectacular change management features of FSM: Packet Tracer!
There are 2 main use cases for packet tracer:
- You are making a change in your security rules, and you want to be sure that you are not inadvertently breaking connectivity between 2 points of your network.
Have your configs reviewed by FSM, and get a prediction of whether or not your config changes will do something wrong, before they go into production.
- Somebody comes to you and asks for help figuring out why a portion of your network can’t exchange some type of traffic with another area.
Have FSM look at the end-to-end path between these 2 sites and tell you what happens.
Now that you understand the use cases: here is the only input you need to give Packet Tracer before it can do its magic:
The result is an assessment of a) whether or not the packets will cross the network between the 2 specified addresses and b) if not, why and where they are blocked.
Basically, FSM’s Packet Tracer understands how security and translation rules, as well as routing tables and VPNs, interact with your packets, and predicts connectivity (or the lack of it).
And it does this, without injecting test packets on the network or sniffing the network.
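To make the idea concrete, here is an added example of a static end-to-end trace, written for this post and not FSM's own code. It assumes a deliberately small model: each device applies an inbound ACL (first match wins, implicit deny at the end), then static destination NAT, then longest-prefix routing to the next device; VPNs and stateful inspection are left out. The two-device topology ("edge" firewall in front of a DMZ mail relay, "core" router in front of the internal network), the documentation-range addresses and the rules are all constructed. Nothing is sent on the wire: the trace is computed from configuration alone, which is the point the paragraph above makes.

```python
"""Predict whether a packet crosses a chain of firewalls/routers.

Added example, not FSM's own code. Simplified model: inbound ACL with
implicit deny, static destination NAT, longest-prefix routing. The result
records either delivery (with the translated destination) or the device and
reason that blocked the packet.
"""
from ipaddress import ip_address, ip_network


class Device:
    def __init__(self, name, acl, routes, dnat=None):
        self.name = name
        # acl: list of (action, src_net, dst_net, dport-or-None), evaluated in order
        self.acl = [(a, ip_network(s), ip_network(d), p) for a, s, d, p in acl]
        # routes: list of (prefix, next-hop device name or "connected")
        self.routes = [(ip_network(pfx), nh) for pfx, nh in routes]
        # dnat: {public address: translated address}
        self.dnat = {ip_address(k): ip_address(v) for k, v in (dnat or {}).items()}

    def acl_verdict(self, src, dst, dport):
        """Return (action, rule number); rule number is None on implicit deny."""
        for n, (action, s, d, p) in enumerate(self.acl, 1):
            if src in s and dst in d and (p is None or p == dport):
                return action, n
        return "deny", None

    def next_hop(self, dst):
        """Longest-prefix match; None when the device has no route for dst."""
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r[0].prefixlen)[1]


def trace(devices, ingress, src, dst, dport, max_hops=16):
    """Walk the packet from the ingress device to delivery or to the blocking point."""
    src, dst = ip_address(src), ip_address(dst)
    result = {"delivered": False, "blocked_at": None, "reason": None,
              "final_dst": None, "path": []}
    name = ingress
    for _ in range(max_hops):
        dev = devices[name]
        action, n = dev.acl_verdict(src, dst, dport)
        if action != "permit":
            result.update(blocked_at=dev.name,
                          reason=f"ACL rule {n}" if n else "implicit deny")
            return result
        result["path"].append(f"{dev.name}: permitted by ACL rule {n}")
        if dst in dev.dnat:                       # static destination NAT
            dst = dev.dnat[dst]
            result["path"].append(f"{dev.name}: destination translated to {dst}")
        nh = dev.next_hop(dst)
        if nh is None:
            result.update(blocked_at=dev.name, reason="no route")
            return result
        if nh == "connected":
            result.update(delivered=True, final_dst=str(dst))
            return result
        name = nh
    result.update(blocked_at=name, reason="hop limit exceeded (routing loop?)")
    return result


# Constructed topology: public mail address is translated to a DMZ relay,
# public web address is translated to an internal host behind "core".
TOPOLOGY = {
    "edge": Device(
        "edge",
        acl=[("permit", "0.0.0.0/0", "198.51.100.25/32", 25),
             ("permit", "0.0.0.0/0", "198.51.100.80/32", 443)],
        routes=[("192.0.2.0/24", "connected"), ("10.0.0.0/8", "core")],
        dnat={"198.51.100.25": "192.0.2.25", "198.51.100.80": "10.0.1.80"},
    ),
    "core": Device(
        "core",
        acl=[("permit", "192.0.2.0/24", "10.0.0.0/8", 25)],   # DMZ relay -> internal
        routes=[("10.0.0.0/8", "connected")],
    ),
}

if __name__ == "__main__":
    for dst, port in (("198.51.100.25", 25), ("198.51.100.80", 443), ("198.51.100.25", 22)):
        r = trace(TOPOLOGY, "edge", "203.0.113.7", dst, port)
        where = f"delivered to {r['final_dst']}" if r["delivered"] \
            else f"blocked at {r['blocked_at']} ({r['reason']})"
        print(f"{dst}:{port} -> {where}; path: {r['path']}")
```

The second trace is the instructive one: the edge firewall permits the HTTPS packet and translates it to an internal address, yet the packet never arrives because the core router's ACL has no matching rule. Reading either device's config alone would not reveal that; only evaluating the combined rule sets along the path does.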
- Fewer config mistakes.
Ever heard the statistic that 80% of network faults are not hardware issues but config changes that were not properly controlled and understood? Here is a product that will help you in this regard.
- Faster troubleshooting.
Hopefully you got the point: FSM is a very feature rich product and brings you tons of expertise in the firewalling area (firewall and routers).
It has many other features that we’ll discuss in future blog posts.
In the meantime, you can download a free eval of FSM here, and see for yourself!
Like always with SolarWinds products, it installs super-fast and provides value in less than 1 hour.
If you have read the above, it should be obvious that FSM is a very natural extension of SolarWinds Network Configuration Manager (NCM).
The good news is: they are already integrated (NCM v7.1 recommended)!
- FSM can get device configurations directly from NCM’s database. No need to duplicate those configs in 2 separate products.
- FSM can execute changes (e.g. cleanup scripts) on devices via NCM’s scripting feature. You maintain your device credentials in only one product and not 2.
Install both and you really have a best-of-breed platform to rely on for managing your firewall and router configurations!
Once installed, it takes just a few clicks, before you can get tremendous value from FSM.
Download the FSM evaluation copy here, you can do all this in less than 30 minutes.
Once the FSM client is started, click on this icon
Then select the NCM import option, give the NCM URL and admin credentials, and select your NCM nodes from the list below (don't select those that have type=unknown, and prefer those that have ACLs in their configs).
Hit Finish and you will see your FSM Inventory tab (left panel) populated with your firewall and router devices.
Their configs are now in FSM, you are ready to start.
The best way to see what the product can do is either to explore it or to look at the Online demo.
Note that in terms of adjacencies with other SolarWinds products, FSM is also very close to LEM, the Log and Event Manager, so you might be interested in taking a look at LEM too!