10 Replies Latest reply on Nov 25, 2013 6:06 PM by bradreyes83

    The Firewall Management Landscape

    Brandon Carroll

      Firewall management is one of those areas that I''ve never been happy with because I've yet to met a firewall management software that covered all the areas I expected.   The standard Firewall Managers were always clunky, slow, java, and tended tp waste more of my time trying trying to overcome their caveats than anything.   I think back to the days when I used Cisco Works VMS (VPN/ Security Management Solution) and it was horrible.  So slow that I could honestly configure VPN and firewall policy faster by cutting and pasting from one firewall to another.  Change management was difficult, especially if you had to submit jobs and have them approved.

       

      Cisco Security Manager made life a lot easier.  Now Cisco Prime is on the scene and it's obvious that Cisco has put some money into improving their NMS.  Looking at Solarwinds FSM I see similarities in the interface as compared to Cisco ASDM.  Security Rules are the equivilant to Access-Control Lists.  NAT Rules are pretty self explanatory.  In fact, most of the tabs are logical in what they are named and what they do.

       

      Solarwinds FSM seems to be very responsive from what I've seen.  The Security Audit reminds me of the security audit that I could do in Cisco SDM on the routers, but FSM is multi-vendor and that's appealing.  Another nice feature is the change summary, which I have used a few times.

       

      I know there are other firewall management packages out there.  If you were to walk into a mixed vendor environment with no solution in place and have the freedom to drop in the best of the best, what would it be and why?  What's still missing and who could provide those features in the future?

        • Re: The Firewall Management Landscape
          wluther

          I would vote to use the most familiar tools with the most simple options/features, at least until I was able to get a clue as to what happened that made me the new firewall guy...

           

          Good old copy/paste has worked great for me, with a decent little notepad and a google drive folder... but again, I am not here to fire my walls...

          • Re: The Firewall Management Landscape
            wbrown

            I've used CiscoWorks VMS for managing CSA and IDS updates, but not for firewall policies.  Nor have I used any other package for firewall management.  However, I'm at the point where I know I need something and I'm trying to figure out what I need.

            I absolutely hate ASDM for configuration.  It is handy for ad-hoc monitoring.

            Our InfoSec group briefly looked at RedSeal and it looked decent but the price tag was prohibitive.

            Considered downloading FSM but I can't seem to get a spare server to load it on.

             

            When I walk into an environment the first thing I want isn't a firewall management package, but rather a network diagram, or at least a list of what firewalls are where.  From there I can manually make a map and figure out what's going on.

             

            I think no matter what product you choose that there's still going to be some issue with adapting configs to the product.

            The biggest issue I envision is simply a standard for referencing objects in the policy rules.  Here's why:

            The policies for an installation of 1 or 2 firewalls is relatively easy to manage.  My current environment includes over a dozen perimeter firewall pairs and slightly less internal pairs.  When I had a single data center the rules that referenced WebApp#1 existed in a single firewall, and allowed traffic from well defined addresses.

            Then another data center is introduced (and another firewall pair) and a failover installation exists for WebApp#1. Ok, this is still manageable.

            Now another entity is purchased and is to be integrated and pass through another firewall.  Their addressing may or may not be compatible.  What address does that entity use to reach WebApp#1?    Do I put multiple IPs in the same object group in the same firewall?  Which firewalls really need to be modified?

            And another entity gets purchased....

            WebApp#1 gets replaced by WebApp#2.  Which objects need to be changed in which firewalls? When? Do I need different rules?

            .....

            Multiply that by who-knows how many different apps.

            I definitely need something to help keep track of this and ensure policies/objects are consistent from firewall to firewall.

             

            My practice at this time is to use an object naming standard that references the app, the data center it is in, the zone it is in, and whether the referenced IP is native or translated.  I also do everything I can to make sure any given IP is only referenced within the configuration: I don't want objects with different names to reference the same IP.

             

            What do I want out of a firewall management package?

            - Ability to use a common set of objects

            - Hierarchical policies.  Enterprise policy > site policy > segment (DMZ) > application > host.

            - Ability to define policy and the application applies the relevant rules to only the relevant firewalls.  Rules take memory: I don't want firewalls containing rules that are not applicable.

            - Audit objects - flag objects that are not being used.

            - Audit rules - flag rules that will never be matched because the traffic is already matched by a previous rule.

            - Audit HA firmware - ensure all members of cluster or active/standby pair have same firmware and config files on the devices.

            - Change preview before deployment.

            - Visualization of proposed policy changes.

            - Visualization of simulated traffic flow through multiple firewalls (i.e. packet-tracer across multiple firewalls).

            - Role based access (i.e. Auditor, Change Submitter, Change Authorizer, SuperAdmin) for Enterprise, Site, Device.

            - Affordable.

            • Re: The Firewall Management Landscape
              Aaron Denning

              i know here we have the Cisco prime and our firewall guys love it but yes copy/paste and Google are my friends.

              • Re: The Firewall Management Landscape
                syldra

                Half our firewalls are managed by a third party and the other half are EFW Community VMs so not much for that here... I would love to be able to push changes to all my EFW at once though... haven't found a way yet...

                • Re: The Firewall Management Landscape
                  byrona

                  In a multi-vendor environment the first product(s) I would look at would be SolarWinds just because we have had such a good experience with them thus far.  Our good preferred vendors always get the first chance to fail when it comes to choosing new solutions.

                  • Re: The Firewall Management Landscape
                    cahunt

                    We manage all of our Firewalls, and most of them are of the NaBisco Brand. ASDM is all i know when it comes to Firewalls(mostly)... I had a nice chance to be thrown into FW setup for PCI network.

                     

                    Our VPN Box is linux driven and has some FW like features.... the CLI is always more fun than that silly Gui that needs the console install exactly 2 versions behind the FW's code.

                    So ASDM Gets installed a few times for each version needed.

                    • Re: The Firewall Management Landscape
                      jspanitz

                      The problem I have with Cisco is they force you into prime.  We just updated our wireless controllers and the old WCS platform is no longer supported so we are forced to move to prime and at a cost.  Of course I tried to get us to look at other solutions but some of us only know Cisco (even that is questionable) and can't / won't look outside their safety zone.

                       

                      But I digressed.  For firewall management we need a product that is cross platform.  Prime is not.  Similar to Juniper and their new Space platform.  Space is fantastic and is open so others could develop and extend it to none Juniper equipment but that won't happen so we are left with third party management.

                       

                      And and that brings us to companies like Solarwinds and AlgoSec.  I haven't  test driven either solution but one of the things I say that I really liked was the ability to  visually model your connected firewalls and how applying a rule change would affect the other firewalls and traffic.  To me that is a must have.  The other item I think is a must have is the ability to collect usage info on the rules and report back which rules are not used  and suggest which rules can be removed.  But it needs to go deeper and understand next gen firewall application awareness.  I want to know if we are allowing social networks through, then. Exactly which social networks are we using and which are we not and how can I tighten my ruleset to provide better security.  And since we have to report on PCI compliance, I should be able to generate compliance reports from the tool as we

                       

                      I think Solarwinds can get there, we'll just need to see how quickly..

                      • Re: The Firewall Management Landscape
                        Kurt H

                        I would use any firewall management software that would give me the capabilties I am looking for. Of course it would have to fit into our current monitoring and management tools.

                        • Re: The Firewall Management Landscape
                          pandom_

                          Cisco Security Manager for us. We do not have enough to warrant an investment into Cisco Prime. That being said after a while in an environment you learn tools to increase efficiency and augment and work with vendor tools.

                          • Re: The Firewall Management Landscape
                            bradreyes83
                            You should really consider looking at some of the next generation firewall such as Checkpoint or Palo Alto.  Cisco ASAs are a thing of the past.