When Jim Lepine took over as vice president of information security at transaction audit firm PRGX Global Inc....
three years ago, he found that legacy Cisco PIX firewalls deployed throughout the enterprise were jam-packed with thousands of unnecessary lines of rules and lacked any uniform firewall change management processes. Furthermore, he did not have direct ownership of PRGX's firewalls. That responsibility was held by the network services team.
Firewall management complexity is not uncommon. Many network engineers may like a manual, hands-on approach to firewall management, but over time this approach can get unwieldy. Without the automation and analysis offered with firewall management software, thousands of rules and configuration mistakes can end up hidden within some legacy boxes. But firewall management can become something of a dark art that frustrates network security executives.
"So walking in, one of the first questions I asked was, 'How are we managing changes to these devices?' The blank stares basically told me everything I needed to know," Lepine said.
In order to roll the firewall infrastructure into his overall security operation -- and to help the organization make the difficult shift from Cisco firewalls to Juniper Network’s SRX gateways -- Lepine needed firewall management software that both his security team and the network team could use. He purchased firewall management software from AlgoSec, a specialist in firewall change and configuration management technology. AlgoSec also has firewall analysis capabilities which can demonstrate what effect firewall rules and configurations have on security and network performance.
Firewall management software unearths buried firewall rules
The AlgoSec product gave Lepine and the network engineers instant visibility into the PIX firewalls, and they found that years of manual firewall management had created far too much complexity. In one PIX 535 Lepine said they found 3,000 lines of firewall rules.
"It was horrendous, and 2,000 of them were covered up. This PIX was maybe 10 years old and this rule set was absolutely out of control. Nobody had a clue. The Cisco guys love to do everything in command line," Lepine said.
By working in command line, the engineers had buried thousands of rules, Lepine said. Each time the business asked the networking team to open up a port with the firewall, the engineers would have to sift through hundreds of rules within the command line interface. Over time, the engineers didn't have time to review an ever-expanding rule set while responding to a change request.
"And so over a period of years the network team says, 'OK, I'm going to define this object and I'm going to open up this port and this communication path,' with no regard for what was further down the rule set. Those previous rules end up never getting touched because another rule would fire before something gets there," he said.
The AlgoSec software was able to analyze the 3,000 lines of rules on that one device and determine that 2,000 of them were superfluous. Lepine performed similar firewall rule audits with the rest of the PIX devices across the enterprise.
"So we could run a quick assessment analysis using AlgoSec and it [reports] that these are your rules that are never being fired or used, just useless and chewing up resources on the firewall," he said.
Vendor transition eased by firewall management software
AlgoSec software eased some of the heavy lifting involved when PRGX started replacing its old Cisco PIX firewalls with Juniper SRX gateways last year.
"When this migration started, [the network engineers] talked about engaging a VAR to help them with it," Lepine said. "I said that we have this great tool. Why don't you guys use it? They were surprised that all this information existed."
The firewall management software was able to translate the configuration and rule sets on the PIX boxes over to the SRX boxes with very little effort. Gone were the 3,000 lines of rules within one PIX 535. In its place was a 600 line rule set on the SRX.
"The move from Cisco to Juniper is by no means a simple one, so we were able to give the networking team all the information they needed to make a smooth transition.”
Firewall management software imposes firewall change management and configuration management
Although PRGX's network engineers still have ownership of the company's firewalls, Lepine has used the AlgoSec technology to impose a firewall change management policy. Lepine's team gets an alert every time someone makes a change, and the engineers need to justify each change via the company's change ticketing system.
He has also imposed stricter configuration management policy on the firewalls to meet a more rigorous security policy.
"The network services guys had static IP addresses configured from their homes so they could go in and manage the [firewalls]," Lepine said. "From a corporate policy standpoint, we had determined that using an approved remote access solution to access that firewall from the internal network was the only way that these firewalls can be managed. They had circumvented that process. That was certainly a misconfiguration that we found with the first analysis [with AlgoSec]."
Let us know what you think about the story; email Shamus McGillicuddy, News Editor.