Network path analysis tools like traceroute are effective at examining how individual network devices affect the...
progress of packets across a network, but they rarely help engineers understand the role that network security devices play.
Athena Security's new PathFinder network path analysis product offers such visibility into security infrastructure. Network engineers can upload configuration data of firewalls, switches and routers into the tool, which generates an offline, virtual model of a network. They can then simulate packet transmission through this network model, and PathFinder predicts how device configurations and firewall rules will affect packet flows.
After segmenting the DMZ of the network at convenience store chain Kwik Trip, LAN and WAN administrator Chuck Serauskas discovered that certain types of traffic were getting hung up in the segments. He used PathFinder to troubleshoot the problem.
"Since we got [PathFinder] we've been using it to troubleshoot… how the path runs through our ASA [Cisco Adaptive Security Appliance]," he said. "For PCI we've recently split our DMZ into four different DMZs. When we first set it up, we didn't have the routing exactly right through it, and our VMware guy was having some issues with some of the servers that we had in the DMZ."
With PathFinder's offline network path analysis features, Serauskas used his device configurations to create a model of his network and sent simulated packets through the DMZ. He saw that the ASA was intercepting certain packets as they passed through it. He examined the rules on the ASA and discovered that some entries were sending the packets through an older path that had gone unused before segmentation.
"We just had to change the path on the DMZ — make the proper changes on the firewall for it — and once we made the changes to the config, we ran a new test [in PathFinder]," he said. "Once we knew the IP that [the VMware admin] was trying to get through had traveled correctly, we made the change [in production].
Network path analysis tools rarely consider security
Network engineers have many tools at their disposal for network traffic analysis, from simple utilities like traceroute to larger systems management products with network path analysis capabilities, such as Opnet and Compuware. However, most of these tools concentrate on network devices and hosts— not network security devices.
"I've heard plenty of war stories where a firewall rule change ended up creating a performance problem for an application. It's not normally a place where you look for a performance problem, but it can have an impact,” said Jim Frey, research director for network management at Enterprise Management Associates.
In some IT organizations, the admins who use network traffic analysis tools and network path analysis tools lack fluency in firewall rules and settings, so a tool that can provide a visual model of a firewall's effect on network paths can be handy.
"Firewall rules get lengthy, so to be able to provide some visual representation of how our firewall works is beneficial to those who don't live in firewall code every day," said Richard Barretto, senior information security analyst with the Healthcare Government Billings Solution Group at banking technology provider FIS Global.
Barretto recently purchased PathFinder and FirePAC, Athena's firewall management product. He acquired the tools in order to improve his organization's firewall auditing processes, but he also recognizes PathFinder's potential as a network traffic analysis and troubleshooting tool.
"You can actually troubleshoot certain traffic that is going from one source to a destination, and based on rules settings figure out where traffic might stop or if there are any gaps," he said.
Finding mistakes with network path analysis
PathFinder is also useful for discovering gaps in network security that allow packets to go where they shouldn't.
"When we look over a client's network, we always assume there is going to be some aspect of network security that will fail, and the bad guy will get into some point of the network if he tries hard enough." said Larry Rosen, security analyst with information security services firm Jacadis. "With a tool like PathFinder, we can look and say if someone goes in from this level, where could they go? [We use it] to try to analyze threats that a particular hole will open on the network. So [our clients] can tighten up their rules if they need to."
Many companies lack a full-time firewall manager, and non-specialists will often introduce ad hoc rules to a firewall while testing a new application on a network, Rosen said. Then they forget to remove that rule after the test is complete. That rule change can potentially open up a dangerous vulnerability. A network traffic analysis tool with good visualization features can point a network to such a problem quickly."
Two other firewall lifecycle management vendors, Skybox Security and RedSeal Systems, have network path analysis capabilities similar to Athena PathFinder, but they are part of larger product suites, whereas PathFinder is a standalone product that network engineers without direct control over firewall infrastructure could use for troubleshooting, Rosen said.
"In fact, network engineers could introduce PathFinder into an overall change management process," said Jerod Brennen, senior security analyst at Jacadis. "If you had a router config file or firewall config file that represented a post-change world, you could run queries against certain critical path services to evaluate whether that traffic is going to flow or not."
Let us know what you think about the story; email Shamus McGillicuddy, News Editor.