While firewalls should be used to help with the basics of network security -- visibility and control -- quick configuration fixes and a lack of communication regarding these changes can quickly get enterprises into a bind. Firewall change management and
I recently consulted at a large enterprise where the IT staff made a few out-of-band changes to a critical firewall that subsequently failed. Both the network firewall and the company's e-commerce platform were down for an extended period of time. As a result, the business experienced tremendous monetary loss not only from systems being down but also from hiring outside consultants for over a week to determine what went wrong. We ultimately discovered that the company didn’t have the proper change management policies, processes and technologies in place. Ironically, the company was well into an ITIL adoption project that would eventually help it avoid this situation.
Enforcing firewall change management procedures helps companies avoid manual changes that lead to errors and also results in better communication among staff regarding the state of the network. Once IT teams have a constantly updated picture of network status, they can more easily meet ever-changing compliance regulations.
Firewall change management and automated management
A solid firewall change management process is not one that's just on paper to appease the auditors, but rather a set of real procedures that everyone involved must follow. The term “change management” sounds complicated, but it doesn’t have to be. Change management merely formalizes the way we work and provides a way to document the who, what, when, why and how of every firewall change. What's more, there are tools that automate day-to-day firewall management tasks and link these changes to the procedures so that they are recorded as part of the change management plan. In fact, automated technologies can help bridge the gap between the documented change management process and what’s really taking place on the firewall. They improve accuracy and remove people from the equation to a great extent. The outcome is greater efficiency and lower business risk.
What to consider in firewall management tools
So, the question becomes: Should you go with a third-party firewall management and auditing solution like Tufin or AlgoSec, or rely on the native controls in your existing systems? Budget will be a factor, as will network complexity. If you decide to invest in a tool, here are some considerations:
- How does the tool track firewall policy changes?
- Does the solution provide what-if analysis? (i.e., if you make change X or Y, what will happen?)
- How does the solution ensure changes are implemented while properly taking into account business continuity?
- Can the solution support all of your existing platforms/vendors?
- How can the solution help audit (in real time) the current level of risk and compliance?
- How can the solution help with separation of duties, audit logging and overall accountability?
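The first two questions above, and the earlier point about automated tools reconciling the change management record with what is really on the firewall, come down to one check: diff the running rule set against the last approved baseline and flag every change that has no matching ticket. The following is an added example written for this article (not code from any of the tools mentioned); the `Rule` fields and the ticket schema are assumptions, and the sample rule sets are constructed.

```python
# Added example: reconcile a firewall's running rule set against its approved
# baseline and the change record; any change without a ticket is out-of-band.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

def rule_diff(baseline: List[Rule], running: List[Rule]) -> Dict[str, str]:
    """Classify each differing rule name as 'added', 'removed' or 'modified'."""
    base = {r.name: r for r in baseline}
    run = {r.name: r for r in running}
    diff = {}
    for name in base.keys() | run.keys():
        if name not in base:
            diff[name] = "added"
        elif name not in run:
            diff[name] = "removed"
        elif base[name] != run[name]:
            diff[name] = "modified"
    return diff

def reconcile(baseline, running, tickets: Dict[str, dict]) -> Dict[str, dict]:
    """Attach the who/when/why ticket to each change, or flag it out-of-band.
    `tickets` maps rule name -> approved change record (hypothetical schema)."""
    return {
        name: {"change": kind, "ticket": tickets.get(name),
               "status": "approved" if name in tickets else "out-of-band"}
        for name, kind in rule_diff(baseline, running).items()
    }

def out_of_band(report: Dict[str, dict]) -> List[str]:
    """Changed rules with no approved ticket, sorted for stable output."""
    return sorted(n for n, r in report.items() if r["status"] == "out-of-band")

# Constructed sample: one ticketed port change, one silent removal, one
# silent new rule (the kind of out-of-band edit the article warns about).
BASELINE = [Rule("web-in", "any", "10.0.1.10", 443, "allow"),
            Rule("db-in", "10.0.1.10", "10.0.2.20", 5432, "allow"),
            Rule("mgmt-in", "10.0.9.0/24", "10.0.1.10", 22, "allow")]
RUNNING = [Rule("web-in", "any", "10.0.1.10", 8443, "allow"),
           Rule("mgmt-in", "10.0.9.0/24", "10.0.1.10", 22, "allow"),
           Rule("tmp-any", "any", "10.0.2.20", 5432, "allow")]
TICKETS = {"web-in": {"who": "jdoe", "when": "2011-03-01", "why": "CHG-0042: move to 8443"}}
```

Running `out_of_band(reconcile(BASELINE, RUNNING, TICKETS))` yields the two unticketed rules, which is exactly the list a change advisory board or an auditor would want to see before the next outage rather than after it.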
Bringing sustainable and repeatable processes full circle will require both upfront and ongoing investments, but they can pay for themselves by allowing you to focus on more strategic and analytical issues rather than getting caught up in the network security minutiae.
If you automate firewall management properly, there will be no more fire drills or taking the entire network down when a firewall configuration change goes awry. Furthermore, audits can be streamlined, and accurate changes can take place more quickly.
About the author
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
This was first published in March 2011