In theory, your firewall is a magical security concentrator, providing a high-performance gateway between the outside world and your protected network. Ideally, it's an easy-to-control single point of configuration, allowing you to apply multiple best-practice security techniques all in one place. Finally, it should never ever keep you up at night wondering if its config is riddled with holes that may expose your organization to pillage and plunder. The unfortunate reality of network security administration, however, is this: By their very nature, our firewalls are never static monuments of invulnerability.
It's not your fault
Security administrators rarely have the luxury of owning a firewall throughout its lifecycle. They weren't there for configogenesis, or during the time the original crisp rules were set in place. Nor were they there during the policy stewardship phase, approving and documenting pages, nor at sunset, when all of the policies were thoroughly re-examined before being migrated into follow-on hardware. Instead, 99% of the time, firewall admins inherit their firewalls from someone else, and they lose sleep because they realize they've inherited a pile of spaghetti: barely human-readable policy repositories that could contain dozens or even hundreds of potential holes.
The solution involves organizational detective work, business process reverse-engineering, detailed documentation and regular tedious maintenance that are anathema to IT staff. Administrators can deal with that rigmarole if they must, but most would much rather focus on subnetting and spanning tree diameters. The firewall is a box of icky human compromise.
Armies of attackers, executive saboteurs
If you've never managed a firewall, it's easy to assume the task is similar to managing ACLs on any other network device. You have rules that identify traffic, and policies that take action on the traffic matching those rules. Firewalls, then, should be just another standard network configuration management task, not art and magic. If corporate IT policy blocks traffic and users don't like it, refer them to corporate IT policy. More often than not they discover they can work in compliance with policy.
On the other hand, in addition to external threats from armies of skilled -- perhaps even government-authorized -- attackers probing for unknown weaknesses, your external firewalls are also compromised from the inside by a stream of security exception requests. Many originate with execs who have their hearts in the right place: They want to grow the business. But some also come from top managers who possess a frustrating combination of political influence and limited security understanding. They will escalate to your manager and push back until finally, exasperated, you apply that One Special Exception that you'll lose some sleep over. Until you don't, once everyone has forgotten it's there.
Software to the rescue
Fortunately, the problem is universal, well understood and serious. Combined, those three issues virtually guarantee vendors see an opportunity to build security administration solutions. Firewall security manager products can act as security ninjas in a box, providing policy analysis, config cleanup, policy compliance reporting and even best-practice advice. Some even support traffic simulation and allow you to test what-if scenarios before you apply them. Almost all support the must-have feature of policy commenting.
Being able to store a quick summary of the original business justification, expected longevity and contact information for each policy can prevent today's temporary exceptions from becoming tomorrow's permanent vulnerabilities. It allows a team to collaborate. Network security administration is not just paying it forward to the unknown admin to whom you'll eventually pass the firewall. Best of all, you might even become a little less afraid of your firewall when it's all said and done.
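An added illustration of the commenting discipline described above (example code written for this page, not taken from the article or from any firewall manager product): each rule carries an owner, a business justification and, for temporary exceptions, an expiry date, and a small audit flags the exceptions that have outlived their justification, rules nobody documented, and any-to-any allows. The rule fields, the finding codes and the sample policy are all constructed for this example and do not follow any vendor's configuration schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Rule:
    """One firewall policy entry plus the annotations the article argues for.

    Field names are this example's own (hypothetical), not a vendor schema.
    """
    name: str
    src: str
    dst: str
    service: str
    action: str                      # "allow" or "deny"
    owner: Optional[str] = None      # who to call when the rule needs review
    justification: Optional[str] = None
    temporary: bool = False          # an exception rather than standing policy
    expires: Optional[date] = None   # required when temporary is True


@dataclass
class Finding:
    rule: str
    code: str      # "undocumented", "no-expiry", "expired" or "any-any"
    detail: str


def audit_rules(rules: List[Rule], today: date) -> List[Finding]:
    """Flag allow rules that lack an owner/justification, temporary exceptions
    that have no expiry or have passed it, and any-to-any allows."""
    findings: List[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules need no business justification
        if not r.owner or not r.justification:
            findings.append(Finding(r.name, "undocumented",
                                    "missing owner and/or business justification"))
        if r.temporary:
            if r.expires is None:
                findings.append(Finding(r.name, "no-expiry",
                                        "temporary exception with no end date"))
            elif r.expires < today:
                days = (today - r.expires).days
                findings.append(Finding(r.name, "expired",
                                        f"exception expired {days} days ago"))
        if r.src == "any" and r.dst == "any":
            findings.append(Finding(r.name, "any-any",
                                    f"allows any source to any destination ({r.service})"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per code, e.g. {'expired': 1, 'undocumented': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Constructed sample policy (not real infrastructure); addresses are RFC 5737
# documentation ranges and private space.
SAMPLE_RULES = [
    Rule("web-in", "any", "10.0.1.10", "tcp/443", "allow",
         owner="netops", justification="Public web server"),
    Rule("vendor-rdp", "203.0.113.7", "10.0.2.20", "tcp/3389", "allow",
         owner="j.doe", justification="Vendor support engagement",
         temporary=True, expires=date(2024, 3, 31)),
    Rule("exec-exception", "10.0.5.0/24", "any", "any", "allow",
         temporary=True),                       # the One Special Exception
    Rule("legacy-allow", "any", "any", "any", "allow", owner="unknown"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

# Fixed "today" so the sample audit is reproducible.
AUDIT_DATE = date(2024, 6, 1)


if __name__ == "__main__":
    results = audit_rules(SAMPLE_RULES, today=AUDIT_DATE)
    for f in results:
        print(f"{f.rule:15} {f.code:13} {f.detail}")
    print("summary:", summarize(results))
```

Run against the sample policy, the audit reports the vendor exception as expired, the executive exception as both undocumented and open-ended, and the legacy rule as an undocumented any-to-any allow, while the documented web rule and the default deny pass. The point is that the expiry and owner fields turn "who asked for this and can we remove it yet?" from organizational detective work into a query.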
About the author: Patrick Hubbard is a head geek and senior technical product marketing manager at SolarWinds with 20 years of technical expertise and IT customer perspective. His networking management experience includes work with campus, data center, HA/DR and storage networks, as well as with VoIP/telepresence and VDI in both Fortune 500 companies and startups in high tech, transportation, financial services and telecom industries.