When it comes to much-discussed IT topics, this one certainly doesn't make the list – but it should. In fact, it's one of the most manually intensive, costly aspects of managing almost any network infrastructure and requires a high level of expertise to get right. Furthermore, make a single mistake and applications get cut off, transactions are not processed, and management consoles quickly go from green to red. The topic here is firewall management.
Though the average firewall holds thousands of rules, more complex environments may hold ten times that many. Because of this complexity, most organizations make what should be a simple firewall change and then hope for the best—that applications and remote offices don't get cut off and that customer transactions continue to flow. Unfortunately, it doesn't matter which firewall vendor you choose — Cisco, Juniper, CheckPoint, Fortinet, IBM/ISS Linux, or Nortel — these management complexities are true across all major systems. It can take, on average, about three hours of testing and analysis to implement a single rule change. Multiply that by three to four regular firewall changes a day for a small company to tens of changes a day for larger enterprises. Then, multiply that by five, 10, or 100 actual firewalls and you begin to see the magnitude of the management burden.
Organizations must put into place several best practices that make it possible to quickly review, model, and test any firewall changes before they're implemented. Unfortunately, that's easier contemplated than put into practice. Why? It's a challenge to keep the network expertise necessary for successful, long-term, sustainable firewall management. Employees naturally shift positions and job roles as they're promoted or leave the company. As they leave, so does their understanding of the complex matrix of firewall rules. And the older your network, the more challenging this becomes as years of firewall rules layer on top of one another.
These challenges are steep enough, even in a company that has managed to put into place good change control procedures. But most companies have different network segments using firewalls from different vendors and they're rushed to make changes to solve the business need of the day. This complexity is amplified by different geographic regions and divisions managing their networks in their own way. Even companies that have good change management procedures in place can find that they've expend too much labor getting there, and made too many mistakes that jeopardize both availability and security.
Here are some best practices that will help streamline your firewall management:
Accurate Topology. The first step is to get a clear picture of your network by creating an accurate representation of your network topology. Though this used to be a challenge, many tools are available now that actually will automate much of this task. As the old business maxim goes, you can't manage what you can't measure. You need to take these snapshots often.
Centralized Rule Management. Whether it's a change management database or a tool designed specifically to manage firewall rules centrally, you need a “single source of truth” where all of your rule sets are stored and managed. This not only simplifies management, but also protects against employees leaving and taking your policy configuration expertise with them. With this repository in place, you'll also be assured that you're implementing all of your firewall policies consistently throughout the organization.
Test Before Implementing. To avert potential business downtime, you should have a rigorous and meticulous change-request and review process in place. Each change must be scrutinized to determine what business applications and processes are dependent on the rule to ensure there's no disruption of service once implemented. Ideally, for this step, you should consider using modeling software that will enable you to test these changes in a staged environment, before they're made on production systems. Some of these modeling systems enable users to translate high-level business policy change requests into device-level instructions that provide a simple representation of complex policies and networks. The goal is to simplify complexity, and strip out human error.
Don't think of these best practices as one-time events. Rather, these must be viewed as a continuous set of processes for network and application discovery and firewall rule management. Because of their complexity, rule changes can't be tested adequately in the lab. When testing a new rule change, your network becomes vulnerable. It's like a balancing act without a safety net, until the rule is verified as correct. Before any proposed network changes are set, each should be tested as realistically as possible, so network administrators can spot potential trouble areas.
Managing and modeling your network firewalls rules in this way brings a tremendous number of benefits. First, by streamlining the time-consuming and often error-prone processes, from an estimated 30 hours a day to a few minutes, small teams now can manage a vast number of firewalls, no matter how many different vendors' products are used in their network. What's more, application availability is improved, and costly mistakes that freeze transactions nearly are eliminated.
When new attacks surface, and they always do, it's much more straightforward to make on-the-fly firewall changes to block or at least mitigate the risk of the attack — without the worry of affecting the network negatively. And with today's rapidly moving threats, organizations no longer have the luxury of days or weeks to push out changes needed to secure applications. These changes must be completed accurately within minutes. The only way to get there is to have these best practices in place, and model and test any and all changes to your firewall rule sets. It will cut your infrastructure management costs dramatically, and even heighten your security along the way.
