
Warning: The Heat Is On For Your Firewall Pro

By ISBuzz Team | December 20, 2013 | Updated: July 3, 2024 | 7 Mins Read

It is clear that enterprises are going through a significant shift at the moment, as trends such as virtualisation, cloud computing and BYOD take hold. As a result, the business leader’s expectation of IT has shifted and the subsequent pressure on the network team to respond to ever-increasing business changes immediately is huge.

What you, as a senior manager, may not realise is that there are also a great number of common but nerve-wracking snags – from PCI compliance to the constant network access requests – that leave your firewall professionals pulling out their hair. The consequences of the daily challenges faced by firewall admins can have a significant impact on your business, resulting in downtime, increased costs and harmful security breaches.

If a network isn’t managed effectively, ‘black holes’ can easily appear in the network security policies that are supposed to be protecting confidential data – business, financial, personal, and most significantly customer information. So what are some of the hidden problems your network professional is facing every day?

The chief complaints are a result of the Five ‘Cs’:

Complexity

Enterprise organizations today deploy firewalls with as many as tens of thousands of rules. Take this case as an example: the midnight Saturday policy update process didn’t go to plan. This meant your firewall pro spent the weekend sorting through a bloated rule base to ascertain why the policy wasn’t updated, only to find out it was simply a slight overlap of rule 847 with rule 73. Or possibly the network firewall rule bases have become so long that erroneous, obsolete and overlapping rules have caused unnecessary risk or degraded hardware performance because of redundant processing and hardware drain.

Communication

A lack of communication between network security and application teams can cause the firewall pro a great deal of stress. Let’s say that the firewall changes on Monday didn’t work when the policies were sent on Saturday because someone else’s changes offset the change made. That leaves the firewall pro with no clue as to who made a change, what the change was or, for that matter, why they made it. Added to this, his predecessor had a different way of managing changes that was virtually indecipherable to anyone else, with no reference to the original request or business unit. Making the wrong move could cut off access to a business-critical application like a CRM or SAP.

Compliance

Ensuring your organization complies with regulations can be a headache for any professional in any industry. But for your firewall pro, it’s a particularly bad migraine. To please the auditors, permissive rules (rules with ‘any’ and ‘accept’ or ‘any any accept’) need to be rewritten because their security implications make them unacceptable. This means the firewall pro is going to have to set up more specific rules every time.

Change

And of course, all this work is being performed on a very tight time schedule. The firewall pro has got a list as long as his arm and he can’t tell if traffic from a new rule change is already allowed so he adds it to the end of the list…and forgets it. Alarm bells should be ringing by now – this small mistake could open up a gap in your security network and who knows what might get in as a result. You’re probably not helping either – do you really need network access RIGHT now?
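The checks described under Complexity, Compliance and Change, as an added example (not from the article or any vendor's product): a first-match audit of a small constructed rule base that flags redundant, shadowed and permissive rules, and reports how a proposed rule is already handled before it gets appended. The `Rule` model, the function names and the addresses are assumptions for illustration; coverage is only detected against a single earlier rule, not a union of several.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    num: int
    src: str            # CIDR; ANY means "any"
    dst: str
    ports: tuple        # inclusive (low, high) destination ports
    action: str         # "accept" or "deny"

def covers(outer, inner):
    """True if every packet `inner` matches is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def overlaps(a, b):
    """True if at least one packet matches both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def audit(rules):
    """First-match audit: list of (rule_num, finding, earlier_rule_num or None)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "accept" and ANY in (rule.src, rule.dst):
            findings.append((rule.num, "permissive", None))
        hit = next((r for r in rules[:i] if covers(r, rule)), None)
        if hit:  # an earlier rule already decides all of this rule's traffic
            kind = "redundant" if hit.action == rule.action else "shadowed"
            findings.append((rule.num, kind, hit.num))
    return findings

def decide(rules, request):
    """How the rule base already treats `request`: (verdict, deciding_rule_num)."""
    for r in rules:
        if covers(r, request):
            return (r.action, r.num)
        if overlaps(r, request):
            return ("partial", r.num)   # only part is decided here: review by hand
    return ("no-match", None)

# Constructed sample rule base (documentation address ranges, not from the article)
RULES = [
    Rule(73, "10.0.0.0/8", "192.0.2.0/24", (443, 443), "accept"),
    Rule(120, "10.1.0.0/16", "198.51.100.10/32", (1433, 1433), "deny"),
    Rule(847, "10.20.0.0/16", "192.0.2.0/24", (443, 443), "accept"),
    Rule(848, "10.1.2.0/24", "198.51.100.10/32", (1433, 1433), "accept"),
    Rule(900, ANY, "203.0.113.0/24", (0, 65535), "accept"),
]
```

Running `decide` on a requested change before touching the rule base shows whether the traffic is already accepted, already denied, or only partly decided by an earlier rule, which is the question the appended-and-forgotten rule never answers.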

Connectivity

Going back to the changing environment of the enterprise, consider how difficult it is for your firewall pro to manage access to multiple applications sourced from multiple vendors that now make up complex enterprise IT networks. Application connectivity is the name of this particular beast, and it’s a big one. Your firewall pro probably spends a huge amount of his time deploying new applications, updating access to servers and other components, decommissioning applications, and diagnosing connectivity problems with applications in the network. Lacking automated tools, he has to analyse long lists of access rules on all the multiple firewalls and routers to do this. And most of the application owners don’t ‘speak firewall’, meaning frequent misunderstandings lead to errors, wasted time, and even service disruptions. When things go wrong, both the application and security teams lack visibility into the correlation between the firewall policies and the application, resulting in longer problem resolution times.

The heat is on

Think all that’s bad? Consider this: it’s 3pm and your firewall pro’s manager wants to know if all 50 firewalls (with 1000 rules) from multiple vendors across six countries are in compliance with seven distinct regulations from different countries that contradict each other. He wants to know by the end of the day because there is a board meeting.

It’s time to raise a glass to our noble firewall professional friends. They deal first-hand with the never-ending network complexity, and because their triumphs are measured in disasters avoided, they are rarely, if ever, acknowledged.

So, how can you ease the pressure and eliminate unnecessary downtime, costs and security breaches?

Orchestrate your network operations

It’s no longer enough to rely on standalone firewall management to effectively segment your network without disrupting business operations. You need to ensure that all of your devices work in concert.

Security Policy Orchestration is your most efficient response to the snags caused by the 5 C’s. Through central, automated control of your network operations including routing, NAT, security policies, load-balancing, business applications and change processes, you can finally gain back control of your network and deploy a proactive approach to network security management.

Orchestration enables you to:

– Simplify complexity by automatically modelling your network and identifying weak spots based on your network security policies. It also streamlines problem resolution through firewall rule design and automated provisioning.

– Improve communication among network teams and across organisational siloes by automatically and intelligently translating business connectivity requirements into network terms, and providing a standard platform for collaboration in implementing network security changes.

– Maintain continuous compliance with corporate and industry standards by automatically and regularly comparing changes to your network device configurations against predefined policies, and alerting you to possible infractions.

– Alleviate the pains and pitfalls of change by standardising change processes, automating change implementation, and alerting the security team to dangerous configuration changes before the business is exposed to a security crisis.

– Ensure connectivity by monitoring your network, all your network devices, and your applications in real time and alerting you to problems.

So take time-intensive, manual tasks off your firewall pro’s hands – like manually entering command lines for each change, tracking and authorizing changes, cleaning up unused security rules, and preparing for audits – and free up his/her time for more important tasks. You’ll see improved security and better business agility for your business.

Orchestrating network security can return direct cost savings to your business and help ring-fence the security network by addressing the pain points your firewall pro faces every second of every hour, every day.

So before you add more headaches to the daily workload of your hard-working firewall pro, don’t forget the pressure he’s under to eliminate risk from your business. Help him to help you and your business.

About Tufin Technologies

Tufin™ is the leading provider of Security Policy Management solutions that enable companies to cost-effectively manage their firewall, switch and router policies, reduce security and business continuity risks, and ensure Continuous Compliance with regulatory standards. The award-winning Tufin Security Suite provides security teams with powerful automation that slashes the time and costs spent managing change and successfully passing audits. Founded in 2005, Tufin serves more than 1,200 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Palo Alto Networks, Fortinet, F5, Blue Coat, McAfee and BMC Software, and is known for technological innovation and dedicated customer service.

For more information visit www.tufin.com


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
