Firewall management today and tomorrow
What features are real game changers when it comes to firewall management, and how far along is the market in the development cycle?
A brief history of firewall management
Firewall eulogies are premature. Firewalls have been at the cornerstone of network security for almost 20 years and will probably remain so until a paradigm shift occurs. The first commercial firewall, SEAL, was introduced in the early 90’s and was managed through the vi text editor. The Visas firewall, by Bob Braden, was the first firewall with a GUI. Check Point’s Firewall-1 3.0 administration tool (shown below) demonstrates several important concepts including a rule base with an object-level abstraction and support of one policy across many firewalls.
This was 1996, 13 years ago. It’s amazing to see how similar it is to contemporary firewall administration tools; it seems that very little progress has been made. In contrast, core firewall capabilities have been significantly extended. Starting off as simple packet filters, they quickly merged with routers to perform NAT and went on to do IPSEC VPNs, content and URL filtering, SSL VPNs, antivirus and antispam. Recently, firewalls have merged with IPS and started to provide true application-level filtering and user access.
Firewall management tools were extended in parallel to provide configuration utilities for these new capabilities. But there was no conceptual breakthrough. Firewall management functionality simply followed the firewall evolution.
Automating repetitive tasks
Why haven’t the firewall vendors’ management tools evolved in any significant way? Perhaps it’s because the existing tools are sufficient. To answer this question let’s examine what really needs to be managed on a firewall.
In an ideal world, a firewall would be self-maintained, just like traffic lights throughout the city. Set it up once and forget about it, right? Unfortunately, no. Unlike streets, networks are perpetually changing – quickly. Security threats are constantly evolving and so are business requirements. For example, networks are added, servers are relocated, new services are required, users need access to additional services, etc. Firewall administrators are burdened with the monumental task of adapting firewalls to cope with the constant changes.
With today’s management tools, each change requires a lot of repetitive work that needs to be done just right in order to avoid threats to security or business continuity. We don’t expect firewalls to be self maintained but we sure would like the management tools to automate repetitive tasks as much as possible.
Security vs. business continuity
Before looking into the future of firewall management I’d like to point out another weakness of today’s management tools. To do that, let’s recall what a firewall actually does. It’s common knowledge that firewalls provide network security by keeping the bad guys out. Firewall policies are designed to stop malicious traffic and allow all other traffic or, according to the white list approach, allow required traffic only.
In any case, firewalls must allow business to continue while providing security. It’s a fine balance between two conflicting forces: patching a security hole could disrupt a business-critical service while allowing another application to communicate could pose a security hazard. Firewalls have always been conceived as security devices and managed by security administrators. But they also enable business connectivity. For example, when a user needs mail access, that’s a matter of business connectivity – not security. If he has problems with mail access, it’s a question of business continuity. But this business enablement function of firewall policies has been treated as a side-effect rather than something inherently critical. This fact is apparent in the corresponding inadequacy of today’s management tools.
But it goes much further. Organizations have developed skewed business structures and processes to match this outdated perception. Security administrators are frequently responsible for business connectivity and continuity. Ideally, security should be managed by security experts and business systems by systems experts. It is ridiculous to expect security administrators to handle both, but today’s firewall management tools just don’t support this separation of roles.
The future of firewall policy management
To summarize, we’ve seen two areas that need improvement in firewall management systems: automation of repetitive tasks and the ability to separate and enhance the handling of the business aspects of security. Here’s my vision of tomorrow’s firewall management system:
- The process starts with application and project owners submitting access requests.
- A technical person adjusts the requests and translates them to low-level implementation details using automatic design tools.
- A security person approves or denies the request based on automatic risk analysis and a compliance report.
- Requests are implemented directly or queued for a service window.
- Business ownership is maintained throughout a rule’s lifecycle and when it expires or becomes unused, the original owner is contacted.
- This workflow can be customized according to the organization’s processes, and the SLA is enforced end-to-end.
- Everything is archived for accountability and auditing.
- Business continuity rules are defined and enforced to eliminate downtime.
- Application owners have a console to analyze connectivity issues and, in most cases, realize that they are unrelated to the firewall and network – to stop the drain on firewall administrators’ time.
- Managers can get a quick understanding of the big picture through a dashboard with graphs, statistics and drilldowns.
What do we gain from a firewall management system like this? Well, once the process is automated, it is faster – we save both time and resources. Automation also helps to reduce mistakes, thereby improving service quality. Security personnel is freed up to think about security and architecture and so security is enhanced. Application owners get their own management and monitoring console. Managers enjoy better visibility and control over what’s going on and security engineers have fewer emergencies and leave the office at 5pm sharp – and they don’t receive text messages later on that evening.
Summary
If you are wondering how long it will take for something like this to become available, you may be surprised. This is not science fiction; it’s here now, not through the firewall vendors but through independent vendors specializing in firewall and network management systems for the enterprise environment.
The technology is still evolving and there are many improvements on the way, but systems like this are already available and in production today. This could well be the long anticipated step forward for firewall management. Enterprises who adopt this new methodology early on will gain an edge over their competitors and participate in shaping both the process and the technology.