The Case for Automated Firewall Management
In my blog series on network segmentation, I discussed the need for segmentation, the Zero Trust and positive enforcement model, and why they are critical for improved network security and thwarting current and future threats. Zero Trust and positive enforcement can be summarized as only allowing traffic on the network that has a validated business purpose, limited to the authorized and authenticated source and destination.
Standing up a new service in the Zero Trust/positive enforcement environment is pretty simple, since the requirements of the services and who needs what type of access from where, are usually well defined.
Migrating from traditional network architecture to segmented network architecture is fairly easy. Even implementing a next generation firewall for additional visibility is fairly easy. However, moving from a segmented scenario to Zero Trust and positive enforcement is not that easy, since there are thousands of potential business applications in large organizations, making it very difficult. This is particularly the case with legacy applications that are not properly documented.
Automated firewall management tools, available from most major firewall vendors, can be the solution to the problem. These tools offer a variety of features, but all of the major ones allow migrating to network architecture with Zero Trust and positive enforcement, and rule-based analysis that looks for unused objects and unused or overly permissive rules.
With the help of an automated firewall management tool and next generation firewalls in place as segmentation devices, it is easy to craft rules based on the network’s current traffic. While this approach may allow traffic that should not be permitted, it gives the firewall administrator a baseline, and would block new, unwanted traffic on the network. With this baseline, which can be created in a matter of days, the firewall administrator can work with service owners to document the need for a particular service and determine who is supposed to have access under which circumstances.
Granted, there are limitations to creating this baseline. Since the administrators are relying on logs to document the rule-base, applications that only run monthly, quarterly or even yearly could be missed, depending on how long baseline data collection is allowed to run. However, given the large amount of human hours required to properly secure and migrate to the Zero Trust and positive enforcement model in a large enterprise, it is easy to justify the implementation of firewall management automation.
The benefits outlined above, combined with compliance reporting, change management, and reporting on unused rules and objects, make the case for a firewall automation tool easy; it is simply a requirement.