
The Case for Automated Firewall Management

November 18, 2014

In my blog series on network segmentation, I discussed the need for segmentation, the Zero Trust and positive enforcement model, and why they are critical for improved network security and thwarting current and future threats. Zero Trust and positive enforcement can be summarized as only allowing traffic on the network that has a validated business purpose, limited to the authorized and authenticated source and destination.

Standing up a new service in a Zero Trust/positive enforcement environment is fairly simple, since the requirements of the service, and who needs what type of access from where, are usually well defined.

Migrating from a traditional network architecture to a segmented one is fairly easy, and so is adding a next generation firewall for additional visibility. Moving from a segmented network to Zero Trust and positive enforcement is not, because a large organization may run thousands of business applications, each of which has to be understood before its traffic can be permitted explicitly. This is particularly true of legacy applications that are not properly documented.

Automated firewall management tools, available from most major firewall vendors, address this problem. Their feature sets vary, but all of the major ones support migrating to a Zero Trust, positive enforcement architecture and provide rule-base analysis that finds unused objects and unused or overly permissive rules.

With an automated firewall management tool and next generation firewalls in place as segmentation devices, it is easy to craft rules based on the network’s current traffic. While this approach may initially permit traffic that should not be allowed, it gives the firewall administrator a baseline and blocks any new, unwanted traffic on the network. With this baseline, which can be created in a matter of days, the firewall administrator can work with service owners to document the need for a particular service and determine who is supposed to have access under which circumstances.

Granted, there are limitations to creating this baseline. Since the administrators rely on logs to build the rule-base, applications that only run monthly, quarterly or even yearly can be missed, depending on how long baseline data collection is allowed to run. However, given the large number of person-hours required to properly secure and migrate to the Zero Trust and positive enforcement model in a large enterprise, it is easy to justify the implementation of firewall management automation.
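The two activities described above, deriving a positive enforcement baseline from observed traffic and auditing the existing rule-base for unused or overly permissive rules, are shown together in the added example below. It is illustration code written for this post, not the output of any vendor's management tool. The log format, rule names, addresses and the "more than one wildcard field" heuristic are all constructed assumptions; the cadence table encodes the caveat that a baseline window shorter than an application's run interval will never see that application.

```python
"""Added example: derive a positive-enforcement baseline from firewall traffic
logs and audit an existing rule-base. All log lines, rules, field names and
thresholds below are constructed for illustration, not taken from a product."""
from dataclasses import dataclass
from datetime import datetime

# Constructed key=value traffic log (syslog-style); not any specific vendor's format.
SAMPLE_LOG = """\
2014-10-01T08:00:01 action=allow src=10.1.10.5 dst=10.2.20.10 proto=tcp dport=443 rule=R1
2014-10-01T08:00:05 action=allow src=10.1.10.6 dst=10.2.20.10 proto=tcp dport=443 rule=R1
2014-10-01T09:15:00 action=allow src=10.1.10.5 dst=10.2.30.15 proto=tcp dport=1433 rule=R2
2014-10-15T02:00:00 action=allow src=10.1.40.9 dst=10.2.30.15 proto=tcp dport=1433 rule=R2
2014-10-20T11:30:00 action=deny src=10.1.10.5 dst=10.2.50.1 proto=tcp dport=22 rule=DEFAULT
"""


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR, comma-separated hosts, or "any"
    dst: str
    proto: str  # "tcp", "udp" or "any"
    dport: str  # port number or "any"


# Constructed rule-base of the kind a legacy segmentation firewall might carry.
EXISTING_RULES = [
    Rule("R1", "10.1.10.0/24", "10.2.20.10/32", "tcp", "443"),
    Rule("R2", "any", "10.2.30.15/32", "tcp", "1433"),
    Rule("R3", "10.3.0.0/16", "any", "any", "any"),       # broad legacy rule
    Rule("R4", "10.1.99.0/24", "10.2.60.0/24", "udp", "514"),
]

# Run cadences (in days) a baseline window must cover to observe a job at least once.
CADENCES = {"monthly": 31, "quarterly": 92, "yearly": 366}


def parse_log(text):
    """Parse key=value log lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def build_baseline(events):
    """Aggregate allowed flows per (dst, proto, dport) into candidate rules.
    Each candidate keeps the exact set of sources seen and first/last sighting,
    which is what the administrator takes to the service owner for validation."""
    baseline = {}
    for ev in events:
        if ev["action"] != "allow":
            continue
        key = (ev["dst"], ev["proto"], ev["dport"])
        cand = baseline.setdefault(key, {"sources": set(), "hits": 0,
                                         "first_seen": ev["ts"], "last_seen": ev["ts"]})
        cand["sources"].add(ev["src"])
        cand["hits"] += 1
        cand["first_seen"] = min(cand["first_seen"], ev["ts"])
        cand["last_seen"] = max(cand["last_seen"], ev["ts"])
    return baseline


def baseline_to_rules(baseline):
    """Emit one host-scoped rule per candidate; sources are listed, never widened."""
    rules = []
    for n, ((dst, proto, dport), cand) in enumerate(sorted(baseline.items()), start=1):
        rules.append(Rule(f"BL{n}", ",".join(sorted(cand["sources"])), dst, proto, dport))
    return rules


def unused_rules(rules, events):
    """Names of rules that matched no traffic during the observation window."""
    hit = {ev["rule"] for ev in events}
    return [r.name for r in rules if r.name not in hit]


def overly_permissive_rules(rules, max_any=1):
    """Constructed heuristic: flag rules with more than `max_any` wildcard fields."""
    return [r.name for r in rules
            if sum(f == "any" for f in (r.src, r.dst, r.proto, r.dport)) > max_any]


def observation_window_days(events):
    """Length of the log window in whole days."""
    stamps = [ev["ts"] for ev in events]
    return (max(stamps) - min(stamps)).days


def missed_cadences(window_days):
    """Cadences longer than the window: jobs on these schedules may be absent from the baseline."""
    return [name for name, period in CADENCES.items() if period > window_days]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for r in baseline_to_rules(build_baseline(evs)):
        print("candidate:", r)
    print("unused:", unused_rules(EXISTING_RULES, evs))
    print("overly permissive:", overly_permissive_rules(EXISTING_RULES))
    days = observation_window_days(evs)
    print(f"window {days} days; may miss:", missed_cadences(days))
```

On the constructed log the script proposes two host-scoped candidates (HTTPS to 10.2.20.10 from two hosts, SQL Server to 10.2.30.15 from two hosts), reports R3 and R4 as unused and R3 as overly permissive, and, because the window spans only 19 days, warns that monthly, quarterly and yearly jobs could be missing from the baseline. The candidates are deliberately kept at individual hosts rather than summarised into subnets; widening them is a decision for the service owner review, not for the tool.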

The benefits outlined above, combined with compliance reporting, change management, and reporting on unused rules and objects, make the case for a firewall automation tool easy; it is simply a requirement.
