Attacks/Breaches

4/30/2009
03:04 PM
New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping

Replacing one vendor's firewall with another risks network disruption and could open security holes, leading many organizations to stick with the same firewall maker

Many organizations are loath to swap out one vendor's firewall for another because the changeover could disrupt the network and open new security holes. It's less risky to stick with a single firewall vendor, so often that's just what they do.

"There is definitely an over-reluctance to changing firewall vendors due to fear of complexity of translating rules from one product to another," says John Pescatore, vice president and research fellow with Gartner. "Actually, a lot of the fear is just of touching the firewall policy at all, as many have added rules over five- to 10 years, and [organizations] aren't actually even sure what policy is running anymore."

Pescatore says Gartner's clients are typically more afraid of disrupting business operations than of inadvertently introducing new security holes with the new policies they implement. "But we tell them they should be worried: A lot of firewall policies have rules that actually never get triggered and lots of exceptions baked in that no one remembers are there," he says.

Moving from one vendor's firewall to another involves major hurdles. First, different vendors run different firewall operating systems, so a policy written for one vendor may not translate to another. A rule from one vendor's firewall may not even apply to another one, and often the migration process requires starting all over from scratch, says Chris Odell, information security engineer for managed security services provider Solutionary, which performs such tasks for its services customers.

"First, you have to figure out their firewall and evaluate all of the rules to make sure those rules are even applicable to the new firewall," Odell says. "Oftentimes you do reviews and find tons of stuff that doesn't need to be in there -- like a lot of ACLs [access control lists] that are not applied to any of the interfaces," so it makes sense to clean up the old set of rules before rebuilding new ones for a new router, he says.

Even as security vendors try to lure new customers with incentives in this tight economy, it's often just too costly resource-wise for an enterprise itself to perform all of the manual configuration, testing, and other steps involved in changing firewall vendors, experts say.

Tougher PCI enforcement on auditors, combined with organizations' need for more firewall capacity without a more complicated configuration process, has driven firewall management vendors to offer better tools for the painstaking work of rebuilding firewall rules from one platform on another.

Now that PCI has cracked down and is auditing the auditors, auditors can no longer just ask if a company is hardening its firewall or has set up a DMZ, says Courtlend Little, a service and solutions architect for Solutionary. "How does an auditor verify that? It's impossible to know if [an organization] is compliant unless they have a tool," he says.

Vendors like AlgoSec, RedSeal, SecurePassage, and Tufin offer tools that assist in the migration from one firewall technology to another, and other vendors are readying new features for their products to help ease the pain of changing firewall vendors. Athena Security on Monday will release a plug-in for its FirePAC firewall management tool that helps preserve existing firewall policies from one vendor's platform to another, and verifies them. Also in May, Matasano Security will add a free request and approval workflow function to its Playbook firewall management tool that vets policy changes before they are applied to a firewall, and provides an audit trail of the changes so that when a company ports to a new firewall, it can determine the original requirement for the rule.

"It would help them understand what the original requirement for the rule was so they can ensure they fulfill it when they port it over, and will help them remove rules they don't really need anymore," says Max Caceres, director of research and development for Matasano.

Athena Security's new plug-in for its FirePAC product assesses and validates the conversion of firewall rules before they go operational, identifying any gaps or problems and offering solutions. The new tool can drill down to how Network Address Translation works with the firewall ACLs, for instance, says Anjali Gurnani, vice president of business development for Athena Security.

"It compares the original version [of the firewall] to the target version to identify any gaps that are high priority," Gurnani says. Firewall vendors Cisco, Check Point, and Juniper all have some policy migration tools, but they don't provide a way to validate changes, she says. "None look at the comprehensive behavior of the firewall and all of the policies," she says.

Gartner's Pescatore says it helps to enlist the firewall vendors themselves when changing firewall brands. "We tell Gartner clients to try to negotiate free policy-conversion service into any firewall deal when they are switching," he says. "And conversion complexity should only be a major impediment when they have large numbers -- more than a dozen or so -- of different firewall policies out there."

Firewall migration tools today that help with rules/policy conversion aren't foolproof, either, says Arif Faiz, director of network security for FishNet Security, an MSSP. "There is a lot of manual oversight involved, and the firewall features such as AV [antivirus] and content filtering of one vendor might not be fully supported by the other," Faiz says. That's where the manual process comes in.

FishNet's professional services group runs FirePAC in its client engagements, and is looking to the new plug-in -- which is priced at $1,000 per firewall for licensed FirePAC users -- to help it analyze firewall rules and prevent misconfiguration of firewalls. "The firewall security policy can be checked across multiple vendors [and] allows for 'before' and 'after' health checks," Faiz says.
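The "before" and "after" health check that Faiz describes, and the source-versus-target gap analysis Gurnani describes earlier, boil down to replaying the same traffic through both policies and diffing the verdicts. The following is an added example written for this article, not Athena's, FishNet's or any vendor's code; it assumes a simplified first-match policy model (source CIDR, destination CIDR, destination port, implicit final deny) and uses constructed sample rules in which the converted policy has lost a deny rule.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # CIDR, e.g. "192.0.2.0/24"
    dst: str      # CIDR
    dport: int    # 0 means any destination port
    action: str   # "allow" or "deny"

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def evaluate(policy, flow):
    """First-match evaluation with an implicit final deny (assumed model)."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport in (0, flow.dport)):
            return r.action
    return "deny"

def diff_policies(source, target, flows):
    """Return (flow, source_verdict, target_verdict) for every flow whose
    verdict changed after conversion. A deny->allow change is the gap that
    opens a hole; allow->deny is the one that breaks business traffic."""
    return [(f, evaluate(source, f), evaluate(target, f))
            for f in flows if evaluate(source, f) != evaluate(target, f)]

# Constructed source policy: a specific deny sits above a broad allow.
SOURCE = [
    Rule("0.0.0.0/0", "10.0.1.10/32", 443, "allow"),
    Rule("192.0.2.0/24", "10.0.1.0/24", 0, "deny"),
    Rule("0.0.0.0/0", "10.0.1.0/24", 22, "allow"),
]
# Constructed target policy: the conversion dropped the deny rule.
TARGET = [
    Rule("0.0.0.0/0", "10.0.1.10/32", 443, "allow"),
    Rule("0.0.0.0/0", "10.0.1.0/24", 22, "allow"),
]
# Constructed test flows; in practice these come from logs or a traffic matrix.
FLOWS = [
    Flow("198.51.100.7", "10.0.1.10", 443),
    Flow("192.0.2.5", "10.0.1.20", 22),
    Flow("198.51.100.7", "10.0.1.20", 22),
]

if __name__ == "__main__":
    for flow, before, after in diff_policies(SOURCE, TARGET, FLOWS):
        print(f"GAP {flow}: before={before} after={after}")
```

Real migrations also have to account for NAT, zones and per-rule feature options such as AV or content filtering, which this model deliberately leaves out; flows that differ there still need the manual review Faiz mentions.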

Faiz says one of the biggest problems with firewall migration, though, is that many organizations just don't regularly audit their firewalls. "There is no process built in the vendor migration tools to account for unused objects/resources and rules," he says. "It is imperative to clean up the rulebase before migration."
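The cleanup that Odell and Faiz both call for (ACLs not applied to any interface, rules that never trigger, objects nothing references) is mechanical enough to script before any conversion is attempted. The following is an added example, not code from any vendor named in the article; it runs over a constructed, vendor-neutral rulebase export and assumes that interface bindings and per-rule hit counters are available from the existing firewall.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    acl: str      # ACL / policy the rule belongs to
    name: str
    src: str      # address object name
    dst: str      # address object name
    service: str
    hits: int     # hit counter from the running firewall

# Constructed sample export: which ACL is bound to which interface, the
# address objects that exist, and the rules themselves.
INTERFACE_BINDINGS = {"outside": "ACL_OUTSIDE_IN", "dmz": "ACL_DMZ_IN"}
OBJECTS = {"WEB_SRV", "DB_SRV", "OLD_MAIL", "ANY"}
RULES = [
    Rule("ACL_OUTSIDE_IN", "web-https", "ANY", "WEB_SRV", "tcp/443", 120443),
    Rule("ACL_OUTSIDE_IN", "legacy-ftp", "ANY", "WEB_SRV", "tcp/21", 0),
    Rule("ACL_DMZ_IN", "web-to-db", "WEB_SRV", "DB_SRV", "tcp/3306", 88012),
    Rule("ACL_LEGACY", "mgmt-telnet", "ANY", "DB_SRV", "tcp/23", 0),
]

def unbound_acls(rules, bindings):
    """ACLs that exist in the config but are applied to no interface."""
    bound = set(bindings.values())
    return sorted({r.acl for r in rules} - bound)

def never_hit(rules):
    """Rules whose counter is zero. Caveat: only meaningful if the counters
    have run through a full business cycle (month-end jobs, DR tests) since
    they were last cleared, otherwise a zero is not proof the rule is dead."""
    return [r.name for r in rules if r.hits == 0]

def unreferenced_objects(rules, objects):
    """Address objects no rule uses as source or destination."""
    used = {r.src for r in rules} | {r.dst for r in rules}
    return sorted(objects - used)

def hygiene_report(rules, bindings, objects):
    return {
        "unbound_acls": unbound_acls(rules, bindings),
        "never_hit_rules": never_hit(rules),
        "unreferenced_objects": unreferenced_objects(rules, objects),
    }

if __name__ == "__main__":
    for finding, items in hygiene_report(RULES, INTERFACE_BINDINGS, OBJECTS).items():
        print(f"{finding}: {items}")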


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
