While firewalls are widely deployed in more than 97 percent of enterprises today, firewall rulebases have grown at an alarming rate. The knowledge surrounding legacy rules dissipates over time, leaving enterprises with too many risky rules that remain unjustified.
At heart, the system tracks rules based on what the rule is doing, rather than its line number in the configuration (which changes every time new rules are added or deleted). This is perhaps the biggest reason why documentation is oftentimes inconsistent and incomplete. Performing a textual comparison of the rule before and after it has been modified does not capture the full story, but that is the extent to what is available from most change management systems.
One of the ABC’s of firewall rule management is to make sure that every rule that pokes a hole in the firewall’s security has been justified for a legitimate business purpose. For example, an average Cisco rulebase has an average of 1,325 rules according to researchers from the University of Notre Dame. Multiply the number of rules in a single firewall across enterprises with 10, 50, to more than 100 firewalls and the issue of frequent documentation is both a time consuming and daunting task that is easily trumped by the administrator’s need to resolve more pressing issues, such as troubleshooting network outages.
“Our consulting partners tell us that less than 20 percent of the clients they audit can demonstrate up-to date and complete documentation”, says Anjali Gurnani, vice president of business development, Athena Security. “It is scary to think that the original reason why certain rules are providing access to critical network systems and confidential data may no longer be known.”
For auditors, especially PCI QSAs, reviewing the documentation for each firewall rule is an ideal place to identify lax security controls, general rulebase neglect and other red flags that trigger the need for further investigation. For companies that wish to correct this deficiency in their security program, Athena’s Rule Tracker offers an easy way to set things right. Unlike elaborate systems that involve months of process re-alignment, Athena’s Rule Tracker recognizes that teams collaborate far more easily with spreadsheets. By using a spreadsheet approach and built-in intelligence to make the system highly user-friendly, Athena’s Rule Tracker is flexible enough to be used in any change process.
Rule Tracker compares two versions of a configuration and immediately identifies what changed so users can add missing documentation which is then automatically retained and available for reporting.
What Athena accomplishes for organizations is a convenient and simple way to certify what access is acceptable throughout the rule’s lifecycle. The benefits of using the Rule Tracker to facilitate documentation are:
* Device connections are not required to identify rule changes * Business justification history is retained in-system, so users can isolate missing information and add it incrementally * Users can generate spreadsheet reports, share with other stakeholders, and re-import documentation changes to the database * Support for mixed vendor network environments including Cisco, Check Point and Netscreen firewalls
Athena is offering the Rule Tracker to end users looking to comply with PCI DSS 1.1.5 and NERC R2.2, or for internal documentation and security reporting purposes. While the system is designed to keep documentation current on a perpetual basis, consultants will also find the tool a handy way to bring clients up-to-date on regularly scheduled intervals.
The Athena Firewall Rule Tracker is available immediately as a standalone tool and also as an add-on solution to its FirePAC product. Pricing starts at $250/firewall. For more information, please see http://www.athenasecurity.net/index.html.
About Athena Security
Athena offers infrastructure analysis tools that identify the precise relationship between firewall rules and network services in a single device or across a complex network. With a comprehensive focus on configuration data, Athena helps network and security engineers perform a "what-if" analysis that reduces the reliance on diagnostics and validation by ad.hoc testing. Over 300 companies turn to Athena products, Athena FirePAC and Athena Verify, for standardized and consistent automation and intelligence to reduce the time and effort required for policy management on network security devices. For more information see http://www.athenasecurity.net.
Anjali Gurnani Athena Security Phone: 630-629-0600 x21 [email protected]
Dan Chmielewski Madison Alexander PR for Athena Security Phone: 714-832-8716 [email protected]