But with compliance pressure mounting and budgets shrinking, the relatively young firewall auditing and management market has been quietly catching fire as a way to get a handle on firewall policies and to automate a traditionally laborious and error-prone process.
"There are tens of thousands of Cisco firewall rules," says Jody Brazil, Secure Passage president and CTO. And that's just for Cisco firewalls -- organizations with a mix of vendors' firewalls have an even harder time tracking policies and how they interact, and the mix of functions in today's firewalls (think IPS) further complicates configuration. "The complexity makes it impossible to understand what you've got deployed in the environment," Brazil says. "People are failing audits."
Misconfigured firewalls turn up in most data breach investigations of victimized networks -- in as many as 80 percent, according to a newly released Forrester Research report that cites data from PCI auditing firms and the credit card brands.
The danger of a misconfigured firewall or the inability to track changes, of course, is a hole left open to the network either because it has been overlooked or because one policy change inadvertently conflicted with another. "Any rogue firewall admin can give himself or herself access," says John Kindervag, a senior analyst with Forrester.
Enterprises, meanwhile, are finding auditors cracking down on firewalls, looking for more detailed information about their policies and change management. The Payment Card Industry Data Security Standard (PCI DSS) Requirement 1.1.6 specifically calls for a review of firewall and router rule sets at least every six months. That PCI requirement is the biggest driver for enterprises adopting firewall auditing tools, Kindervag says. They need the tools because they haven't properly maintained and managed their firewall rule sets, which are "now too unwieldy to deal with," he says. Forrester is seeing an increase in the adoption of these tools, he says.
Todd Ferguson, enterprise information security architect for Raymond James, which runs Secure Passage's FireMon auditing tool, says firewall audits used to be just a "checkbox," but no more.
"Auditors are more technical now, and more detailed, looking down to the policy change management information of what went with what, who owns it, when was it [set, etc.]," Ferguson says. "We had ended up with three areas for storing [firewall] policy...It was a challenge to keep them updated and in sync."
Ferguson says the FireMon auditing tool includes a rule-writing scanner that keeps policies "in good condition." A workflow function, tied to the "who" behind each policy or rule, would be helpful as well, he says. Secure Passage recently rolled out version 5.0 of its FireMon product, which, among other features, documents the life cycle of a rule and provides a PCI compliance framework.
Firewall auditing tools also give IT and network security teams a way to put some of the policies back into the hands of the business side. "[Before] at the end of the day, my name was on every single firewall policy. But these tools are letting me put the ownership back on the business," Ferguson says.
So if the finance group needed a port opened for a Bloomberg feed, it would have to justify the rule; once the feed contract was up and the group no longer needed access through that port, it would have to justify keeping the rule open, he says.
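The two failure modes the article describes -- one policy change silently overriding another, and a rule outliving the business justification that got it opened -- are what a rule-set review is meant to catch. The following is an added example, not code from FireMon, Tufin or any other vendor named here: a small Python audit over a constructed first-match rule base. The rule names, CIDRs, ports, owners and dates are made up, and the check assumes TCP-only rules matched on source, destination and destination port.

```python
"""Toy firewall rule-set audit: shadowed/redundant rules and expired justifications.

Added example; not the code of any product discussed in the article.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)  # inclusive port range meaning "any destination port"


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    ports: Tuple[int, int]      # inclusive destination port range (TCP assumed)
    owner: str                  # business owner who justified the rule
    expires: Optional[date]     # end of the justification, None if open-ended


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """In a first-match rule base, a rule fully covered by an earlier rule never fires.

    Returns (rule, earlier rule, kind): 'conflict' when the actions differ
    (the later rule is silently overridden), 'redundant' when they agree.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break  # report only the first rule that shadows it
    return findings


def find_expired(rules: List[Rule], today: date) -> List[str]:
    """Rules whose business justification ran out before `today`."""
    return [r.name for r in rules if r.expires is not None and r.expires < today]


def audit(rules: List[Rule], as_of: str) -> dict:
    """Run both checks as of an ISO date string, e.g. '2010-01-01'."""
    today = date.fromisoformat(as_of)
    return {"shadowed": find_shadowed(rules), "expired": find_expired(rules, today)}


# Constructed sample rule base in first-match order (not a real policy).
RULES = [
    Rule("core-https",   "permit", "10.1.0.0/16", "192.0.2.10/32",   (443, 443),   "netsec",  None),
    Rule("sales-https",  "permit", "10.1.5.0/24", "192.0.2.10/32",   (443, 443),   "sales",   None),
    Rule("guest-block",  "deny",   "10.2.0.0/16", "0.0.0.0/0",       ANY_PORT,     "netsec",  None),
    # Finance feed rule added below the guest block; port and dates are invented.
    Rule("finance-feed", "permit", "10.2.3.4/32", "198.51.100.7/32", (8194, 8194), "finance", date(2009, 6, 30)),
    Rule("web-http",     "permit", "10.3.0.0/16", "203.0.113.0/24",  (80, 80),     "web",     date(2010, 12, 31)),
]


if __name__ == "__main__":
    report = audit(RULES, "2010-01-01")
    for rule, by, kind in report["shadowed"]:
        print(f"{kind}: {rule} is fully covered by earlier rule {by}")
    for rule in report["expired"]:
        print(f"expired: {rule} has no current business justification")
```

Run as-is, the audit reports sales-https as redundant with core-https, finance-feed as a conflict with guest-block (the deny above it means the finance rule never matches, exactly the kind of overlooked change the article warns about), and finance-feed as expired. A production analyzer has to go much further -- protocol and source-port matching, object groups, NAT, negation, and partial overlaps rather than full coverage -- but the containment test is the core of every shadowing check.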
Ruvi Kitov, CEO for Tufin Software Technologies, which he and other ex-Check Point Software engineers founded, says he and his colleagues saw a need for firewall management. "PCI is a huge driver for customers who don't want to make any changes in their [policies] that make them noncompliant," Kitov says. "Another huge driver is automation. If you have a quarterly PCI audit, you can do it in a half an hour [with Tufin's product]."
So far, the big firewall players have stuck with providing management for their own tools, and only Check Point has some firewall auditing features in its Eventia product, according to Forrester. "If a major vendor wants to get into this, they would probably just buy one of the start-ups," Kindervag says. "They probably won't venture very far here, as it will require them to support other vendors in most cases."
Among the vendors in this market are AlgoSec, Athena Security, LogLogic, ManageEngine, Matasano Security, RedSeal Systems, Secure Passage, Skybox Security, and Tufin.
It remains to be seen, however, just how these tools will be integrated with other security management products, such as SIM/SIEM. And they add yet another management tool for enterprises to use and monitor. At least one vendor, LogLogic, integrates with SIEM tools. But it may not be as attractive for vendors to integrate as it is for customers: "I would hope that these tools evolve into full management suites that include SIM, device configuration, and threat modeling features. Vendors may be economically disincented to do so, however," Kindervag says.