"There is definitely an over-reluctance to changing firewall vendors due to fear of complexity of translating rules from one product to another," says John Pescatore, vice president and research fellow with Gartner. "Actually, a lot of the fear is just of touching the firewall policy at all, as many have added rules over five- to 10 years, and [organizations] aren't actually even sure what policy is running anymore."
Pescatore says Gartner's clients are typically more afraid of disrupting business operations than of inadvertently introducing new security holes with the new policies they implement. "But we tell them they should be worried: A lot of firewall policies have rules that actually never get triggered and lots of exceptions baked in that no one remembers are there," he says.
Moving from one vendor's firewall to another involves major hurdles. First, different vendors run different firewall operating systems, so a policy written for one vendor may not translate to another. A rule from one vendor's firewall may not even apply to another one, and often the migration process requires starting all over from scratch, says Chris Odell, information security engineer for managed security services provider Solutionary, which performs such tasks for its services customers.
"First, you have to figure out their firewall and evaluate all of the rules to make sure those rules are even applicable to the new firewall," Odell says. "Oftentimes you do reviews and find tons of stuff that doesn't need to be in there -- like a lot of ACLs [access control lists] that are not applied to any of the interfaces," so it makes sense to clean up the old set of rules before rebuilding new ones for a new router, he says.
Even as security vendors try to lure new customers with incentives in this tight economy, it's often just too costly resource-wise for an enterprise itself to perform all of the manual configuration, testing, and other steps involved in changing firewall vendors, experts say.
A combination of tougher PCI enforcement for auditors and organizations' need for expanding firewall power while simplifying the process of configuring firewalls has driven firewall management vendors to offer better tools to help organizations with the painstaking process of rebuilding firewall rules from one platform to another.
Now that PCI has cracked down and is auditing the auditors, auditors can no longer just ask if a company is hardening its firewall or has set up a DMZ, says Courtlend Little, a service and solutions architect for Solutionary. "How does an auditor verify that? It's impossible to know if [an organization] is compliant unless they have a tool," he says.
Vendors like AlgoSec, RedSeal, SecurePassage, and Tufin offer tools that assist in the migration from one firewall technology to another, and other vendors are readying new features for their products to help ease the pain of changing firewall vendors. Athena Security on Monday will release a plug-in for its FirePAC firewall management tool that helps preserve existing firewall policies from one vendor's platform to another, and verifies them. Also in May, Matasano Security will add a free request and approval workflow function to its Playbook firewall management tool that vets policy changes before they are applied to a firewall, and provides an audit trail of the changes so that when a company ports to a new firewall, it can determine the original requirement for the rule.
"It would help them understand what the original requirement for the rule was so they can ensure they fulfill it when they port it over, and will help them remove rules they don't really need anymore," says Max Caceres, director of research and development for Matasano.
Athena Security's new plug-in for its FirePAC product assesses and validates the conversion of firewall rules before they go operational, identifying any gaps or problems and offering solutions. The new tool can drill down to how Network Address Translation works with the firewall ACLs, for instance, says Anjali Gurnani, vice president of business development for Athena Security.
"It compares the original version [of the firewall] to the target version to identify any gaps that are high priority," Gurnani says. Firewall vendors Cisco, Check Point, and Juniper all have some policy migration tools, but they don't provide a way to validate changes, she says. "None look at the comprehensive behavior of the firewall and all of the policies," she says.
Gartner's Pescatore says it helps to get help from the firewall vendors when changing firewall brands. "We tell Gartner clients to try to negotiate free policy-conversion service into any firewall deal when they are switching," Gartner's Pescatore says. "And conversion complexity should only be a major impediment when they have large numbers -- more than a dozen or so -- of different firewall policies out there."
Firewall migration tools today that help with rules/policy conversion aren't foolproof, either, says Arif Faiz, director of network security for FishNet Security, an MSSP. "There is a lot of manual oversight involved, and the firewall features such as AV [antivirus] and content filtering of one vendor might not be fully supported by the other," Faiz says. That's where the manual process comes in.
FishNet's professional services group runs FirePAC in its client engagements, and is looking to the new plug-in -- which is priced at $1,000 per firewall for licensed FirePAC users -- to help them analyze firewall rule, and to prevent misconfiguration of firewalls. "The firewall security policy can be checked across multiple vendors [and] allows for 'before' and 'after' health checks," Faiz says.
Faiz says one of the biggest problems with firewall migration, though, is that many organizations just don't regularly audit their firewalls. "There is no process built in the vendor migration tools to account for unused objects/resources and rules," he says. "It is imperative to clean up the rulebase before migration."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.