Matasano Preps 'Firewall Mixer'

Firm's first product features simplified rules management for large firewall installations

If you think the firewall is passé, think again: Consulting and research firm Matasano Security has developed its first product and it's for the firewall -- a next-generation firewall management tool, Dark Reading has learned.

The new Clockwork software, currently in beta, provides centralized and easier-to-understand control and change management for multiple vendors' firewalls. Firewalls are typically manually configured and managed separately. "The problem enterprises have is that they have 200 firewalls from multiple vendors and no control or change management for what the rules are, let alone any understanding of what all those rules mean and why they're there," says Thomas Ptacek, principal and founder of Matasano.

Clockwork simplifies this by grabbing all the rules from an organization's firewalls and mixing and matching them as needed. "It lets you mix them, set up global rules, search them, and make changes to multiple firewalls simultaneously, with one click," he says. "We call it a firewall mixer."

The rules are then "burnt" back onto the firewalls from a central Web console, replacing the manual process of logging onto 200 separate command line interfaces, he says.

"This is the way all firewalls will be managed in the future," Ptacek says.

Clockwork tracks all firewall changes, so you can "roll back" one or all firewalls to a previous configuration if something gets misconfigured, for instance. "It's a time machine for firewall rules."

So if a network or security manager mistypes a rule and inadvertently breaks something in the network, Clockwork lets you restore the firewalls to a previously healthy state while you troubleshoot the problem, Ptacek says.

Why focus on such a mature security device as the firewall? Ptacek maintains that firewalls are still one of the most effective network security devices around. "If you look at the stuff you need, it's static defenses. Firewalls have worked," he says. "The stuff that reacts to new threats has been abysmal."

Intrusion prevention systems (IPS), he says, are a prime example of that: "An IPS has not ever helped save anybody," but a firewall has. (See What Use Is an IPS? and IDS in Mid-Morph.)

Clockwork is a Ruby on Rails application and also comes with links to Wiki pages that drill down on firewall rules. "You can click on the rules and see what application they're talking about. They're searchable so you can give me a hostname or an IP address and I can show you every firewall that references them... And I can report on them and show you what risks your current rulesets expose."
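The central rule store the article describes (aggregating every firewall's rules, pushing a global rule to all of them at once, searching by hostname or IP, reporting risky rules, and rolling the whole estate back to an earlier version) sketched as a toy Ruby model. This is an added example, not Matasano's code, and it does not reflect how Clockwork is actually built; the firewall names, rules and addresses are constructed sample data, and the risk check (flagging allow-any-to-any rules and duplicates) is an assumed, minimal stand-in for whatever the product reports.

```ruby
# Toy model of a central, versioned firewall-rule store: aggregate rules from
# several firewalls, push a global rule to all of them at once, search every
# rule set by hostname or IP, flag risky rules, and roll back to any version.
require "ipaddr"

# action: "allow"/"deny"; src/dst: CIDR, IP, hostname or "any"; port: nil = any
Rule = Struct.new(:action, :src, :dst, :port, :comment) do
  def refers_to?(term)
    endpoint_covers?(src, term) || endpoint_covers?(dst, term)
  end

  private

  # True if a rule endpoint names the term exactly or is a CIDR containing it.
  # "any" is deliberately not treated as a reference to a specific host.
  def endpoint_covers?(endpoint, term)
    return true if endpoint.casecmp?(term)
    IPAddr.new(endpoint).include?(IPAddr.new(term))
  rescue IPAddr::Error
    false # hostname vs. address: only an exact match counts
  end
end

class RuleStore
  Version = Struct.new(:label, :rulesets)
  attr_reader :versions

  def initialize
    @versions = []
  end

  # The latest snapshot: { firewall name => [Rule, ...] }
  def current
    @versions.empty? ? {} : @versions.last.rulesets
  end

  def import_rules(rulesets, label = "initial import")
    commit(label, rulesets)
  end

  def set_rules(firewall, rules, label)
    commit(label, current.merge(firewall => rules))
  end

  # One change applied to every firewall at once ("mixing" a global rule in).
  def push_global(rule, label)
    commit(label, current.transform_values { |rules| [rule] + rules })
  end

  # Rollback is itself recorded, so the audit trail never loses a step.
  def rollback(version)
    v = @versions.fetch(version)
    commit("rollback to v#{version} (#{v.label})", v.rulesets)
  end

  # Every firewall whose current rules reference a hostname or IP address.
  def search(term)
    current.each_with_object({}) do |(fw, rules), hits|
      found = rules.select { |r| r.refers_to?(term) }
      hits[fw] = found unless found.empty?
    end
  end

  # Assumed, minimal risk check: allow-any-to-any rules and duplicate rules.
  def risk_report
    findings = []
    current.each do |fw, rules|
      seen = {}
      rules.each_with_index do |r, i|
        if r.action == "allow" && r.src == "any" && r.dst == "any" && r.port.nil?
          findings << "#{fw}: rule #{i} allows any->any on all ports"
        end
        key = [r.action, r.src, r.dst, r.port]
        findings << "#{fw}: rule #{i} duplicates an earlier rule" if seen[key]
        seen[key] = true
      end
    end
    findings
  end

  private

  # Every change appends an immutable snapshot, so any state can be restored.
  def commit(label, rulesets)
    snapshot = rulesets.transform_values { |rules| rules.map(&:dup).freeze }.freeze
    @versions << Version.new(label, snapshot)
    @versions.size - 1
  end
end

# Constructed sample rule sets for three firewalls (not real configurations).
SAMPLE_RULESETS = {
  "fw-dmz-1" => [
    Rule.new("allow", "any", "10.1.0.10", 443, "public web tier"),
    Rule.new("allow", "10.1.0.0/24", "10.2.0.5", 5432, "web -> db"),
    Rule.new("deny", "any", "any", nil, "default deny"),
  ],
  "fw-core-1" => [
    Rule.new("allow", "10.2.0.0/16", "10.2.0.5", 5432, "internal -> db"),
    Rule.new("allow", "any", "any", nil, "TEMP troubleshooting rule"),
  ],
  "fw-branch-7" => [
    Rule.new("allow", "192.168.7.0/24", "mail.example.com", 25, "branch mail"),
    Rule.new("deny", "any", "any", nil, "default deny"),
  ],
}.freeze

# Walk through the workflow: import, search, global push, bad change, rollback.
def demo
  store = RuleStore.new
  store.import_rules(SAMPLE_RULESETS)
  db_refs = store.search("10.2.0.5") # every firewall touching the db host
  good = store.push_global(Rule.new("deny", "any", "10.9.9.9", nil, "block one host"), "global block")
  store.set_rules("fw-branch-7", [Rule.new("deny", "any", "any", nil, "mistyped")], "bad change")
  restored = store.rollback(good) # whole estate back to the known-good version
  [store, db_refs, restored]
end

if __FILE__ == $PROGRAM_NAME
  store, db_refs, restored = demo
  puts "firewalls referencing 10.2.0.5: #{db_refs.keys.join(', ')}"
  puts "restored version v#{restored} (#{store.versions.size} versions kept)"
  store.risk_report.each { |f| puts "risk: #{f}" }
end
```

The design choice worth noting is that every change, including a rollback, appends a new snapshot rather than editing in place: that is what makes the "time machine" behaviour trivial and keeps the change history complete for review. Searching matches an IP against CIDR endpoints and a hostname only by exact name; a real tool would also resolve names and expand address objects.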

Matasano plans to distribute the app as a VMware image of a hardened Linux-based system, Ptacek says. "So there's almost no installation. You just plug it into your VMware server." Pricing has not yet been set for Clockwork.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

