Long hours, non-stop pressure, problem solving 99% of the time-these are the typical words used to describe the day-to-day life of network engineers and firewall administrators. Making routine changes to the infrastructure should not be an additional source of stress, but with the additional roles of monitoring and troubleshooting often times it is. The reasons for this added stress are described in this paper along with an effective solution for addressing these problems using SolarWinds Orion Network Configuration Manager (NCM) and Athena FirePAC for firewall analysis.
Effective Solutions for Firewall Management
Using SolarWinds Orion Network Configuration Manager with Athena FirePAC
Abstract Long hours, non-stop pressure, problem solving 99% of the time-these are the typical words used to describe the day-to-day life of network engineers and firewall administrators. Making routine changes to the infrastructure should not be an additional source of stress, but with the additional roles of monitoring and troubleshooting often times it is. The reasons for this added stress are described in this paper along with an effective solution for addressing these problems using SolarWinds Orion Network Configuration Manager (NCM) and Athena FirePAC for firewall analysis. Introduction To effectively manage and protect the enterprise network assets being controlled by firewall devices, it is essential that administrators have access to the latest configurations and understand what they contain. Some of the activities firewall administrators do on a regular basis are: Allowing access ƒ Making a new business accessible to trading partners. ƒ Providing new users and new networks with access to internal/external IT assets. Adding services ƒ Adding a new trading partner is being added and providing access to some specific services ƒ Allowing a new service to a critical host Infrastructure changes ƒ Augmenting a business service additional servers ƒ Creating a new data center Maintaining service availability ƒ Making sure that planned changes do not effect service availability or open new security holes Blocking services ƒ Disallowing some services to reach a critical host ƒ Blocking dangerous services Blocking access ƒ Blocking attacks from external hosts These day-to-day activities are often interrupted by other tedious, manual and time consuming initiatives such as: . Tuning the firewalls to get optimum performance . Making sure that specific corporate policies defined by the Security officer are not violated
Page 1
ƒ Cleaning up the rules, as the rule size becomes immense and very difficult to manage ƒ Preparing for a firewall audit and responding to queries from a firewall auditor. ƒ Getting ready for a PCI audit! ƒ Migrating a firewall configuration to a different type of firewall Why is this so difficult? Enterprise networks with an already complex web of inter-connections will inevitably grow more complex because of the need to add rules in order to provide network access and protect against attacks. Ideally, rules would be added to the firewall in an organized manner. Furthermore, rules would be organized and enhanced to suit specific business purposes. Unfortunately, that is not reality. As firewall administrators transition, rules are added in an ad hoc manner and the collection of configurations across the network eventually becomes a disordered, chaotic mess. Manually understanding the complete effect of a rule that refers to object groups having multiple levels of membership hierarchy is not only painfully tedious, it is error prone. As the rule base increases, the number of possible combinations explode. For example, we have observed rule bases consisting of a total of 875 rules with 125 Deny rules using almost 4000 address objects/groups and 800 service objects/groups has hundreds of thousands of combinations. If there are many overlaps between the rules and if the rule base is sprinkled with many rules blocking dangerous services (which tends to be the case in open network environments where the desire for open policy has to be reconciled with a policy to protect certain critical assets), then it becomes virtually impossible to figure out the impact of each rule manually. Also, in most networked environments, firewalls from multiple vendors exist to provide security defense-in-depth. However, there is no unified interface for accessing and managing these firewalls across vendors; they are often managed from separate co... [download for more]
