However, even a midsize organization may have a large number of firewalls at different points of the network, including the perimeter, various network segments, and branch and remote offices. Keeping track of configurations and changes is time-consuming, tedious, and often ignored.
That's a problem. For one, a misconfiguration can open unintended holes in the company's defenses. For another, requirements such as PCI section 1.1.6 compel organizations to routinely audit and test firewalls. Failure to meet these requirements can result in fines and other penalties.
A class of products exists to help staff assess and manage firewall configurations to ensure they meet corporate security policies. Some of these products also can help optimize configurations by identifying redundant or unsafe rules, and a few can provide visual maps of how traffic travels through the organization.
Organizations that invest in a firewall configuration management product can reduce the amount of time administrators spend trying to manage and audit configurations, meet compliance obligations, and be confident that their firewall policies are actually serving their intended purpose: to manage risk.
Note, however, that these software products don't know the business justifications for all the rules. For instance, a rule that's only used once a quarter may be flagged by the firewall management software. However, this rule may be for the finance department's quarterly closeout activities and shouldn't be removed. These products are no substitute for administrators' knowledge and insight.
Check The Rules
Each product in this market starts with firewall rule auditing. This is a base capability; from here, some vendors add the ability to audit other network devices and build maps of communication pathways and threat visualization. As you add features, the price goes up.
Athena Security's FirePAC product lets administrators query all the rules in a firewall configuration to see which network services can reach a target IP address. It can also find duplicate or redundant rules.
RedSeal's Network Analyzer associates vulnerabilities from Qualys and other vulnerability scanners with systems or network segments, visually maps network paths, and combines the two data sets to provide insight into where attackers could travel after compromising a system. RedSeal analyzes not just firewall configurations but switches, routers, and load balancers to provide a visual map of the network.
Skybox Security's Firewall Compliance Auditor supports a variety of firewalls out of the box. It can also work with unsupported firewalls through an API. This is useful if you have older or open source devices. Skybox also analyzes configurations from firewalls, routers, switches, and load balancers.
Tufin's Secure Track product analyzes firewall rule utilization. Tufin can show administrators which rules aren't used, which are highly used, and whether the configuration includes duplicate or overlapping rules. This feature lets firewall administrators optimize the firewall for better performance.
Tufin also presents its analysis in the format and conventions used by the firewall it's analyzing. For instance, if an administrator is reviewing policies on Check Point firewalls, the analysis is presented in a format that Check Point users will be comfortable with. This feature is available for a variety of firewall vendors.
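The duplicate, redundant and overlapping-rule checks described above, together with a "what can reach this address" query, sketched as an added example. It is not code from any of the products named; the `Rule` model, rule names and addresses are constructed, and it assumes TCP-only rules evaluated first-match, top-down.

```python
from dataclasses import astuple, dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:  # hypothetical vendor-neutral rule model, TCP only
    name: str
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    lo: int      # destination port range, inclusive
    hi: int

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.lo <= b.lo and b.hi <= a.hi)

def audit(rules):
    """Flag rules that never fire because a single earlier rule covers them."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = ("duplicate" if astuple(earlier)[1:] == astuple(later)[1:]
                        else "redundant" if earlier.action == later.action
                        else "shadowed")  # earlier rule overrides the intent
                findings.append((later.name, kind, earlier.name))
                break
    return findings

def allowed_ports(rules, src, dst):
    """TCP ports on dst reachable from src; the first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    hits = [r for r in rules if s in ip_network(r.src) and d in ip_network(r.dst)]
    ports = set()
    for r in (h for h in hits if h.action == "allow"):
        for p in range(r.lo, r.hi + 1):
            if next(x for x in hits if x.lo <= p <= x.hi).action == "allow":
                ports.add(p)
    return sorted(ports)

RULES = [  # constructed sample policy, evaluated top-down (implicit default deny)
    Rule("r1-web", "allow", "0.0.0.0/0", "10.0.1.0/24", 443, 443),
    Rule("r2-admin", "allow", "10.0.9.0/24", "10.0.1.0/24", 22, 22),
    Rule("r3-web-host", "allow", "0.0.0.0/0", "10.0.1.10/32", 443, 443),
    Rule("r4-block-ssh", "deny", "10.0.9.5/32", "10.0.1.10/32", 22, 22),
    Rule("r5-web", "allow", "0.0.0.0/0", "10.0.1.0/24", 443, 443),
]
print(audit(RULES), allowed_ports(RULES, "10.0.9.5", "10.0.1.10"))
```

The shadowed finding is the one that matters for risk: `r4-block-ssh` was meant to deny SSH from one host, but the broader allow above it wins, so port 22 stays reachable from that address.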
| Vendor | Product | Installation | Supported Devices |
| --- | --- | --- | --- |
| Algosec | Firewall Analyzer | Software | Firewalls, routers |
| Athena Security | FirePAC | Software | Firewalls |
| RedSeal | Network Analyzer | Software or appliance | Firewalls, switches, routers, load balancers |
| Secure Passage | FireMon | Software or appliance | Firewalls, Cisco routers and switches |
| Skybox Security | Firewall Compliance Auditor | Software or appliance | Firewalls, routers and switches, load balancers |
| Tufin | Secure Track | Software, appliance or virtual appliance | Firewalls, routers and switches, load balancers |