Network World

Alan Shimel

Firewall Configurations Can Be Hard To Manage, Sounds Like A Job For Open Source

With PCI and other compliance regulations demanding it, keeping and maintaining firewall rules in good order can be a tall task, but this open source tool will have you "in like Flint"

By Alan Shimel on Tue, 03/16/10 - 1:13am.

For many people, network security starts and stops with firewalls. The foundational technology of perimeter-based security, firewalls have grown more complex and sophisticated over the years. Today, keeping your firewall rule set tuned and managing complex firewall configurations is a job often best left to experts. A new open source tool, Flint, offers help, though.

Flint was developed by Matasano Security, makers of the Playbook enterprise firewall management tool. Over the years as some firewall brands have been discontinued (Cisco PIX for example) and others have come to market (Palo Alto Networks for instance), many organizations find themselves having to manage multiple brands and versions of firewalls. This has led to a new class of security management applications that help with complex firewall management.

Besides Matasano's Playbook, other players in this market are an Israeli-based company, Tufin Technology, and another company named Secure Passage, makers of the Firemon product. Secure Passage has an interesting community play that I will discuss in a moment, but first Flint.

This first version of Flint offers support for Cisco firewalls only. According to Matasano what Flint does is:

CHECK RULES BEFORE DEPLOYING THEM
Flint prevents engineers from making costly mistakes. It takes just moments for Flint to evaluate a ruleset and spot errors. Your team can have it up and running in minutes. Flint is low-drag, no drama.

CLEAN UP RUSTY RULESETS
Flint does the hard work of scouring firewall rules for useless crud, saving you time and allowing your team to focus on engineering problems that really matter. Flint can spot redundant and contradictory rules, and Flint makes it easier to spot business-level problems.

COMPREHEND COMPLEX CONFIGURATIONS
Flint doesn't just check firewalls for problems. It also fully understands the meanings of configuration lines, and breaks them down for you by service or by interface, so you can see at a glance what any given firewall is doing.

Flint is written in Ruby on Rails and is available to run in a virtual machine, along with the source code. You can even rebrand and extend Flint to resell it if you would like. Of course, in conjunction with Matasano's Playbook you may get more out of it, but Flint still provides lots of value as a stand-alone tool.
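To make the "redundant and contradictory rules" check concrete, here is an added example of my own in Ruby (Flint's language), not Flint's code, parser or output: it reads a small constructed Cisco-style ACL and reports any later rule that an earlier rule already fully matches. A shadowed rule with the same action is redundant; one with the opposite action is contradictory, because it can never take effect.

```ruby
require 'ipaddr'

# Constructed sample ACL (not from a real firewall). Line 2 is shadowed by
# line 1 (same action => redundant); line 4 is shadowed by line 3
# (opposite action => contradictory).
ACL = <<~ACL
  access-list OUTSIDE extended permit tcp any host 192.168.1.10 eq 80
  access-list OUTSIDE extended permit tcp 10.1.0.0 255.255.0.0 host 192.168.1.10 eq 80
  access-list OUTSIDE extended deny ip 10.0.0.0 255.0.0.0 any
  access-list OUTSIDE extended permit udp 10.2.3.0 255.255.255.0 any eq 53
  access-list OUTSIDE extended deny ip any any
ACL

Rule = Struct.new(:line, :action, :proto, :src, :dst, :port)

# Consume one address term: "any", "host A.B.C.D", or "A.B.C.D MASK".
def take_addr(tokens)
  first = tokens.shift
  return IPAddr.new('0.0.0.0/0') if first == 'any'
  return IPAddr.new(tokens.shift) if first == 'host'
  IPAddr.new("#{first}/#{tokens.shift}")
end

# Parse the subset of "access-list NAME extended ACTION PROTO SRC DST [eq PORT]"
# used above; returns an array of Rule in listing order.
def parse_acl(text)
  text.lines.each_with_index.map do |l, i|
    t = l.split
    next unless t[0] == 'access-list'
    rest = t[5..-1]
    src = take_addr(rest)
    dst = take_addr(rest)
    port = rest[0] == 'eq' ? rest[1] : nil
    Rule.new(i + 1, t[3], t[4], src, dst, port)
  end.compact
end

# True when earlier rule a matches every packet that later rule b would match.
def covers?(a, b)
  (a.proto == 'ip' || a.proto == b.proto) &&
    a.src.include?(b.src) && a.dst.include?(b.dst) &&
    (a.port.nil? || a.port == b.port)
end

# Returns [[shadowed_line, shadowing_line, :redundant | :contradictory], ...]
def shadowed_rules(rules)
  rules.each_with_index.flat_map do |r, j|
    first = rules[0...j].find { |e| covers?(e, r) }
    next [] unless first
    [[r.line, first.line, r.action == first.action ? :redundant : :contradictory]]
  end
end

shadowed_rules(parse_acl(ACL)).each { |l, by, k| puts "line #{l} is #{k}: shadowed by line #{by}" }
```

Only first-match shadowing is checked here; a rule that is covered only by the union of several earlier rules is not reported.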

As I mentioned earlier, another company in this space is Secure Passage. SP was spun out from Fishnet Security around the Firemon product, which was developed to help Fishnet manage their customers' large firewall deployments. It has a ton of functionality and manages across most of the major firewall brands and some other security devices.

Though not an open source tool, Firemon does have an interesting open source-like community play. Firemon has open APIs that have allowed both Secure Passage and a number of other developers and customers to write very useful extensions for Firemon.

Secure Passage has now launched their Nexus Firemon community where these extensions are made available for free to other users. Anyone is free to contribute and use the extensions available on Nexus. This is all made possible by the use of open APIs and closely follows what we see in successful open source communities.

Firewall management can be an intimidating and messy exercise, but with open source tools like Flint and open APIs like those in Firemon, you can leverage the open source model to do a better job of it.

About Open Source Fact and Fiction

As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.

Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.

Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.

Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
