Review: Firewall operations management

Anyone running multiple firewalls in a complex, enterprise environment knows how difficult it can be to catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.

Hungry for virtual server security

In this test, we look at five firewall operations management products: AlgoSec's Firewall Analyzer, RedSeal's Network Advisor and Vulnerability Advisor, Secure Passage's FireMon, Skybox's View Assure and View Secure and Tufin's SecureTrack. (See how we conducted our test.)

We found that these products perform similar core functions: they retrieve configuration files of firewalls (and other network devices), store the data and analyze it. They can look at change history, analyze existing rules, perform rules-based queries, re-order rules, and send out alerts, if policies are violated. They can also create automated compliance audit analysis and reports.

In addition, they can do modeling and wargame analysis based on a snapshot-in-time version of the real network. Plus, Algosec, RedSeal and Skybox can provide network diagrams and topology views of the underlying networks.

Overall, we were most impressed with RedSeal and Skybox, which cover all the basics, plus have the added benefits of being able to support multiple vendor vulnerability scanning products, which can calculate the network's risk scores and run vulnerability analyses on your whole network. However, we were impressed with all of the products.

Algosec's Firewall Analyzer had an intuitive interface and came with predefined standard audit and analysis reports. Installation was simple and the program offered a wizard for easy data collection.

Network Advisor and Vulnerability Advisor from RedSeal answered questions on how well the network is configured to protect from Internet threats. The programs generate vulnerability reports showing weaknesses in the network, and contain pre-configured compliance management reports in pdf and xml formats.

FireMon from Secure Passage performs real-time analysis on device configuration and stays current by using an automated analysis of compliance guidelines. There is a wizard to import device information en mass for large networks.

Skybox View Assure and Skybox View Secure can automate the collection schedule of configuration files by the hour, day, week, month or year. A built-in ticketing system supports access change tickets and policy violation tickets.

Quiz: Do you know security?

SecureTrack from Tufin has a What-If analysis feature to test changes to policies before they are implemented. Pre-defined analysis and reporting options are based on industry best practices.

AlgoSec Firewall Analyzer

We tested AlgoSec's Linux-based Firewall Analyzer software package, which consists of an analysis engine, collection engine, Web server, administrative GUI for local and remote administration, and user, policy storage, and syslog databases.

The analyzer engine runs queries on the data collected, based on predefined or custom rules, and then generates a detailed report. The Web server sends e-mail alerts to the firewall manager.

Installer kits are available for 32-bit Red Hat Enterprise Linux 4&5 and Centos 4&5. We installed it as a VMware appliance on our Dell 600SC server. Once the VMware player is loaded onto the Firewall Analyzer, it boots up, and logging in as root will bring up the Firewall Analyzer browser application. With the browser path set to https://hostaddress/, the Algosec management screen appears, and the management application client is launched by clicking on the login.

There are three methods for data collection – a wizard accessed from the Administration tab, semi-automated scripts provided by AlgoSec, or doing it manually, which is time consuming and could result in errors.

Once files are retrieved and stored, Firewall Analyzer runs a risk analysis based on PCI compliance, NIST, SANS Top 20 and vendor best practices. In addition, we found that we could create custom analysis reports. Selecting the Firewall Reports option displays charts and a connectivity diagram summarizing changes, findings, policy optimization, rule reordering, firewall information and a firewall connectivity diagram. Choosing the Risks option displays the findings with risk codes and details about the risk with suggestions and diagrams on how to deal with it.

We ran Algosec's Change History Report that detailed changes in rules on the firewall. On the bottom of the Change History dashboard we saw features to run interactive traffic queries, to compare the report with other reports, and to create a group report with other firewalls.

The Optimization Policy feature provides the Rules Cleanup and Reordering tools. The Cleanup Report lists any rules that need correction and their number of instances. Some rule types flagged in a Cleanup Report are labeled as unused, covered, redundant, disabled, and rules with a non-compliant name. A similar list is provided for Object Cleanup. The Rule Reordering Report gave us information on how to improve a rule and how much the rule can be improved. You can access a detailed report that tells you how to make the changes.

The AlgoSec Firewall Analyzer client application dashboard is well organized and multi-tiered, making it easy to find features and wizards. A useful wizard, Optimize Policy, could specifically identify rules to cleanup. There are pre-defined compliance audits such as PCI-DSS, ISO/IEC 27001, Sarbanes-Oxley and others. In addition, the compliance reports are well organized and available in PDF, HTML and XML. A drawback was the lack of integration with a vulnerability scanner, but AlgoSec is an excellent product for compliance auditing and compliance and rule optimization.

RedSeal Network Advisor and Vulnerability Advisor

With RedSeal Network Advisor 4.1 and Vulnerability Advisor 4.1, you can automate the process of analyzing, identifying, quantifying and mitigating risk and vulnerabilities in complex networks. Network Advisor uses plugins to import configuration files from each supported device. We liked that we could create a unified network topology map with a best practices analysis and solutions for remediation after we imported risk and vulnerability analyses.

We installed Red Seal software on our Dell server running Windows XP. Once the server is installed and started, the client is installed. After we logged in with the client application, we could access the server that had a feature-rich GUI dashboard.

Both Network Advisor and Vulnerability Advisor require importing router, switch and firewall configuration files to the database. The analytical engine processes information that includes host names, IP addresses, subnet masks and device interfaces. Analysis results appear in the form of graphical displays, reports, maps and charts detailing the current status and configuration of the network. Plugins are available for a wide range of products from Cisco, Check Point, Juniper and dozens of others.

After device configuration files are imported into the RedSeal Advisor, the files were checked against RedSeal's best practices database. We could drill down to locate the offending policy by double-clicking on a selected row. Any changes to hosts and devices could be analyzed and reported with the View Changes application.

We accomplished rule usage analysis and reordering by using RedSeal's Custom Best Practice Check feature. Using a regular expression tool, we could search the configuration files and use the available plugin associated with the device. Since configuration files can be edited, we performed what-if analysis to determine if changes to a rule would adversely affect the network.

RedSeal provides preconfigured compliance management analysis reports. We could add and schedule custom reports to run at specific times. We could analyze and report on how well our network was configured compared to best practice checks, and what assets were exposed to the Internet.

We liked how RedSeal's interface for running vulnerability analysis presents a topology map of the network, offering a graphical method for analyzing network vulnerabilities. Arrows point from the source of the threat to the assets at risk. The map states highly detailed information quantifying the risk, based on the Common Vulnerability Scoring System (CVSS). This is an important feature for saving time and preventing attacks on valuable assets. We were impressed with seeing the threats at a high level and drilling down into the report to explore the details. The topology map feature provides a similar method for running the pre-defined PCI-DSS analysis on targeted network segments. We could select a network segment and run an analysis report on it with one mouse click.

RedSeal integrates their product with several well known vulnerability scanners, such as Qualys, nCircle and McAfee, to provide vulnerability and risk metrics. We recommend this product for quantifying risk and vulnerabilities and to allocate resources based on asset value.

FireMon from Secure Passage

FireMon from Secure Passage manages firewalls by reporting on changes to the firewall policy, checking unused rules and reporting how traffic flows through rules. Compliance is safe guarded by the program's automated analysis of compliance guidelines such as Payment Card Industry (PCI) and National Security Agency (NSA).

The FireMon architecture includes an application server, data collector and a graphical user interface (GUI). The application server tracked the data collected, performed real-time analysis on transactions and device configuration and generated scheduled reports. The data collector is a Firemon application running on an appliance or PC to monitor and collect data from firewalls, switches and routers, and any other security devices on the network.

After installing the FireMon management client on Windows Vista, which was a quick process, we could log into the FireMon server with a user name, password, IP address and port number to bring up the management console.

FireMon offers a wizard for importing Check Point, Cisco, F5, Juniper, Nokia and McAfee/Secure Computing devices. Once the entries are made to the wizard, all the associated firewalls, management servers and log servers are auto-discovered and added automatically in sequence.

Firewall, router and switch rule policy management

FireMon provides several tools for analyzing firewall, router and switch rules and policies. We used the Firewall Traffic Flow Analysis tool to produce a report that zeros in on "Any" rules configured on firewalls in a large network. We could fine tune the firewall rules by reducing or eliminating overly permissive "Any" rules and large complicated ones.

We looked at some of the reports for rule policy management. We generated FireMon's Rule Recommendation Report that offers analyzing issues, such as a request for https traffic from source and destination addresses. The report showed us if a policy already existed for the requested access. At the bottom, the report listed a table of each policy tested and the source and destination routes involved. You can get the report in http, pdf and xml format.

We examined the Rule Comparison feature that analyzes the changes to a device's policy rule changes made over time. We saw color-coded icons for change, inserted, deleted and the same. You can revert back to a known good state using this report, which helps with institutional knowledge transfer.

Secure Passage has an interface that is well organized with features that are easy to navigate. We saw that some of the analysis and report wizards, such as the Rule Recommendation Report, displayed helpful examples showing how to set parameters. The FireMon traffic flow analysis feature is a handy tool for determining how to eliminate audit-triggering firewall ANY rules. We could print a logically organized report detailing the traffic flow from source to destination that revealed the ports and services actually used. A firewall administrator can create a more secure rule to eliminate the ANY rule using this report.

Although the FireMon Rule Comparison Analysis Report was confusing at first with its color-coded parameters that indicated changes, we feel that FireMon has excellent analysis features for optimizing rules and creating audit trails. This product should be considered a good firewall management solution for the enterprise environment.

Skybox View Assure and Skybox View Secure

The Skybox Risk View platform is comprised of two products: the Skybox Secure 4.5 for risk exposure and security profile analysis, and threat alert management, and Skybox Assure that manages the firewall and performs network compliance auditing. The platform application is scalable and is made of the Skybox View Server, Skybox View Collector, Skybox View Manager and Skybox View Dictionary. The dictionary is the database for definitions and profiles for vulnerabilities, threats, worms and network security policies.

Skybox uses vulnerability scanners and analysis to categorize, quantify and prioritize threats to the network. Using the Skybox Assure software suite, we could manage network policy validations, regulatory compliance audits and network device changes. With the automation features provided, we could run audit checks on thousands of firewall rule-bases.