Firewall Configurations Can Be Hard To Manage, Sounds Like A Job For Open Source

With PCI and other compliance regimes demanding it, keeping firewall rules in good order can be a tall task, but this open source tool will have you "in like Flint."

For many people network security starts and stops with firewalls. The foundational technology of perimeter-based security, firewalls have grown more complex and sophisticated over the years. Today, keeping your firewall rule set tuned and managing complex firewall configurations is a job often best left to experts. A new open source tool, Flint, offers help, though.

Flint was developed by Matasano Security, makers of the Playbook enterprise firewall management tool. Over the years as some firewall brands have been discontinued (Cisco PIX for example) and others have come to market (Palo Alto Networks for instance), many organizations find themselves having to manage multiple brands and versions of firewalls. This has led to a new class of security management applications that help with complex firewall management.

Besides Matasano's Playbook, other players in this market are Tufin Technologies, an Israel-based company, and Secure Passage, maker of the Firemon product. Secure Passage has an interesting community play that I will discuss in a moment, but first Flint.

This first version of Flint supports Cisco firewalls only. According to Matasano, what Flint does is:

CHECK RULES BEFORE DEPLOYING THEM

Flint prevents engineers from making costly mistakes. It takes just moments for Flint to evaluate a ruleset and spot errors. Your team can have it up and running in minutes. Flint is low-drag, no drama.

CLEAN UP RUSTY RULESETS

Flint does the hard work of scouring firewall rules for useless crud, saving you time and allowing your team to focus on engineering problems that really matter. Flint can spot redundant and contradictory rules, and Flint makes it easier to spot business-level problems.

COMPREHEND COMPLEX CONFIGURATIONS

Flint doesn't just check firewalls for problems. It also fully understands the meanings of configuration lines, and breaks them down for you by service or by interface, so you can see at a glance what any given firewall is doing.

Flint is written in Ruby on Rails and is available as a ready-to-run virtual machine along with the source code. You can even rebrand and extend Flint and resell it if you would like. Of course, in conjunction with Matasano's Playbook you may get more out of it, but Flint still provides lots of value as a stand-alone tool.
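To make concrete what "redundant" and "contradictory" rules look like in a Cisco ruleset, here is a small analyser I have added as an example. It is not Flint's code and the access-list below is constructed for illustration, not taken from a real firewall. It assumes ASA/PIX "extended" access-list syntax with subnet masks (IOS wildcard masks are not handled), the address forms any / host / network-mask, and the port forms eq / range; anything else is out of scope.

```ruby
# Minimal Cisco ASA/PIX access-list analyser (added example, not Flint's code).
# Walks the ACL top to bottom and flags any rule whose whole match space is
# already covered by an earlier rule: same action => redundant, opposite
# action => contradictory (the later rule can never fire).
require "ipaddr"

ANY_ADDR = (0..0xFFFFFFFF).freeze
ANY_PORT = (0..65535).freeze

# One ACL entry; addresses and ports are stored as integer ranges.
Rule = Struct.new(:index, :name, :action, :proto, :src, :sport, :dst, :dport, :text) do
  # True when every packet this rule matches would also match +other+.
  def covered_by?(other)
    other.name == name &&
      (other.proto == "ip" || other.proto == proto) &&   # "ip" matches all protocols
      covers?(other.src, src) && covers?(other.dst, dst) &&
      covers?(other.sport, sport) && covers?(other.dport, dport)
  end

  private

  def covers?(outer, inner)
    outer.begin <= inner.begin && outer.end >= inner.end
  end
end

# Consume "any", "host A.B.C.D" or "A.B.C.D M.M.M.M" (subnet mask) from tokens.
def parse_addr(tokens)
  case tokens.first
  when "any"
    tokens.shift
    ANY_ADDR
  when "host"
    tokens.shift
    ip = IPAddr.new(tokens.shift).to_i
    ip..ip
  else
    addr = IPAddr.new(tokens.shift).to_i
    mask = IPAddr.new(tokens.shift).to_i
    lo = addr & mask
    lo..(lo | (0xFFFFFFFF ^ mask))
  end
end

# Consume an optional "eq N" or "range A B"; absence means all ports.
def parse_port(tokens)
  case tokens.first
  when "eq"
    tokens.shift
    port = Integer(tokens.shift)
    port..port
  when "range"
    tokens.shift
    low = Integer(tokens.shift)
    high = Integer(tokens.shift)
    low..high
  else
    ANY_PORT
  end
end

# Parse "access-list NAME [extended] ACTION PROTO SRC [PORT] DST [PORT]" lines;
# remarks and non-ACL lines are skipped.
def parse_ruleset(config)
  rules = []
  config.each_line do |line|
    tokens = line.strip.split
    next unless tokens.shift == "access-list"
    name = tokens.shift
    tokens.shift if tokens.first == "extended"
    next if tokens.first == "remark"
    action = tokens.shift
    proto = tokens.shift
    src = parse_addr(tokens)
    sport = parse_port(tokens)
    dst = parse_addr(tokens)
    dport = parse_port(tokens)
    rules << Rule.new(rules.size + 1, name, action, proto, src, sport, dst, dport, line.strip)
  end
  rules
end

# Report each rule that is fully shadowed by a single earlier rule.
def analyse(rules)
  findings = []
  rules.each_with_index do |rule, i|
    shadow = rules[0...i].find { |earlier| rule.covered_by?(earlier) }
    next unless shadow
    kind = shadow.action == rule.action ? :redundant : :contradictory
    findings << { rule: rule.index, kind: kind, shadowed_by: shadow.index }
  end
  findings
end

# Constructed sample ruleset (RFC 5737 documentation addresses), not a real config.
SAMPLE_ACL = <<~ACL
  access-list OUTSIDE_IN remark constructed sample for the analyser
  access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
  access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
  access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any
  access-list OUTSIDE_IN extended permit tcp host 10.1.2.3 host 203.0.113.20 eq 22
  access-list OUTSIDE_IN extended permit udp any host 203.0.113.30 eq 53
ACL

def run_sample
  analyse(parse_ruleset(SAMPLE_ACL))
end

if __FILE__ == $PROGRAM_NAME
  run_sample.each do |f|
    puts "rule #{f[:rule]} is #{f[:kind]}: shadowed by rule #{f[:shadowed_by]}"
  end
end
```

On the sample, rule 2 is reported as redundant (rule 1 already permits 443 to that host from anywhere) and rule 4 as contradictory (the deny for 10.0.0.0/8 above it means the SSH permit can never match). The check is deliberately conservative: it only looks for a single earlier rule that covers a later one, so a rule shadowed by the union of several earlier rules is not reported, and a permit that merely overlaps a later deny is left alone because that ordering may be intentional.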

As I mentioned earlier, another company in this space is Secure Passage. Secure Passage was spun out of Fishnet Security around the Firemon product, which was developed to help Fishnet manage its customers' large firewall deployments. It has a ton of functionality and manages across most of the major firewall brands and some other security devices.

Though not an open source tool, Firemon does have an interesting open-source-like community play. Firemon has open APIs that have allowed both Secure Passage and a number of other developers and customers to write very useful extensions for Firemon.

Secure Passage has now launched their Nexus Firemon community where these extensions are made available for free to other users. Anyone is free to contribute and use the extensions available on Nexus. This is all made possible by the use of open APIs and closely follows what we see in successful open source communities.

Firewall management can be an intimidating and messy exercise, but with open source tools like Flint and open APIs like those in Firemon, you can leverage the open source model to do a better job of it.

More blog posts from Alan Shimel:


Copyright © 2010 IDG Communications, Inc.