Senior Editor, Network World

Swapping out firewalls easier said than done

May 08, 2006
Access Control, Cisco Systems, Networking

Lack of migration tools makes switching vendors a months-long ordeal.

Moving from one brand of gateway firewall to another is proving to be a daunting task that corporate customers say takes six or more months because of a lack of industry standards and dearth of migration tools.

While shifting from one brand of any sort of network equipment to another can be trying, security experts say exchanging gateway firewalls is particularly challenging. The big problem is that vendors generally define access-control rules so differently that migrations need to be conducted largely on a manual basis.

“There really are no export/import utilities, and it’s that way across the industry,” says David Arbo, director of security at Oakland global shipping company APL, which has spent a year transitioning its dozen Check Point-based Nokia gateway firewalls to the Symantec Gateway Security (SGS) appliance.

APL, with about 10,000 network users, had to rewrite its access-control rules for them to work with the SGS.

To help with that transition, migration tools and services from third parties exist, though they can be pricey. Such tools from firewall vendors are sparse, but Cisco has something in the works and offers consulting.

The Smithsonian Institute, which maintains a private global network for about 9,000 users worldwide, pretty much made a firewall shift on its own.

“It’s taken us six to eight months to clean up the old rules,” says Leonard Butler, network security engineer, about swapping out three-decade-old Cisco PIX gateway firewalls for Check Point’s Next Generation firewalls. “That’s all I do.”

Converting the old rules base for its users, along with equipment such as Web servers, was “all manual,” Butler says. “It’s like they’re different species. It’s virtually impossible to compare a Cisco PIX and a Check Point NGS.”

Sirva, the Westmont, Ill., relocation-services company whose brands include the Allied and Global van lines, is transitioning older Check Point and Raptor firewalls to Cisco PIX as part of an effort to standardize on firewalls. (The Raptor firewall was acquired by Symantec six years ago when it bought Axent Technologies.) Setting up access-control rules for 10 firewalls to protect 3,500 network users has dragged on for a year, says Chuck Shmayel, vice president of infrastructure and security.

“There’s nothing I’m aware of to help with this migration,” Shmayel says. “There’s no way to just dump your access-control lists off one to another.”

Some firewall vendors acknowledge that network managers are mainly left to their own devices.

“Among the vendors, everyone approaches the rules base slightly differently,” says Dean Ocampo, product marketing manager at Check Point, which offers no tools to assist the migration process.

Some users try a script-based approach to convert old rules into the target firewall's format, but Ocampo warns buyers to beware. The conversion is a slow process, with six months being realistic, though third-party modeling tools can help, he says.

Symantec has no tools to address firewall migration. But like other vendors, its executives say companies planning a migration should review the firewall policies they have in place anyway.

“It gives you the opportunity to redesign the perimeter and revisit those rules,” says Will Aguilar, senior technical manager.

Michael Jones, Cisco’s senior product manager for ASA and PIX firewalls, says the company’s Security Manager technology can be used to take a global policy and apply it to the full range of Cisco firewalls, including modules for switches and other gear. He says Cisco has a tool in field trials that would import policy-based rules from Check Point and other firewalls to Cisco’s.

Meanwhile, Cisco recommends that customers look into using products from Solsoft, one of the few vendors with tools that help in the firewall rules-conversion process.

Solsoft’s Policy Server can be used to manage multi-vendor firewall environments and includes a rules translation component, says Domenick Lionetti, vice president of sales at the company. But the tool, also offered in a scaled-back stand-alone version called Firewall Manager for small to midsize companies, doesn’t cover the full range of firewalls.

Lionetti also recommends customers carefully review the converted changes rather than simply exporting them to the target firewall. “It’s not a one-button process,” he notes.

Skybox Security is another third-party provider. It takes a different approach with its Assure product, which is designed as a “virtual staging environment” for analyzing and comparing network changes by running security simulations before they go live. APL is among the companies that have turned to Skybox for assistance on a firewall migration.

“Skybox helped in comparison of one firewall to another,” APL’s Arbo says. But Skybox Assure is expensive, starting at $75,000.

While no one ever claimed firewall migration was easy, it’s grown considerably harder over the past three years, says Amit Patel, director of product marketing and security management at Cisco.

“It’s really the last three years when there were significant enhancements [to firewalls] by vendors,” Patel says. “It’s made migration more difficult.”

He recommends that network professionals document their firewall configurations and access rules as comprehensively as possible before migration. “It’s a common experience that there’s no external documentation. But for the few that have this, the move has been fairly graceful.”
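The two practical points in this piece are that vendors express the same access-control rule in different vocabularies (the reason conversion is manual) and that a documented, vendor-neutral inventory of the rule base is what makes a migration graceful. The example below, added here and not code from the article or from any vendor named in it, shows the core of that inventory step: it normalizes rules from two different syntaxes into one neutral record and reports which rules were lost or added in the move. The PIX-style lines are simplified and the CSV export format is entirely constructed for the example; neither is a faithful rendering of any real product's format, and the sample rules are made up.

```python
"""Normalize firewall rules from two vendor syntaxes into one neutral model and diff them.

Both input formats are simplified/constructed for illustration; they are not the
exact syntax of any real firewall product.
"""
from dataclasses import dataclass
import ipaddress

# Different products use different words for the same verdict and the same service.
ACTION_ALIASES = {"permit": "permit", "allow": "permit", "accept": "permit",
                  "deny": "deny", "drop": "deny", "reject": "deny"}
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22,
                 "smtp": 25, "domain": 53, "dns": 53}


@dataclass(frozen=True, order=True)
class Rule:
    """Vendor-neutral access-control rule: all addresses as CIDR, ports as strings."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip"
    src: str      # CIDR, 0.0.0.0/0 for "any"
    dst: str      # CIDR, 0.0.0.0/0 for "any"
    dport: str    # port number as a string, or "any"


def _net(addr, mask=None):
    """Turn 'any', a bare host or an address+netmask pair into CIDR text."""
    if addr.lower() == "any":
        return "0.0.0.0/0"
    spec = addr if mask is None else f"{addr}/{mask}"
    return str(ipaddress.ip_network(spec, strict=False))


def _port(name):
    """Map a service name to its port number; pass numeric ports through."""
    if name.lower() == "any":
        return "any"
    return str(SERVICE_NAMES.get(name.lower(), name))


def _take_addr(tokens, i):
    """Consume one PIX-style address spec at tokens[i]; return (cidr, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return _net(tokens[i + 1]), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2   # network + dotted mask


def parse_pix_style(line):
    """Parse a simplified (constructed) line:
    access-list NAME ACTION PROTO SRC DST [eq PORT]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = ACTION_ALIASES[t[2].lower()], t[3].lower()
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else "any"
    return Rule(action, proto, src, dst, dport)


def parse_csv_export(line):
    """Parse a constructed CSV export: action,proto,source,destination,service."""
    action, proto, src, dst, svc = [f.strip() for f in line.split(",")]
    return Rule(ACTION_ALIASES[action.lower()], proto.lower(),
                _net(src), _net(dst), _port(svc))


def compare_rulebases(old_rules, new_rules):
    """Report rules present in the old base but not the new one, and vice versa."""
    old, new = set(old_rules), set(new_rules)
    return {"missing_in_new": sorted(old - new), "extra_in_new": sorted(new - old)}


def document_rulebase(rules):
    """Produce the plain-text inventory that should exist before a migration starts."""
    return [f"{r.action:6} {r.proto:3} {r.src:>18} -> {r.dst:<18} port {r.dport}"
            for r in rules]


# Constructed sample rule bases: the old PIX-style ACL and the new export.
OLD_PIX = [
    "access-list outside_in permit tcp any host 10.1.1.5 eq www",
    "access-list outside_in permit tcp any host 10.1.1.5 eq https",
    "access-list outside_in permit udp 192.168.10.0 255.255.255.0 host 10.1.1.53 eq domain",
    "access-list outside_in deny ip any any",
]
NEW_CSV = [
    "Accept,tcp,Any,10.1.1.5,http",
    "Accept,udp,192.168.10.0/24,10.1.1.53,53",
    "Drop,ip,Any,Any,Any",
]

if __name__ == "__main__":
    old = [parse_pix_style(l) for l in OLD_PIX]
    new = [parse_csv_export(l) for l in NEW_CSV]
    print("\n".join(document_rulebase(old)))
    diff = compare_rulebases(old, new)
    for r in diff["missing_in_new"]:
        print("LOST in migration:", r)      # the HTTPS permit was dropped
    for r in diff["extra_in_new"]:
        print("NEW in target:", r)
```

The comparison is exact-match on normalized fields, which is deliberately strict: a rule that is semantically covered by a broader rule in the target will still be flagged, and a reviewer then decides whether that is an intended consolidation or a silent widening of the perimeter. That review step is the part the vendors in the article say cannot be automated away.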