Friday, May 1, 2009

Firewalls, Firewalls Everywhere

As you may have noticed, people have stopped talking about firewalls.  Of course, it could be because they've effectively become a commodity item and there aren't many differences between them anymore... at least none that make you go "Wow, that's cool!"... that is, until one day you look and you have several hundred of them because they've multiplied like rabbits.

The problem with firewalls is that there aren't just a few in most environments.  Just about every company I've ever worked for started out with one or two firewalls at the perimeter, and over time that number grew proportionately to the company (we hoped) until at one point there were 2-3 firewall guys managing upwards of 400 firewalls... manually.  If you can't guess, that made for one hell of a management nightmare, even if you were using something as pretty as Check Point's Provider-1 infrastructure. So now there's this big problem: even if you can comprehend what's going on with all these different firewalls, the complexity of it all will make you mad.

The problem is this... today's enterprises don't have just one simple point of entry into their network... there are often dozens, and potentially hundreds if not thousands, of ways into a company's network through which the bad things get in and make a mess of things.  This is where I think the tool I was introduced to will help, and thus I share it with you.

Some time back I was approached by folks from Secure Passage, to ask me what I thought of their product, Firemon.  I have to say that I was quite skeptical (as I typically am) when it comes to reviewing a product that deals with technology that should have been figured out last decade... but I gave it a shot.  I have to say, I was quite impressed by all the problems Firemon was solving that I honestly didn't even realize there were solutions to.  It's odd how we take complexity for granted and simply tell ourselves we just need to deal with it as part of the technological sprawl that plagues us all.

Work with me here... wouldn't it be just awesome if you could have one interface to tell you that one of your off-shore firewall admins just accidentally created a rule that's about to be pushed out and will wreak havoc on your network... and page you to let you know?  Wouldn't it also rock to be able to pull in every firewall rule you have, across every firewall you have... and see where you have overlaps, redundancies and rules that you aren't even using anymore?  Yes, Firemon does that... and many, many things more.
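To make the checks in that paragraph concrete, here is an added Python example of my own (not Firemon's code, and not its export format): rules from several firewalls are pulled into one list, each rule base is walked top-down to find rules that an earlier rule shadows (different action, so traffic never reaches them) or makes redundant (same action), rules with no hits are flagged as unused, and any allow rule that matches everything is flagged as the kind of change a pre-push check should page you about. The firewall names, field layout, rule set and hit counters are all constructed for the example.

```python
"""Constructed example: a rule-sprawl analyzer over rules exported from several firewalls.

The Rule layout, device names and hit counters below are invented for illustration;
a real deployment would map each vendor's export into this shape first.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    firewall: str   # device the rule lives on
    order: int      # position in that device's rule base (evaluated top-down, first match wins)
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp" or "any"
    ports: str      # "443", "1000-2000" or "any"
    action: str     # "allow" or "deny"
    hits: int       # match counter exported with the rule (constructed values)


def _net(cidr: str):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)


def _ports(spec: str):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a (a's match set is a superset)."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not _net(b.src).subnet_of(_net(a.src)):
        return False
    if not _net(b.dst).subnet_of(_net(a.dst)):
        return False
    a_lo, a_hi = _ports(a.ports)
    b_lo, b_hi = _ports(b.ports)
    return a_lo <= b_lo and b_hi <= a_hi


# A synthetic "match everything" rule: an allow rule that covers it is an any-to-any allow.
EVERYTHING = Rule("-", 0, "any", "any", "any", "any", "allow", 0)


def analyze(rules):
    """Return shadowed/redundant/unused/risky findings over a multi-firewall rule set."""
    findings = {"shadowed": [], "redundant": [], "unused": [], "risky": []}
    by_fw = defaultdict(list)
    for r in rules:
        by_fw[r.firewall].append(r)
    # Ordering-based checks are per device: only rules on the same box shadow each other.
    for fw, rs in by_fw.items():
        rs.sort(key=lambda r: r.order)
        for i, later in enumerate(rs):
            for earlier in rs[:i]:
                if covers(earlier, later):
                    kind = "redundant" if earlier.action == later.action else "shadowed"
                    findings[kind].append((fw, later.order, earlier.order))
                    break  # report the first earlier rule that swallows this one
    # Hit-count and risk checks apply across every firewall in the set.
    for r in rules:
        if r.hits == 0:
            findings["unused"].append((r.firewall, r.order))
        if r.action == "allow" and covers(r, EVERYTHING):
            findings["risky"].append((r.firewall, r.order))
    return findings


def sample_rules():
    """Constructed rule export from two firewalls, seeded with each kind of problem."""
    return [
        Rule("edge-1", 1, "10.0.0.0/8", "192.168.1.10/32", "tcp", "443", "allow", 12000),
        Rule("edge-1", 2, "any", "192.168.1.0/24", "tcp", "22", "deny", 50),
        Rule("edge-1", 3, "10.1.0.0/16", "192.168.1.10/32", "tcp", "443", "allow", 0),  # redundant with 1
        Rule("edge-1", 4, "172.16.0.0/12", "192.168.1.20/32", "tcp", "22", "allow", 0),  # shadowed by 2
        Rule("partner-dmz", 1, "any", "any", "any", "any", "allow", 9000),               # any-to-any allow
        Rule("partner-dmz", 2, "203.0.113.0/24", "10.5.0.0/16", "udp", "514", "allow", 0),  # redundant with 1
    ]


if __name__ == "__main__":
    for kind, items in analyze(sample_rules()).items():
        print(f"{kind:10s} {items}")
```

Two caveats worth keeping in mind when reading the output: the pairwise check only catches a rule swallowed by a single earlier rule, so a rule that is shadowed by the union of several narrower rules above it is missed, and a zero hit count only says the rule was unused over whatever window the counter covers, so clear counters and wait through a full business cycle before deleting anything on that basis.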

Of course, I didn't take their word for it... and I think I may have annoyed them when I kept asking questions and insisting on seeing an actual demo of the thing working... granted, I wasn't going to be buying anything, so doing a full-scale presentation and demo for me may have been a waste of their time, but I'm glad they took it.  I'm convinced this is one of the better tools out there to manage the firewalls that multiply like bunnies in your environments.  Before I start to sound too much like I'm trying to sell you on these guys... I'll simply urge you to check it out for yourself if this even remotely sounds like something you need help with in your environment.  As for me, I wish I had found these guys about 5 years ago when we had 375+ firewalls (mostly Check Point, Cisco and NetScreens) across a massive Class-B network connecting partners, vendors, customers, and our network endpoints... because I can promise that it would have saved me and my fellow engineers (you know who you are) a lot of late nights.

They have a screencast set up and readily available ... Click here to check it out.

[Disclaimer: I'm not getting paid to write this, nor do I have *any* stake in Secure Passage]


Anonymous said...

If you think Secure Passage is cool, wait till you see Tufin. We looked at both, and Tufin was more stable and had better reports.

Rafal aka "Raf" said...

@Anonymous: I know Mike Hamelin ("HackerJoe") over at Tufin... looks like a promising product but haven't had a chance to see it in action yet. If you work for them let me know and I'll be happy to review it too.