- If you answered yes then I know what your biggest problem is... without even talking to you - you have too many network devices to manage. Period, end of story.
It's crazy but the firewalls we've come to rely on to keep the bad guys out (and I say that mostly in gest... ahem, RSnake) have become our undoing. While firewalls are clearly not going to stop layer 7 hacks, or even some of the more advanced hackers they do accomplish the base purpose of reducing, at least to some visible degree, our company's exposed attack surface. Not counting web sites, our firewalls can keep a good amount of nastiness on the outside, but not if they aren't managed properly.
I recently worked for a company that had 250+ firewalls in a single business unit, mostly CheckPoint and Cisco Pix... managed either out of one of a handful of Provider-1 consoles, or remotely via telnet (then SSH, as available). That was one of those nightmares I never thought I'd wake up from... so you can probably see why I'm so interested, at least personally, in tools that aim to simplify the life of the firewall admins out there. If you're in this group and you manage more firewalls than you can honestly say you can handle sanely... read on, this one's especially for you.
Recently I wrote about a company that had some software which managed disparate firewalls all over the damn place, and alerted you when things went wrong... or when changes showed up that could cause you issues. I've since found another one that gets the job done... and how. The folks over at Tufin were kind enough to give me a full demo and a demo image to play with and I have to say I've been genuinely impressed.
It's crazy that products like this have to exist - but once you've got one of these puppies in your company's infrastructure you'll wonder how life ever went on without 'em. Think about being able to virtually test a firewall rule across every firewall you have. Will adding a web server object at 192.168.1.10 on firweall 99 conflict with a rule somewhere else on your network? It shouldn't ... but then again who the hell knows! With all the outsourcing, off-shoring, layoffs and restructuring going on these days can you afford to "be pretty sure" that you have a good, solid, and non-overlapping ruleset? Are your firewall rules as good as Swiss cheese, or are you actually able to hold some water?
Tufin's approach is interesting because it just seems to work... natively. With a central manager to pull data from all your firewalls and the ability to really "see" what's going on - I think this is one of those products you shouldn't go too long without... like socks or deodorant.
After playing with it, seeing the demo, and thinking some here are some of the things that caught my attention... and more importantly - why they caught my attention:
- Comprehensive enterprise view: What I mean is that now you have the ability to see every firewall object, policy, and rule in your entire enterprise across your CheckPoints, Ciscos, Netscreen/Junipers and whatever the heck else you have without having to open a dozen different consoles, GUIs, or neanderthally SSH shells to check it out... where was this when I was jockeying firewalls back in '98/'99... hrmm....
- Configuration change-management: Again, how did people live before this stuff was sold? If you're in the type of environment where 10 different teams make 100+ firewall changes a week (or worse...) then you're desperate for a way to see who made a change, when, and what it was... and if it's something that matches a specific no-no you'd want to be paged so you can administer your own brand of justice in the parking lot. It's more than just accountability - it's like having a link between every firewall rule-set in the company... and being able to see what's changed in a near-real-time way!
- Policy optimization: How many rules do you have... total? Hundreds? Thousands? What if you could (close your eyes and picture this) have a tool that ran across all your firewalls and figured out for you which ones don't ever get used anymore so you could throw 'em out? If someone asks you today if rule #124 on firewall 9A is pushing traffic - what do you say? Well, instead of burning through days and weeks of log files looking for that rule why not let Tufin do the work for you? It'll tear through your rule-sets for you and tell you which ones generate tons of traffic... and which ones are never used. Genius!
- Impact (Risk) analysis and management: Before you put in a rule that may potentially cause a catastrophic failure (elsewhere in the network) wouldn't it be great if you could do a simulated push to see what other rules the one you're putting in would affect? This is particularly important if you're babysitting outsourced firewall engineers at 3am while they go through and implement rules you had queued up for your change window. Will that rule cause havok? Forget about worrying... just let the Tufin box tell you what the impact will be - and whether you need to stay up or go get some much-needed z's
- Audit and compliance: Sadly, today's world really focuses on compliance and audit. You need to show pretty reports that you're auditing your rule-sets and you comply with what-ever the policy du jour is... but you still need some hours left in the day to get actual work which will provide actual security to the company done. Again, these guys have a great audit engine that can do the work for you - so you can go back to black-box scanning your web apps and smashing your head on the desk becuse the developers didn't listen to you.
- Vendor over-hype factor: 3/5
- Pretty good, vendor hits all the big buzz-phrases... but don't they all?
- Usability: 4/5
- Not simple, and some GUI and workflow quirks but you'll get over it once you start using the product and realize how necessary it is
- Utility: 4/5
- Great tool, they're working on support for a wide-range of devices and are willing to add what you use if there is sufficient push
- Product Sexiness: 3/5
- Hey, it's firewall managment software...
- Worth Your Time: 4/5
- Simply put, yes. If you manage a large contingent of firewalls - you should own this (or find one of its competitors)
Bottom line: This is a really cool product set with perhaps one of the most visible ROI models I've ever seen. Your ROI will be calculated in how much sanity, sleep, and confidence in your infrastructure you gain. Your upper-management will love that you've decreased fires, emergencies, and unscheduled downtime too... but then again that's all in a day's work.