
Lingerie and IT

By Calum MacLeod
Director of Sales, Benelux
Tufin Technologies

I’ve just come back from a seminar organized by an IT security integrator and I have to say that the attendance was not as good as they had expected. And what made it all the more depressing to start with was that in the very next room there was a lingerie demonstration and they were queuing out the door to get in. I was amazed at the number of men that had registered for the sessions, and I have to admit that the folks giving the demos were certainly more pleasing to the eye than the bunch of IT geeks I had to sit and listen to!

And then I’m thinking – IT Security used to be “sexy” - what’s happened?

So we’re into a presentation and demo of automatic policy generation for firewalls and I’m thinking “I wish I was next door” but then I’m slowly being seduced by what I’m seeing. Maybe it’s an age thing but I found myself thinking less about the demos next door and started to be drawn into a description about how the firewall administrator was able in a few minutes to carry out forensics on their firewalls.

Suddenly, instead of spending weeks or months poring over firewall logs to find out what was going on, he was talking about how they could spot unknown mail servers in the organization, outbound access through non-standard ports, who was accessing which HTTPS and HTTP servers on the internet, and even access to non-corporate mail servers!

Firewall policy management is normally an organizational nightmare. Imagine that an organization with ten to fifteen firewalls could spend anything up to six months trying to get to the bottom of what is going on. Even then, I am reliably informed by one organization that they tried for six months and hired expensive firewall specialists to do it, only to end up with very poor results. Now imagine achieving the same results in a matter of minutes. So how do they do it? Well, apparently it is something called “Permissive Rule Analysis” technology. This breaks down very general rules until they accurately and exclusively represent the actual traffic. Now I can’t see it being plastered on billboards to keep bored male commuters smiling on the way home, and you’re not going to buy it for your favourite lady as a Christmas present, but it definitely got my pulse rushing.

Now automatic firewall policy generation doesn’t look “sexy”. It’s not like you have this amazing GUI, or some brightly coloured box that you can stick in your IT rack and invite your management to come and gaze fondly at their latest expensive gadget. This, like so many other great developments in IT security, is amazing because of what it does in the background. At the seminar the question was asked, “Why would you consider not changing your firewall vendor?” and the universal response was, “We can’t convert our rule bases”.

As every security professional knows, installing a firewall is easier said than done. Creating an accurate firewall policy requires administrators to painstakingly go through a tedious, labor-intensive and inefficient log inspection process to try to identify legitimate business traffic and then create a rule set that will meet both security and business objectives. Given the complexity of network traffic today, this approach is never complete, and the only other alternative is deployment of an overly permissive, and ultimately ineffective, firewall policy that doesn’t actually do anything useful.

Well folks, “Permissive Rule Analysis” technology has just broken down one of the biggest barriers for users who want to change, and provides auditors and security officers with the ability to quickly and accurately analyze who is doing what. Suddenly the employee who spends all day browsing websites is exposed; the contractor who is sending emails to an unknown email server is identified. Every breach of policy relating to inbound/outbound traffic is identified. Administrators can remove Any/All parameters from rules and ensure that only essential services and destinations are accessible.
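A simplified sketch of the idea described above, breaking one permissive rule down into the specific flows it actually carried and flagging the cases the article mentions. This is an added example, not Tufin's product or algorithm; the log format, rule numbers, addresses, approved mail server and standard-port list are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: connections accepted by the firewall. Hypothetical
# rule 7 is the permissive one ("any -> any, any service, accept").
SAMPLE_LOG = """\
rule=7 action=accept src=10.1.1.5 dst=192.0.2.25 proto=tcp dport=25
rule=7 action=accept src=10.1.1.9 dst=192.0.2.25 proto=tcp dport=25
rule=7 action=accept src=10.1.1.5 dst=198.51.100.80 proto=tcp dport=443
rule=7 action=accept src=10.1.2.77 dst=203.0.113.9 proto=tcp dport=25
rule=7 action=accept src=10.1.2.77 dst=198.51.100.80 proto=tcp dport=8443
rule=3 action=accept src=10.1.1.5 dst=192.0.2.53 proto=udp dport=53
"""

KNOWN_MAIL_SERVERS = {"192.0.2.25"}  # assumption: the approved mail relay
STANDARD_PORTS = {25, 53, 80, 443}   # assumption: ports the policy expects

LINE = re.compile(r"rule=(\d+) action=accept src=(\S+) dst=(\S+) "
                  r"proto=(\w+) dport=(\d+)")

def tighten(log_text, rule_id, src_prefix=24):
    """Group traffic that hit one rule into specific candidate rules."""
    flows = Counter()
    for m in LINE.finditer(log_text):
        rid, src, dst, proto, dport = m.groups()
        if int(rid) != rule_id:
            continue  # only analyse the permissive rule
        # Collapse individual clients into their source subnet.
        net = ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)
        flows[(str(net), dst, proto, int(dport))] += 1
    return flows

def findings(flows):
    """Flag unknown mail servers and non-standard destination ports."""
    out = []
    for (net, dst, _proto, dport), _hits in sorted(flows.items()):
        if dport == 25 and dst not in KNOWN_MAIL_SERVERS:
            out.append(("unknown-mail-server", net, dst, dport))
        elif dport not in STANDARD_PORTS:
            out.append(("non-standard-port", net, dst, dport))
    return out

if __name__ == "__main__":
    flows = tighten(SAMPLE_LOG, rule_id=7)
    for (net, dst, proto, dport), hits in sorted(flows.items()):
        print(f"allow {net} -> {dst} {proto}/{dport}  # {hits} hits")
    for item in findings(flows):
        print("review:", *item)
```

The candidate rules are only as complete as the log window they were derived from, so traffic that occurs rarely (month-end jobs, failover paths) needs a longer observation period before the permissive rule is removed.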

You know what – IT Security is still “sexy” although it still has some way to go to compete with next door’s “GUI”.

Calum MacLeod is a Regional Manager for Tufin Technologies. With more than 30 years of expertise in secure networking technologies, Calum brings deep domain expertise and a wealth of long-standing business relationships to Tufin.

Prior to joining Tufin, Calum worked at Cyber-Ark Software as Director of Business Development, where he was responsible for developing their business in Privileged Identity Management in Western Europe and Africa. Prior to Cyber-Ark, he worked with several companies in the development and launching of new technologies such as SSL VPN and PKI.

MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.

© 2019 Simplex Knowledge Company. All Rights Reserved.