Michael Hamelin Chief Security Architect Tufin Technologies

Without exception, every company that is connected to the Cloud relies on firewalls for security. It is a fundamental tenet of network security to control access to users and application resources to protect the business.

It was not that long ago that firewalls were fairly straightforward, supplying network address translation features, terminating VPN sessions, and making allow/block decisions on access requests. Security teams could manage these early firewalls, supporting basic network configurations, with vendor-supplied tools.

In fact, it is still common to find security teams managing configuration rules for many deployed network firewall via simple text files. However, the accelerated adoption of cloud-based services such as Salesforce.com or Facebook, advances in next generation firewall technology, pressures to extend the life of existing firewalls, and requirements for tighter compliance with regulatory mandates has challenged even the best security teams.

Managing large firewall rule sets manually is a highly error-prone approach in today’s climate of cloud-based applications, data center virtualization, and compliance requirements.  By applying security automation where it can deliver dramatic time and cost savings, security managers can not only pump greater value out of their budgets, they also gain a greater level of visibility and control over a much more porous and malleable perimeter.

From a security operations, compliance and risk management perspective, there are some compelling reasons to consider automating the management of firewall policies.

1) Operations: The application agility provided by virtualization technology accelerates the rate of change in firewall rules.  Applications that used to take weeks to provision in a physical environment are now up and running on a virtual server in a matter of minutes. In addition, firewalls themselves are being virtualized with security having to manage multiple rule sets across firewall virtual machines. The complexity in network security due to applications launching at the speed of business underscores the needs for automated checking and auditing of changes to firewall rules.

2) Risk management: Cloud-based services require application awareness in firewall rules.  Many organizations use cloud-based services such as Facebook, Google, LinkedIn or Salesforce for important business. These services are not simple sites - they may deliver a mix of hundreds of personal-use and business applications. Most organizations cannot block or restrict traffic for the entire site, preferring to apply a more granular security policy to applications and users. Security teams are now bringing in next generation firewalls to meet the demand for application-level network security.   Manual management of much more granular polices that include application and user intelligence is simply not scalable.

3) Compliance: Firewall management is now maturing as standard network security operations. A large part of compliance is about managing the existing infrastructure, with change controls, documented audit trails, and segregation of un-authorized users from regulated applications. Meeting compliance expectations without increasing administrative burdens is a large requirement for utilizing cloud-based services and virtualized applications.

Security operations teams have learned to adjust to the fact that new and improved technologies introduced into the environment bring new and improved challenges – in the case of security, they are almost always a function of risk and complexity (in other words, more of both.)  This is why automation matters.  Thankfully, the industry is keeping pace, so that from a management perspective, the automation exists to account for the increased complexity that is introduced by game changing technologies such as virtualization.  Here are a few ways you can leverage automation to maintain visibility and control over network security operations in virtual environments:

• Automate checking of suggested firewall rule changes to ensure the network does not slip out of compliance with regulatory and/or corporate security requirements. This is especially true in virtual environments as applications and desktops appear on servers requiring resources that are often launched after the firewall rules are updated (i.e. it may not be obvious that the rule change breaks security policy until after the app executes).

• Automate job ticket workflow to ensure that security, server, and network teams remain in sync as firewall rules change. All teams within the IT organization can audit and work from the same workflow, eliminating redundant systems and extra auditing efforts.   This is useful in any network environment, but when dealing with virtual environments there may be additional stakeholders that need to be incorporated into the rule change process – the applications team, or a Cloud or hosted IT services provider.   The ability to create change processes that keep IT teams in sync is critical to establishing and maintaining a high performing IT organization. 

• Automate coordination of firewall rules with switches and routers to ensure performance and security coverage.  Firewalls are an essential element in the network fabric, and must be integrated with network operations. Automation removes errors and inefficiencies or managing related tasks across the network. 

• Automating network compliance auditing not only saves time and money, it’s smart business.  As organizations move data and processing to the cloud, they are still accountable to compliance mandates for controlled access, application segregation, and critical data protection. Automation allows businesses more flexibility in adapting virtualization and cloud solutions.

Some might argue that the more ‘disruptive’ and hyped any given enterprise technology is, the bigger the security headache.  However, the pace of security automation is, for the most part, keeping up with the rate of change to enterprise environments. Firewall management software provides the essential capability to secure the business while allowing IT to evolve the firewall infrastructure, embrace virtualization and cloud- based services, satisfy compliance mandates, and automate tasks to reduce operating costs.  It might not be a silver bullet, but when it comes to managing the extra complexity that comes with virtualized environments, it can be a silver lining.