Turn on any "techy" TV show or movie these days and you are bound to see some reference to hackers trying to break into corporate or government networks by breaching firewalls. While many of the scenarios are unrealistic as portrayed onscreen, the real-life battle between security vendors and hackers does go on. In their effort to defeat the "black hats", firewall and security vendors have dramatically increased the complexity of security devices and have started to incorporate firewall technology into all sorts of network infrastructure devices, like switches, routers, UC systems, etc.

Unfortunately, now that more devices are "responsible" for network security, more devices are potential targets for attack and therefore must be managed with the same higher level of attention that traditional firewalls receive. These systems must be scrutinized for their security posture and adherence to corporate governance policies, and known vulnerabilities must be patched rapidly. Simple configuration errors may create holes in firewalls, VPN tunneling errors could expose data to the Internet, and inconsistent settings can cause compliance issues with a regulatory framework.
In modern multi-vendor networks, administrators face many challenges in properly managing firewall configurations, ensuring compliance to regulations, carrying out changes, and minimizing network downtime caused by human error.
This post looks at the need for an automated network configuration and change management (NCCM) solution to address these concerns, and the main features that one should look for in an NCCM solution.
Configuration management involves identifying the configuration of a firewall system at given points in time, systematically controlling changes to the configuration, and maintaining the integrity and traceability of the configuration throughout the lifecycle.
It also involves the testing of the existing configuration vs known-good policies while simultaneously looking for any configuration that might expose the firewall to security or compliance risk.
Configuration management in this context can be summarized as:
- Device hardware and software inventory collection
- Device software management
- Device configuration collection, backup, viewing, archiving, and comparison
- Device configuration generation and "push"
- Device configuration policy checking
- Restore firewall configuration back to a recent good working state
- Interwork with fault and performance management to monitor and ensure availability and performance of the firewall platform installations
Device hardware and software inventory collection
The first step in being able to manage any system is to have accurate information about that device. Therefore, any good firewall NCCM system also needs to hold related information from a CMDB, such as up-to-date inventory data. It should (at minimum) contain hardware (chassis, daughter cards, memory, etc.) and software (OS, firmware) information that is regularly refreshed: once a week at minimum, once a day preferred, and changes should be tracked even in the short term between refreshes.
Device software management
This refers to the ability to push software updates (patches) to the OS/firmware of the firewall. Best practice is both to patch on a regular basis – we have seen larger enterprises routinely push two updates per year – and to have the capability to push emergency bug fix/vulnerability updates on an ad-hoc basis. The NCCM system needs to be able to perform OS and hardware checks such as software checksums, available memory, license compatibility, and so forth as part of the update process.
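As an added illustration of the pre-flight checks described above (this is example code, not part of the original post or any vendor's product), the following Python script verifies an image's checksum, confirms free flash and memory, and checks license compatibility before an update job is allowed to proceed. The image bytes, device facts, feature names and size requirements are all constructed; the "expected" digest is computed from the constructed image so the example runs offline.

```python
"""Added example: pre-flight checks an NCCM job runs before pushing a
firmware/OS image to a firewall. All devices, images and requirements
below are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Image:
    version: str
    data: bytes
    expected_sha256: str      # digest published by the vendor next to the image
    min_free_flash_mb: int
    min_ram_mb: int
    requires_feature: str     # license feature the image depends on (constructed)


@dataclass(frozen=True)
class DeviceFacts:
    hostname: str
    running_version: str
    free_flash_mb: int
    ram_mb: int
    licensed_features: frozenset


def preflight(dev: DeviceFacts, img: Image) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). The push proceeds only when reasons is empty."""
    reasons: List[str] = []
    # Checksum first: a corrupted or tampered image must never reach the device.
    actual = hashlib.sha256(img.data).hexdigest()
    if actual != img.expected_sha256:
        reasons.append(f"checksum mismatch ({actual[:12]}... != {img.expected_sha256[:12]}...)")
    if dev.free_flash_mb < img.min_free_flash_mb:
        reasons.append(f"free flash {dev.free_flash_mb}MB < required {img.min_free_flash_mb}MB")
    if dev.ram_mb < img.min_ram_mb:
        reasons.append(f"RAM {dev.ram_mb}MB < required {img.min_ram_mb}MB")
    if img.requires_feature not in dev.licensed_features:
        reasons.append(f"license lacks feature {img.requires_feature!r}")
    if dev.running_version == img.version:
        reasons.append(f"already running {img.version}")
    return (not reasons, reasons)


def plan_rollout(devices: List[DeviceFacts], img: Image) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a fleet into devices cleared for the push and devices blocked, with reasons."""
    go: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for dev in devices:
        ok, reasons = preflight(dev, img)
        if ok:
            go.append(dev.hostname)
        else:
            blocked[dev.hostname] = reasons
    return go, blocked


# Constructed image and a tampered copy that must fail the checksum check.
IMAGE_BYTES = b"constructed-firmware-image-9.2"
GOOD_IMAGE = Image("9.2", IMAGE_BYTES, hashlib.sha256(IMAGE_BYTES).hexdigest(),
                   min_free_flash_mb=512, min_ram_mb=2048, requires_feature="advanced-threat")
TAMPERED_IMAGE = Image("9.2", IMAGE_BYTES + b"\x00", GOOD_IMAGE.expected_sha256,
                       512, 2048, "advanced-threat")

# Constructed device facts as an inventory collector might report them.
DEVICES = [
    DeviceFacts("fw-a", "9.1", 1024, 4096, frozenset({"base", "advanced-threat"})),
    DeviceFacts("fw-b", "9.1", 1024, 4096, frozenset({"base"})),
    DeviceFacts("fw-c", "9.1", 256, 4096, frozenset({"base", "advanced-threat"})),
]

if __name__ == "__main__":
    cleared, held = plan_rollout(DEVICES, GOOD_IMAGE)
    print("cleared:", cleared)
    for host, why in held.items():
        print("blocked:", host, why)
```

The checks are deliberately independent so the job reports every blocking reason at once rather than stopping at the first; an operator then sees "license" and "flash" problems for a whole fleet in a single pass.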
Device configuration collection, backup, viewing, archiving, and comparison
One of the most basic tasks of any firewall NCCM solution is to back up the running configuration of the firewall.
It should be able to store backups for any length of time the customer requires, and any number of historical configurations. These historical backups are critical when there is a failure or misconfiguration, as they can be used to restore the firewall to a known-good state. They are also very valuable as a troubleshooting tool, because you can run a "diff" comparison between two or more configurations to look for changes that may have impacted service.
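The backup, archive, diff and restore-to-known-good workflow just described, as an added Python example (it is not code from the original post or from any NCCM product). Device names, configuration text and the "known-good" predicate are constructed; the ACL lines use a simplified Cisco ASA-style syntax purely for illustration.

```python
"""Added example: a minimal configuration archive that stores timestamped
snapshots, diffs two snapshots, and finds the newest snapshot that passes a
known-good check so it can be pushed back after a bad change.
Everything here is constructed for illustration."""
import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class Snapshot:
    taken_at: datetime
    text: str
    digest: str = field(init=False)   # SHA-256 of text; spots identical consecutive backups

    def __post_init__(self) -> None:
        self.digest = hashlib.sha256(self.text.encode()).hexdigest()


class ConfigArchive:
    """Holds every stored backup for one device (retention is the caller's policy)."""

    def __init__(self, device: str) -> None:
        self.device = device
        self.snapshots: List[Snapshot] = []

    def backup(self, running_config: str, taken_at: Optional[datetime] = None) -> bool:
        """Store a snapshot; return False and store nothing if it is identical
        to the previous one, so unchanged daily pulls do not bloat the archive."""
        snap = Snapshot(taken_at or datetime.now(timezone.utc), running_config)
        if self.snapshots and self.snapshots[-1].digest == snap.digest:
            return False
        self.snapshots.append(snap)
        return True

    def diff(self, older: int, newer: int) -> List[str]:
        """Unified diff between two stored snapshots (indexes into self.snapshots)."""
        a, b = self.snapshots[older], self.snapshots[newer]
        return list(difflib.unified_diff(
            a.text.splitlines(), b.text.splitlines(),
            fromfile=f"{self.device}@{a.taken_at.isoformat()}",
            tofile=f"{self.device}@{b.taken_at.isoformat()}",
            lineterm="",
        ))

    def last_known_good(self, is_good: Callable[[str], bool]) -> Optional[Snapshot]:
        """Newest snapshot that passes the caller's policy check: the restore candidate."""
        for snap in reversed(self.snapshots):
            if is_good(snap.text):
                return snap
        return None


def no_any_any_permit(config: str) -> bool:
    """Constructed known-good predicate: a config that permits all traffic is not good."""
    return not any("permit ip any any" in line for line in config.splitlines())


# Constructed sample configs; the second one replaces the final deny with a permit-all.
GOOD_CONFIG = """hostname edge-fw-1
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended deny ip any any
"""
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list OUTSIDE_IN extended deny ip any any",
    "access-list OUTSIDE_IN extended permit ip any any",
)


def demo() -> dict:
    """Back up twice (second is a duplicate), take a bad change, diff, pick restore point."""
    archive = ConfigArchive("edge-fw-1")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    archive.backup(GOOD_CONFIG, t0)
    duplicate_stored = archive.backup(GOOD_CONFIG, t0)   # identical -> skipped
    archive.backup(BAD_CONFIG, datetime(2024, 1, 2, tzinfo=timezone.utc))
    changes = archive.diff(0, 1)
    restore = archive.last_known_good(no_any_any_permit)
    return {
        "stored": len(archive.snapshots),
        "duplicate_stored": duplicate_stored,
        "changed_lines": [l for l in changes
                          if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))],
        "restore_from": restore.taken_at.isoformat() if restore else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The diff output is the troubleshooting artefact the text mentions: it isolates the single rule that flipped from deny to permit, and the known-good search returns the snapshot to restore from without an operator having to read every archived copy.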
Device configuration generation and "push"
One of the most common causes of network downtime is simple human error when making an "on the fly" configuration change.
Manually performing rule additions, changes, and deletions is not only tedious but also highly error-prone. As the rules increase, the number of possible rule combinations grows rapidly and it becomes virtually impossible to manually figure out the impact of each rule that is added or changed.
In most networked environments, firewalls from multiple vendors exist concurrently. Even though firewalls from different vendors serve a similar purpose, their design, architecture, and management can differ greatly.
This lack of configuration consistency can quickly lead to problems when a new policy must be deployed to a large number of heterogeneous firewall systems simultaneously. Having a central NCCM system that can abstract, and thus automate, the complex rule-creation syntax across vendor devices can greatly ease the burden of configuration rollouts.
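To show what "abstracting the rule syntax across vendors" means in practice, here is an added Python example (not from the original post or any NCCM product): one vendor-neutral rule model rendered into two concrete syntaxes, so a single policy can be pushed to a mixed estate. The iptables and Cisco ASA-style renderers are simplified illustrations of the idea rather than complete vendor grammars, and every rule and address is constructed.

```python
"""Added example: a vendor-neutral firewall rule rendered into two
vendor-specific syntaxes (simplified iptables and ASA-style ACL lines).
All rules and addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # only meaningful for tcp/udp

    def __post_init__(self) -> None:
        # Validate once, centrally, so every renderer can trust the model.
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.proto not in ("tcp", "udp", "ip"):
            raise ValueError(f"unknown protocol {self.proto!r}")
        if self.proto == "ip" and self.dport is not None:
            raise ValueError("a port makes no sense for protocol 'ip'")


def _asa_addr(net: IPv4Network) -> str:
    """ASA-style ACLs spell 'any' and single hosts specially."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_asa(acl: str, rules: List[Rule]) -> List[str]:
    out = []
    for r in rules:
        line = (f"access-list {acl} extended {r.action} {r.proto} "
                f"{_asa_addr(r.src)} {_asa_addr(r.dst)}")
        if r.dport is not None:
            line += f" eq {r.dport}"
        out.append(line)
    return out


def render_iptables(chain: str, rules: List[Rule]) -> List[str]:
    out = []
    for r in rules:
        target = "ACCEPT" if r.action == "permit" else "DROP"
        parts = [f"iptables -A {chain}"]
        if r.proto != "ip":
            parts.append(f"-p {r.proto}")
        parts.append(f"-s {r.src.with_prefixlen} -d {r.dst.with_prefixlen}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append(f"-j {target}")
        out.append(" ".join(parts))
    return out


# Adding a vendor means adding one renderer; the policy itself never changes.
RENDERERS: Dict[str, Callable[[str, List[Rule]], List[str]]] = {
    "asa": render_asa,
    "iptables": render_iptables,
}

# Constructed policy: allow HTTPS to one web server, then deny everything else.
POLICY = [
    Rule("permit", "tcp", IPv4Network("0.0.0.0/0"), IPv4Network("10.0.0.5/32"), 443),
    Rule("deny", "ip", IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0")),
]


def generate(vendor: str, container: str, rules: Optional[List[Rule]] = None) -> List[str]:
    """Return the vendor-specific lines an NCCM push job would send to the device."""
    return RENDERERS[vendor](container, POLICY if rules is None else rules)


if __name__ == "__main__":
    for vendor, container in (("asa", "OUTSIDE_IN"), ("iptables", "FORWARD")):
        print(f"# {vendor}")
        print("\n".join(generate(vendor, container)))
```

Keeping validation in the model rather than in each renderer is the point: a malformed rule is rejected once, before any vendor syntax is generated, instead of being caught differently (or not at all) on each platform.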
Device configuration policy checking
Corporate governance policies such as Sarbanes Oxley (SOX), NERC, PCI-DSS, HIPAA, MiFID II, SAS 70, Basel II, and GDPR have all been introduced to ensure levels of security and integrity are maintained for company financial information and any stored personal details of customers.
However, translating these policies into an actionable firewall configuration can be a huge challenge. For example, the PCI-DSS policy states that the organization will "install and maintain a firewall configuration to protect cardholder data". However, it does not specify what firewall rules to deploy or what type of firewall to use and so forth.
Standards are used to define the policy goals, but they must be turned into a usable configuration which supports the policy standards.
Policy compliance then verifies that policies are implemented and remain operational.
So, compliance is really a continuing process of configuration and verification. A good NCCM tool can help with both aspects of the job. It provides a mechanism to turn the corporate policy or rule into an electronic policy that can be configured on a firewall. The NCCM system must then be able to periodically test the running firewalls to determine whether they still adhere to the originally configured policies and no unwanted changes have been introduced.
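As an added example of that "electronic policy" idea (example code, not from the original post or any product), the Python below turns written requirements into checks that a scheduled NCCM job can run against each firewall's running configuration. The ACL syntax is a simplified Cisco ASA-style format; the device names, addresses, the set of "cardholder data environment" hosts, and the services allowed to reach them are all constructed, and the PCI-style check is only one possible translation of the "protect cardholder data" requirement quoted above.

```python
"""Added example: policy requirements expressed as machine-checkable tests
run against running firewall configs. Config syntax, hosts and policy
values are constructed for illustration."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional

ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\d+))?$"
)

# Constructed translation of "protect cardholder data": only HTTPS may reach CDE hosts.
CDE_HOSTS = {"10.0.0.5"}
CDE_ALLOWED = {("tcp", "443")}


class Finding(NamedTuple):
    check: str
    passed: bool
    evidence: List[str]       # offending config lines, kept for the audit trail


def parse_acl(config: str) -> List[Dict[str, Optional[str]]]:
    rules = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["line"] = line.strip()
            rules.append(rule)
    return rules


def check_no_any_any_permit(config: str) -> Finding:
    bad = [r["line"] for r in parse_acl(config)
           if r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any"]
    return Finding("no_any_any_permit", not bad, bad)


def check_explicit_final_deny(config: str) -> Finding:
    last: Dict[str, dict] = {}
    for r in parse_acl(config):
        last[r["acl"]] = r             # keeps the last rule seen per ACL
    bad = [r["line"] for r in last.values()
           if not (r["action"] == "deny" and r["proto"] == "ip"
                   and r["src"] == "any" and r["dst"] == "any")]
    return Finding("explicit_final_deny", not bad, bad)


def check_cde_services(config: str) -> Finding:
    bad = []
    for r in parse_acl(config):
        if r["action"] != "permit":
            continue
        target = r["dst"].replace("host ", "")
        if r["dst"] == "any" or target in CDE_HOSTS:     # 'any' also reaches CDE hosts
            if (r["proto"], r["port"]) not in CDE_ALLOWED:
                bad.append(r["line"])
    return Finding("cde_only_allowed_services", not bad, bad)


def check_no_cleartext_mgmt(config: str) -> Finding:
    bad = [l.strip() for l in config.splitlines() if l.strip().startswith("telnet ")]
    return Finding("no_cleartext_mgmt", not bad, bad)


CHECKS: List[Callable[[str], Finding]] = [
    check_no_any_any_permit, check_explicit_final_deny,
    check_cde_services, check_no_cleartext_mgmt,
]


def audit(configs: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Run every check against every device; a scheduler would call this daily."""
    return {dev: [check(cfg) for check in CHECKS] for dev, cfg in configs.items()}


def non_compliant(report: Dict[str, List[Finding]]) -> List[str]:
    return sorted(dev for dev, findings in report.items()
                  if not all(f.passed for f in findings))


# Constructed running configs for two devices; the second has drifted badly.
CONFIGS = {
    "edge-fw-1": """hostname edge-fw-1
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended deny ip any any
""",
    "edge-fw-2": """hostname edge-fw-2
telnet 192.168.1.0 255.255.255.0 inside
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 22
access-list OUTSIDE_IN extended permit ip any any
""",
}

if __name__ == "__main__":
    for dev, findings in audit(CONFIGS).items():
        for f in findings:
            print(dev, f.check, "PASS" if f.passed else "FAIL", f.evidence)
```

Each finding carries the exact lines that triggered it, which is what turns a periodic check into evidence an auditor can use and a change ticket an operator can act on.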
If you oversee managing firewalls or security devices, then network configuration management may well be worth investigating. Network configuration management provides the tools to give you an audit trail of changes to your firewalls. It can also make enforcing corporate or regulatory policies much easier. Lack of efficient and effective device configuration management affects the business continuity of enterprises. Manual device configuration eats away the time and effort of skilled administrators, who struggle to keep track of configuration changes as networks grow larger and larger.
Automated NCCM solutions enable network administrators to take total control of the entire life-cycle of firewall configuration management. Changing configurations, managing changes, ensuring compliance and security are all automated. These solutions improve efficiency, enhance productivity, help save time, cost, and resources, and minimize human errors and network downtime.
With a good NCCM solution in place, enterprises can make best use of their firewall infrastructure. They can achieve increased network up-time and reduced security risk.
Thank you to Peter Moessbauer, of Infosim, for the article.