Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager. Follow SolarWinds:

Transcription

1 Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager

2 Introduction What s different about Federal Government Firewalls? The United States Federal Government, compared to most commercial organizations, relies on a disproportionally larger number of firewalls to carefully restrict access to information. With the large number of firewalls that are installed in multiple locations in the IT infrastructure it is critical that they are all configured properly to provide the protection they need while allowing appropriate access to achieve the mission. Not only are there more firewalls in federal government agencies, these firewalls are installed in many places in the network to limit access to information within a single agency. In federal government IT access is heavily restricted even within the same organization. Also, when you add into the mix the fact that the Internet Protocol (IP) is designed to route packets dynamically, it is possible that a firewall intended to block particular access could be inadvertently routed around through a different firewall (or set of firewalls) that may end up allowing access to the restricted information. Making things even more complex, routers may implement Access Control Lists (ACLs) that provide some of the functions of firewalls, so routers may also need to be looked at as a type of firewall device. And finally, due to typically high turnover of IT contractor personnel, the institutional memory of the firewall architecture and firewall strategies cannot be relied on. The end result is typically a complex architecture of multiple firewalls and routers that have the potential for overlapping and contradictory rule-sets. Because of this, today at most agencies there is a complex architecture of firewalls that are in place and that seem to be working okay. But every day new requests to change firewall rules are made. And people that may not understand the entire firewall architecture are making those small changes to the rules every day. If you are responsible for firewall security in a large government organization, there are probably some days you might think it is time to look for a less stressful line of work. Or are wishing that there is a technology that can look at all your firewalls and routers and how they are configured to provide you the information you need to maintain security, compliance and appropriate access to information reducing your sleepless nights. Managing Firewall Complexity The good news is that easy to implement, cost-effective technology is available to help you manage your agency s complex firewall configuration. SolarWinds Firewall Security Manager (FSM) and Network Configuration Manager (NCM) can work together to provide excellent visibility to the current state of your firewall and router configurations, provide guidance on how to improve those configurations, and help make future changes in a more secure and controlled way. Now, let s dive into more details and how this can work for you. To effectively manage and protect the enterprise network assets being controlled by firewall devices, it is essential that administrators have access to the latest configurations and understand what they contain. Some of the activities firewall administrators do on a regular basis are: Allowing access such as making a new program, project or department available to another agency or a contractor Providing new users and new networks with access to internal/external IT assets. Adding services Allowing a new service to a critical host 2

3 Infrastructure changes Maintaining service availability Blocking services Blocking access These day-to-day activities are often interrupted by other tedious, manual and time consuming initiatives such as: Tuning the firewalls to get optimum performance Compliance Reporting. Making sure that specific agency policies defined by the Security officer and/or government regulations are not violated Cleaning up the rules, as the rule size becomes immense and very difficult to manage Preparing for a firewall audit and responding to queries from a firewall auditor. Getting ready for a FISMA / NIST or DISA STIG compliance audit! Migrating a firewall configuration to a different type of firewall Firewall Management Challenges for Federal Government Network complexity has evolved rapidly over the last 10 years. Today s networks consist of many different network devices (firewalls, routers, switches, etc.) from many different vendors, with many access mechanisms into the network (wireless, mobile devices, , and web portals for citizens, employees, warfighters, and industry partners, FTP servers, and peer-to-peer applications and communications) all introducing security risk to the enterprise. Firewalls continue to be one of the cornerstones of network security and, as such, have become more sophisticated and complicated to operate and manage resulting in a number of challenges for the IT professional. Organizing the rule base to support the mission Maintaining compliance with security policies Understanding the impact of changes Managing a multi-vendor environment Dynamically changing networks, evolving needs of the agency, and emerging external threats all drive the need to add or change rules. Ideally, these rules would be added to the firewall in an organized manner and enhanced to suit specific business purposes. Unfortunately, that is not reality. Rules are added in an ad-hoc manner and the collection of configurations across the network eventually becomes a disordered, chaotic mess. Adding to this complexity, the typically high turnover of Federal IT contractors reduces the institutional memory of why certain rules were created and how those rules were implemented in the network security architecture. Manually understanding the effect of rule additions, changes, or disablement is not only painfully tedious, it is error prone. As the rule base increases, the number of possible combinations explodes. For example, we have observed rule bases consisting of a total of 875 3

4 rules with 125 Deny rules using almost 4000 address objects/groups and 800 service objects/groups has hundreds of thousands of combinations. If there are many overlaps between the rules and if the rule base is sprinkled with many rules blocking dangerous services then it becomes virtually impossible to figure out the impact of each rule manually. In most networked environments, firewalls from multiple vendors exist to provide security defense-in-depth. Even though firewalls from different vendors serve a similar purpose, their design and architecture are different. Cisco firewalls, for example, have rule sets that can be enforced on an entering or exiting interface of the traffic as well as a NAT control feature that serves as an additional access control function while Juniper NetScreen firewalls enable users to apply rule sets based on the origination zone and the destination zone. It is rare to have firewall administrators who have an understanding of all firewall types and this will introduce inconsistencies in policies deployed to the firewalls and without a unified view of what exists in these firewalls, one cannot easily compare rules. Additionally, there is no unified interface for accessing and managing these firewalls across vendors; they are often managed from separate consoles and getting access to the configuration or pushing changes might often involve logging into the device using SSH or telnet. Federal Government firewall architecture also typically has multiple firewalls within an agency or department to further control access to information. The end result is that when any two computers communicate with each other in a Federal Agency or Department there is a good chance that the packets flow through two or more firewalls, and in fact the firewalls in each direction of packet flows may even be a different set of firewalls. IP routing allows packets to dynamically change their path so the firewall rules need to be created with a detailed understanding of the possible routing paths so all possible routes are covered with appropriate rules. This additional complexity due to having multiple firewalls with multiple possible routes through those firewalls makes manual analysis of firewall rules in a complex Federal Government IT environment virtually impossible. Firewall Analytics As mentioned above, firewall configurations can easily grow very complex, especially in the Federal Government where access to information must be carefully restricted even within the same agency or department. Managing firewall configurations for multiple vendors that are trying to protect multiple routes to critical data makes this an extreme burden. What is needed is a technical assistant, if you will, that understands the science of firewalls. This assistant is the firewall analytics tool. It completely understands all components of the firewall configuration for meaning and intent and an ideal firewall analytics tool can provide the following help to the firewall administrator: Firewall Profile - Scan your firewall inventory to quickly identify high risk firewalls, assess your risk profile and make specific recommendations for changes Security Audit and Compliance Reports Automatically evaluate firewall rules for compliance with industry best practices from NSA, NIST, DISA STIG, SANS and others. Allow compliance rules to be modified to address ever-changing compliance requirements such as DISA STIG and FISMA/NIST. Search Existing Rules to Avoid Duplication - Advanced rule search (by names or content) to aid the user in determining if rules are already in place for that object and whether these existing rules can be modified for a specific change request, or if new rules really do need to be added for that change request. Without this ability, the quick solution is to just add new rules 4

5 this could easily duplicate existing rules or add new rules that increase the size and complexity of the rule base. With this analytic function, administrators can adeptly change existing rules instead of always adding new rules. Rule/Object Cleanup & Optimization Analyze firewall rules and actual usage logs to identify redundant, overlapping, and unused rules. Through rule analysis, the user can maximize the opportunity for cleanup by catching every possible case of redundancy. Redundancies represent errors in the configuration that play no role in the firewall s behavior and can be immediately removed. Usage analysis looks at the rules and objects usage based on hit counts and traffic data for a given period of time. This is useful to remove temporary rules and rules that are no longer needed. Additional improvements can be achieved through rule re-ordering that takes into account all rule dependencies so that performance and readability can be improved while ensuring the firewall s behavior is not adversely impacted. Change Impact Analyze (or model) the impact of a change before a change is actually pushed to the device. Accurate impact analysis will help in better understanding the impact on service availability as well as the inadvertent exposure of any security holes. This also will result in few configuration changes and less rule bug fixing. Historical Rule Tracking Maintain a history of the business justification for each firewall rule as well as tracking the rules that have changed over time. This is especially critical in Federal IT where turnover of IT contractors tends to be high. Automated Compliance / Audit Reporting Provide daily automated reports of compliance with security requirements. Allow the compliance policies to be edited so they can reflect the latest DISA STIG and/or FISMA/NIST compliance requirements. The Role of Configuration Management Firewall analytics are only one of the tools required to ensure optimal performance and health. Automating the process of configuration changes, change detection, device management, and compliance reporting through a Network Change and Configuration Management (NCCM) tool will greatly simplify the firewall configuration process and reduce the risk of human error. A good NCCM tool should be able to do all of the following for all types of network devices (firewalls, routers and switches) even in a multi-vendor environment: Automatic Config Backups automatically backup firewall device configurations as well as router and switch configurations on a regular basis (daily typically) Policy Violation Detection & Reporting automatically generate daily FISMA/NIST and DISA STIG compliance reports for all of your firewalls, router and switches based on the most recent configurations Real-time Alerts when configuration changes occur, automatically track who made the change, what changes were made and notify appropriate people User Roles, Permissions, and Activity Tracking protects against unauthorized firewall config changes and provides audit trail of who made what changes and when Config Comparisons & Rollback identify and repair unauthorized and failed configuration changes with a side-by-side comparison 5

6 Change Management simultaneously modify configurations across multi-vendor devices without the need for complex scripting and CLI commands. Unified Interface across all firewalls in the network eliminates the need for device specific utilities How do SolarWinds Network Configuration Manager and Firewall Security Manager help? SolarWinds Network Configuration Manager (NCM) is the configuration management solution and SolarWinds Firewall Security Manager (FSM) is the firewall analytic solution that work together to automate much of the work firewall administrators need to do in the Federal Government. NCM and FSM can be used to automate many of the tasks firewall admins must do to maintain security in their agency networks while ensuring compliance with the appropriate requirements such as FISMA/NIST or DISA STIG. SolarWinds NCM automatically downloads and checks the configuration of the individual devices (firewalls, routers, and switches) to ensure they are configured according to compliance requirements. For example, NCM can check that the configuration file specifies that only SSH can be used by an administrator to connect to a firewall and that TELNET access is disabled to that device. Many of the DISA STIG compliance checks and FISMA compliance checks can be downloaded from the SolarWinds User Forum (thwack.com) and applied to your NCM instance. In compliment to this, SolarWinds FSM looks at the firewall rules across multiple firewalls and routers simultaneously to analyze, detect and report on the effectiveness of those rule sets and the compliance of those rule sets. A suitable analogy is to think of your entire set of firewall configurations as a complex piece of writing (paragraph, composition, or white paper), in which case you can think of NCM compliance reporting as a spell checker for your firewall configurations, and FSM analytics as a more complex grammar checker for your firewall rule sets. In other words, NCM can automatically check if certain regular expressions are in the configurations, while FSM parses the entire set of rules and analyzes how those rules work together to maintain compliance. By using SolarWinds NCM and FSM together, you can more effectively manage firewall configurations and the changes that are made to these firewall configurations, while maintaining compliance with the appropriate security requirements. 6

7 Agency Network Firewall Security Manager SolarWinds Network Configuration Manager delivers affordable, easy-to-use network change and configuration through a full-featured, web based console that offers point-and-click simplicity and easy access to firewall configuration data. NCM simplifies managing network configurations by continuously monitoring device configurations and providing immediate notification of configuration changes to help resolve problems before they impact users. Simultaneously modify configurations across many multi-vendor firewalls through automated bulk-change management Receive real-time network change notifications when firewall configurations change Detect firewall config policy violations to ensure compliance with federal requirements such as DISA STIG and FISMA/NIST Compare configurations and restore to a previously known state 7

8 Automatically backup firewall configurations on a scheduled basis Inventory network devices and create detailed reports. Schedule jobs to update configurations each night, execute command scripts, remotely reboot devices, and run reports. Using SolarWinds FSM, you can completely understand what is inside your firewall, its current behavior or the impact of a change you plan to make. SolarWinds FSM offers a virtual environment, disconnected from the actual network, to accurately simulate the behavior of data packets on the network. FSM can determine whether a change is required, and if so, it identifies the specific devices on the network and the precise rules that require to be changed. Before a change is deployed to production, you can model the impact on traffic flow without injecting any data into the network. Once a change looks satisfactory, automated scripts can be pushed through SolarWinds NCM. For maintaining compliance, you can update the business justification for modified and added rules, and track a rule throughout its lifecycle. Firewall Security Manager offers powerful filtering capabilities for isolating policies by rule and object content. Automated scripts can be used to clean up the 10-30% of unnecessary rules that exist in most firewall rule bases. Apply a recommended optimized rule order that increases firewall performance while keeping firewall behavior preserved. Integrated for More Automation SolarWinds FSM is available standalone or as an integrated firewall management solution with SolarWinds NCM, giving users the power to establish a fully automated daily download of all configurations for backup, change reporting, compliance reporting and detailed firewall rule security analysis to include compliance with evolving Federal Government requirements. With SolarWinds quick to implement, cost effective technology you can manage your complex federal firewall configuration to easily access all the information you need to maintain security, compliance, and appropriate access to information. Who is SolarWinds? SolarWinds provides powerful, simple and affordable network management software and network monitoring software to more than 95,000 customers worldwide -- from Fortune 500 enterprises to small businesses. Focused on the real-world needs of network professionals, SolarWinds products are downloadable, easy to use and maintain, and provide the power, scale, and flexibility needed to 8

9 manage today's complex network environments. SolarWinds' growing online community, thwack, is a gathering-place for problem solving, technology sharing, and participating in product development for all of SolarWinds' products. Download a free, fully-functional 30-day trial of SolarWinds Network Configuration Manager and SolarWinds Firewall Security Manager. SolarWinds IT management and monitoring software for government is available on the GSA Schedule and numerous other contract vehicles. From the data center to the field, take control of your IT infrastructure quickly and easily and start delivering increased services for less! Contact us today for more information: federalsales@solarwinds.com or solarwinds@dlt.com 9