Posted on Sep 14th, 2017 by Karen Crowley

Firewall administrators are inundated with change requests – so much so that they lack the visibility they need and don’t have the luxury of time to investigate all the implications a change may have on the network.  In an enterprise network, there are often multiple firewalls, and most organizations have moved or are moving to the cloud, adding more complexity and increasing challenges for administrators.

This lack of time and resources to efficiently manage network changes leads to:

  1. Outdated, unused, redundant, shadowed or overly permissive rules
  2. Significant problems with performance degradation
  3. Increased attack surface
  4. Lack of visibility into network and security policies
  5. Inability to prove compliance resulting in an audit failure and hefty fines
  6. Users and DevOps circumventing the system because provisioning takes too long

Automation is key to break the cycle and provide firewall administrators with more time to perform higher level functions to increase overall security. The problem is that most organizations are not taking a systematic approach to automation that is sustainable over the long term.  We recommend you begin by automating tasks that will have an immediate impact on your organization. Starting small and building on success is the only way to build true end-to-end automation.

Start with firewall administration automation:

To begin your journey to automating network configuration changes, focus on the most time-consuming tasks first.

  • Firewall administrators spend a great deal of time managing change requests, leaving little time to optimize the network and ensure security. With the pressure to provide users access, everyday tasks such as rule decommissioning and server decommissioning are often the lowest on the priority list. These tasks, however, hold great value to securing the network against threats.  Automating these functions will increase visibility, improve performance, strengthen security, and ensure you meet compliance mandates.

The top three firewall tasks that Tufin automates out-of-the-box are:

  • Rule Decommissioning
  • Server Decommissioning
  • Object Modification

Next, pay attention to policy-based automation

  • Policy is the key component in maintaining the security posture of the network while improving the efficiency of firewall administration. Manually determining whether a new rule change violates or complies with the policy is tedious and error-prone. Using Tufin’s policy-based automation solutions, rule changes can be analyzed, designed, and provisioned quickly and accurately.

Finally, incorporate a business-based approach with application-driven automation

Changes to network access rules may lead to application downtime and revenue loss. Managing and troubleshooting connectivity becomes even more challenging in a heterogeneous network. In addition, visibility into the application on the network is challenging.  An application-based approach to automation ensures  that an application:

  • Complies with existing policy
  • Enables rapid application onboarding, changes, and decommissioning, and
  • Simplifies application connectivity throughout the network

Complex hybrid enterprise networks with multi-vendor firewalls will greatly benefit from automation that begins small and builds. Network security policy automation of firewall administration ensures that you can prove both internal and external compliance and pass your next audit. By taking a systematic approach to automation, you reduce the complexity of your network, make changes in minutes instead of days or weeks, and free up your firewall administrators to focus on tasks that will improve the performance of your network.

Read more about network automation in this blog post on Gartner’s Market Guide for Network Automation.