Posted on Apr 2nd, 2012 by Michael Hamelin

Firewall Change Management

Over the years, many have proclaimed the death of the firewall, but it has yet to happen. In fact, with the advent of next-generation firewalls and the availability of mature solutions that automate firewall management, the firewall is undergoing something of a renaissance.

If you have ever looked at a firewall rule and wondered how it got there, or have been afraid to delete or modify a firewall rule because you were concerned you might break something, then you might want to think about elevating your organization's firewall management efforts to a higher level.

Regardless of whether you have one or 100 firewalls, creating a repeatable, sustainable process for firewall management can bring immediate time and cost savings and improve an organization's ability to manage its network security risk and compliance posture. The maturity model below can help. The stages are based on evaluating how almost 1,000 companies have improved firewall management within their organizations - where they started, how they moved forward, and how they measured their own improvement.

Because these stages should apply to any business of any size in any industry, there is no finite set of requirements to advance from one stage to the next. The idea is that you can use this model to help gauge where your organization sits on the firewall management maturity curve and how to move it along.

Stage One: Immature

At the lowest end of the scale are companies with no method to the madness. Changes are made as they come, and the process is mostly, if not completely, manual. For example, suppose a company pushes out seven new rules and changes to 30 objects within existing rules; mistakes could be not only explosive but also difficult and time consuming to correct. How do you know you're in this bucket? Well, if you answer "yes" to more than three of the scenarios listed below, then chances are you're at level one and you can benefit dramatically from firewall change management process improvements.

  • You look up a change and have no idea why it was done or who did it.
  • You look at a rule and wonder how it got there.
  • Team members don't know why rules are on the firewall.
  • Everyone is afraid to make a change to anything that exists.
  • Every new rule is added to the top of your rule base.
  • Firewalls are slow - rule bloat causes the device to take a long time to install a policy.
  • You/your team spend a lot of time making sure changes work.
  • A noticeable number of changes need to be redone.
  • You are afraid to acknowledge what is not being done.

Stage Two: Emerging

Emerging companies are those that are starting to put some structure and reporting around their firewall monitoring and change management efforts. Process automation is already underway and those involved are interested in making improvements.

Instead of wondering why a change was made or what might happen if they delete or move a rule, firewall admins at emerging companies spend their time determining if a new access request should be met by changing an existing rule instead of crafting a new rule, or if changes can be grouped by service or destination.

Emerging companies are likely to be using Excel and/or Word to manage changes. With some degree of auditability, they have visibility into metrics such as how many new rules, new objects, changed rules and modified objects occur during each change window. While they have much less security and compliance exposure than immature companies, they can still benefit from additional process automation. Here are some signs you are at this stage:

  • Too much time is spent looking up data in spreadsheets.
  • Documentation is messy and filled with errors.
  • While there is more confidence around implementing changes, there are still concerns that deleting rules will break something.
  • Optimization is welcomed - it's understood that rule bloat is simply the nature of having mature systems and it's a good thing to start streamlining them.
  • Attention is given to change management processes - since ticketing systems don't account for the details for firewall changes, admins start to track them themselves.

Stage Three: Mature

For the most part, mature companies have already implemented three things:

  1. An automatic system for monitoring configuration changes with accountability info. Basic items such as who made each change on every firewall and when they made it are documented and auditable. Firewall rules can be automatically analyzed for risk and compliance, and the benefits of automation are quantifiable - at least anecdotally.
  2. An optimization strategy. Teams are in maintenance mode, as opposed to undertaking a major initiative to clean out the rule bases, and have the people, process and technology resources needed to execute.
  3. Automated or semi-automated firewall change management processes. There are set change windows and an established (ideally automated) workflow process for change management that includes risk and compliance analysis for any given change request.

Firewall administrators at mature companies have made significant strides on the operations side and are focused on fine-tuning - especially when it comes to change management. However, despite process automation, they still lack business context. There is little or no communication with the business units, which is why change management is still difficult.

Stage Four: Highly Mature

Highly Mature organizations have successfully implemented structure around their firewall operations and change management efforts. Instead of looking at the risk stemming from a single firewall, teams are assessing the risk posed by groups of firewalls, risk per zone, etc., and spending less time per change. All the details surrounding where to place a change in the rule base are automated and executed within established change windows, and changes on a firewall are automatically reconciled with ticketing systems.
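The following is an added example, not code from this article or from Tufin. It shows, on a constructed rule-base format, the per-window metrics described in Stage Two (new, changed and removed rules; new and modified objects), the accountability and risk analysis of Stage Three (who changed what, and which edits are broad enough to need review), and the ticket reconciliation described above. Object names, rule ids, ticket ids and addresses are all invented sample data.

```python
# Added example, not code from the article or from Tufin: diff two snapshots
# of a firewall rule base taken at the start and end of a change window,
# report per-window metrics, and flag edits that need risk review or lack a ticket.

def diff_rulebase(before, after):
    """Per-window lists of new/changed/removed rules and new/modified objects."""
    b_rules, a_rules = before["rules"], after["rules"]
    b_objs, a_objs = before["objects"], after["objects"]
    return {
        "new_rules": sorted(set(a_rules) - set(b_rules)),
        "removed_rules": sorted(set(b_rules) - set(a_rules)),
        "changed_rules": sorted(r for r in set(a_rules) & set(b_rules) if a_rules[r] != b_rules[r]),
        "new_objects": sorted(set(a_objs) - set(b_objs)),
        "modified_objects": sorted(o for o in set(a_objs) & set(b_objs) if a_objs[o] != b_objs[o]),
    }

def needs_risk_review(rule):
    """Flag accept rules that use 'any' as source, destination or service."""
    return rule["action"] == "accept" and "any" in (rule["src"], rule["dst"], rule["svc"])

def review_window(before, after, change_log):
    """Metrics plus accountability: risky edits, and edits with no ticket behind them."""
    report = diff_rulebase(before, after)
    touched = sorted(report["new_rules"] + report["changed_rules"])
    report["risk_review"] = [r for r in touched if needs_risk_review(after["rules"][r])]
    report["no_ticket"] = [r for r in touched + report["removed_rules"]
                           if not change_log.get(r, {}).get("ticket")]
    return report

# Constructed snapshots: objects map names to addresses, rules reference objects by name.
BEFORE = {"objects": {"web_srv": "10.0.1.10", "db_srv": "10.0.2.20"},
          "rules": {
              "R1": {"src": "any", "dst": "web_srv", "svc": "tcp/443", "action": "accept"},
              "R2": {"src": "web_srv", "dst": "db_srv", "svc": "tcp/5432", "action": "accept"},
          }}
AFTER = {"objects": {"web_srv": "10.0.1.10", "db_srv": "10.0.2.21", "mon_srv": "10.0.3.5"},
         "rules": {
             "R1": {"src": "any", "dst": "web_srv", "svc": "tcp/443", "action": "accept"},
             "R2": {"src": "web_srv", "dst": "db_srv", "svc": "any", "action": "accept"},
             "R3": {"src": "any", "dst": "any", "svc": "any", "action": "accept"},
             "R4": {"src": "mon_srv", "dst": "db_srv", "svc": "tcp/5432", "action": "accept"},
         }}
# Constructed change log: who made each change, when, and under which ticket (if any).
CHANGE_LOG = {
    "R2": {"by": "alice", "at": "2012-03-30T22:10", "ticket": "CHG-1042"},
    "R3": {"by": "bob", "at": "2012-03-30T22:41", "ticket": ""},
    "R4": {"by": "alice", "at": "2012-03-30T22:50", "ticket": "CHG-1043"},
}
REPORT = review_window(BEFORE, AFTER, CHANGE_LOG)
```

For the sample window, REPORT lists R3 and R4 as new, R2 as changed, db_srv as modified, mon_srv as new, R2 and R3 as needing risk review, and R3 as having no ticket.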

The time and motivation exist to assess change management processes for business risk. Firewall administrators see themselves not just as engineers but also as contributors to the business. As a result, they are better equipped to respond to business changes via new compliance and risk-related rules or processes.

For example, a business decides it is going to start processing credit cards, and the firewall team should be able to understand how that will impact them. Where do they need to store the personally identifiable information (PII)? How will they protect it? When should they start with quarterly PCI audits?

Other signs you have arrived at stage four:

  • Firewall audits are fully automated, and no longer dreaded.
  • You start hearing terms like "continuous compliance" used regularly.
  • You can easily communicate about progress and improved integrity of systems.
  • Because there has been positive feedback, teams are motivated to communicate improvements.

Highly mature companies understand the impact IT can have on the business. Investments in IT Security, unlike most other areas of IT, are not intended to generate revenue and, as a result, in some organizations are perceived as a financial black hole. However, firewalls are core technology, and with the advent of next-generation firewalls are just as relevant now as they were 15 years ago, if not more so.

Sometimes, good business simply involves applying common sense. In other words, why invest in a new set of less proven security technologies when you can dramatically improve the performance of and ROI on an existing investment? Investing in firewall management can deliver transformative results - especially if yours is a stage one organization - and can set the standard for how IT Security can and should function within a business context.

So why wait?

Michael Hamelin is the Chief Security Architect at Tufin Technologies.