Stop wasting time and get easy access to information with strong Firewall Policy Management.
Let’s start off with some questions:
- Is your firewall secure? Is it compliant? How do you know? Can you prove it?
- Do you have quick and easy access to audit information and to data on the security impact of firewall policies?
- Are your firewall policies effective?
- Have your firewalls been optimized to remove unnecessary policies that slow down traffic processing?
- How much time do you spend on change control associated with firewall policies?
- How much time do you spend on false positives monthly?
- Are automation and orchestration part of your current or future strategy?
To tackle the chaos associated with network security policies, with emphasis on firewalls, CDA takes a holistic approach that addresses the people, processes and platforms required to maintain a disciplined and structured program.
In this blog article, we share best practices around developing a cost efficient, highly secure, and sustainable “Firewall Policy Lifecycle Management” Program (“FPLM”).
We love firewalls and we hate firewalls. We love the protection they provide but hate the level of scrutiny and administration required to keep them compliant. Firewalls are a critical part of any corporate IT environment.
Firewalls and the associated network security policies provide protection and visibility to and from the world outside of your corporate walls. While firewalls are vital to protection, they can also become your worst enemy when poorly managed or maintained.
Getting your arms around managing multiple firewall vendors, policies, administration, and the agility required by your business objectives can be a daunting task for any organization.
To address the challenges of achieving compliance, security, performance, and operations aligned with IT and security objectives you need a program to manage the lifecycle. We call this a “Firewall Policy Lifecycle Management Program” or “FPLM Program” for short.
The high-level goal of this plan is to develop a policy and implement it in such a way that the policy is visible, easily understood, and used as part of the platform to govern and report on risk.
What you see in the image below is an example of how we help customers map their “zone to zone” communications and evaluate security risks.
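The kind of zone-to-zone analysis described above can be scripted. What follows is an added example written for this article, not CDA's own tooling: it takes a constructed, vendor-neutral rule list evaluated in first-match order, builds the zone-to-zone matrix, flags shadowed rules (one source of the unnecessary policies that cost processing time without adding protection) and flags allow rules that open a lower-trust zone toward a higher-trust zone for any service and any destination. The zone names, the trust ranking, the rule format and the rules themselves are all assumptions made for the example.

```python
"""Zone-to-zone analysis of a firewall rule base.

Added example for this article (not CDA's own tooling). The rule format,
zone names, trust ranking and the rules themselves are constructed
assumptions; a real run would load rules exported from the firewalls.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    rid: str
    src_zone: str
    dst_zone: str
    src: str       # IPv4 CIDR or "any"
    dst: str       # IPv4 CIDR or "any"
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "allow" or "deny"


# Assumed trust ranking: traffic flowing toward a higher number enters a
# more sensitive zone and deserves a tighter rule.
TRUST = {"untrust": 0, "dmz": 1, "trust": 2, "restricted": 3}


def _net(spec):
    """Translate "any" into the whole IPv4 space so subnet checks work uniformly."""
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def covers(outer, inner):
    """True if every packet `inner` matches is also matched by `outer`."""
    return (outer.src_zone == inner.src_zone
            and outer.dst_zone == inner.dst_zone
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.service in ("any", inner.service))


def shadowed_rules(rules):
    """First-match semantics: a rule fully covered by an earlier rule can never fire.
    Returns (shadowed_id, shadowing_id) pairs; these rules cost lookups but do nothing."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.rid, earlier.rid))
                break
    return found


def zone_matrix(rules):
    """Map (src_zone, dst_zone) -> ids of live allow rules opening that path.
    Deny rules are only considered through shadowing; this is a visibility aid."""
    dead = {rid for rid, _ in shadowed_rules(rules)}
    matrix = defaultdict(list)
    for rule in rules:
        if rule.action == "allow" and rule.rid not in dead:
            matrix[(rule.src_zone, rule.dst_zone)].append(rule.rid)
    return dict(matrix)


def risky_paths(rules):
    """Live allow rules opening a lower-trust zone toward a higher-trust zone for
    any service and any destination: the rules an auditor asks about first."""
    dead = {rid for rid, _ in shadowed_rules(rules)}
    return [r.rid for r in rules
            if r.action == "allow" and r.rid not in dead
            and TRUST[r.src_zone] < TRUST[r.dst_zone]
            and r.service == "any" and r.dst == "any"]


# Constructed sample rule base, in the order the firewall evaluates it.
RULES = [
    Rule("R1", "untrust", "dmz", "any", "10.1.1.10/32", "tcp/443", "allow"),
    Rule("R2", "dmz", "trust", "10.1.1.0/24", "10.2.0.0/16", "tcp/5432", "allow"),
    Rule("R3", "untrust", "dmz", "any", "10.1.1.0/24", "tcp/443", "allow"),
    Rule("R4", "untrust", "dmz", "any", "10.1.1.10/32", "tcp/443", "allow"),  # duplicate of R1
    Rule("R5", "untrust", "restricted", "any", "any", "any", "allow"),        # wide open
    Rule("R6", "trust", "untrust", "10.2.0.0/16", "any", "any", "allow"),
    Rule("R7", "trust", "restricted", "any", "any", "any", "deny"),
]


if __name__ == "__main__":
    for (src, dst), ids in sorted(zone_matrix(RULES).items()):
        print(f"{src:>10} -> {dst:<10} {', '.join(ids)}")
    print("shadowed:", shadowed_rules(RULES))
    print("risky:", risky_paths(RULES))
```

Note that R1 is not reported as shadowed even though the later, wider R3 covers it: under first-match evaluation R1 still fires, so it is redundant rather than dead. Redundant rules are worth a separate pass, because removing them changes nothing only if the action and logging settings are identical.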
FPLM Best Practices
CDA Best Practices for developing a strong FPLM Program follow 4 repeatable steps:
- Analyze
- Design
- Build & Test
- Knowledge Transfer
In each step we address people, process and platform.
Analyze
The goal of the analysis phase is to understand the roles and responsibilities of the people supporting the environment, review the requirements and use cases driving the current firewall policies, and evaluate the current processes and platforms.
This simple step can make a huge impact: streamlining change control procedures, reducing false-positive notifications, improving network performance, and clearly communicating the requirements for the accurate, auditable information needed to prove the security of the environment.
Deliverables should include:
- A RACI (Responsible, Accountable, Consulted, Informed) matrix identifying roles and responsibilities
- Documented security, compliance and audit requirements, and the use cases they address
- An evaluation of existing processes and any automation and orchestration in use
- An evaluation of the infrastructure
- A detailed inventory including business and technical contacts
- Identified gaps, redundancies and opportunities to reduce processes and platforms
Design
CDA provides firewall policy design services ranging from green-field design to re-design, protecting the devices in your organization from unwanted network traffic, whether it gets through the perimeter defense or originates inside your network.
Our goal – improve the visibility and security of your firewall policies while clearly defining the risk and reward of each design recommendation.
- Design processes based on roles and responsibilities to support the use cases and requirements. Empower your employees to do meaningful work and give the organization the visibility and guidance it needs to work well as a team.
- Design a unified security policy that meets compliance and corporate objectives.
- Design platforms required to support the separation of duties, use cases and requirements.
- Prioritize design recommendations with risk, reward and cost analysis.
Build & Test
Build work should follow the prioritized recommendations identified during design. Implement the fast, easy, low-cost wins first, where security and compliance are not at stake. Offload the work your team doesn’t want to do.
- Build the workflows to support consistent deployment
- Build the core components for the platform:
  - Firewall and Network Policy Management Platform
- Build the components necessary to support the processes and platforms:
  - Change Orders, Ticketing/Support
  - Alerting, Monitoring, Reporting
- Ingest and configure the devices to be monitored and managed:
  - Syslog Configurations
- Test the workflows and processes to ensure all requirements are met and documented.
- After testing, the overall program is ready for deployment.
Knowledge Transfer
It’s easy for IT teams to focus on the hardware, software and technology needed to do the job and to neglect building structured processes and assigning roles and responsibilities to the most capable teams.
This neglect creates significant risk and audit findings for businesses governed by regulations and frameworks such as DISA STIGs, GDPR, HIPAA, SOX or NIST.
Not only do we transfer knowledge on the platform (hardware and software), we also educate the team on the agreed-upon processes needed to maintain compliance, above and beyond the actual firewall configuration tasks.
Knowledge transfer and communication across the IT team are important to success. Below is a table outlining the roles to target and the benefits they’ll see: