
How to manage your multivendor firewalls like a pro

December 14, 2007 12:00 PM ET


He said the AlgoSec gear generates reports that let him know whether his firewall rule sets are within the range of compliance standards set for PCI.

AXA is more concerned about SOX compliance, and Raymonda uses the AlgoSec software to assess the risk of new firewall rules proposed by AXA operating companies.

Those risk-assessment reports are reviewed by the requesting operating company, which determines whether the risk is acceptable in light of Sarbanes-Oxley requirements, he said.

The software can gather data for risk assessment from multiple firewalls based on a single instruction. So if he needs to assess a new rule for external firewalls, he doesn't have to deal with each one individually. Instead, the AlgoSec platform treats them as one group and analyzes them together, saving time and reducing errors.

"Everybody has made an error here or there in positioning a firewall rule," he said. "To have [Firewall Analyzer] do the calculations of literally millions and millions of potential access methods and evaluate it and come up with a risk assessment is just a godsend."

Raymonda said he has the AlgoSec software configured to poll firewalls regularly on its own to perform routine compliance checks.

These third-party platforms can also help find all the rules that apply to individual devices, which comes in handy for Forester, who is moving Emdeon servers from Nashville to a new data center in Memphis. Tufin's SecureTrack software finds all the existing firewall rules pertaining to each server so the rules can be transferred to the Check Point firewalls located in Memphis, he said.
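The per-server rule lookup described above can be sketched in a few lines. This is an added example, not code from the article or from Tufin or AlgoSec, and it does not claim to show how those products work. The normalised `Rule` format, the device names and the addresses are constructed assumptions, and it handles IPv4 only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    firewall: str   # device the rule was exported from (hypothetical names)
    rule_id: str
    src: str        # CIDR, single IP, or "any"
    dst: str
    service: str    # e.g. "tcp/443"
    action: str     # "accept" or "drop"

def _net(field):
    """Normalise an address field to a network; 'any' becomes 0.0.0.0/0."""
    cidr = "0.0.0.0/0" if field.lower() == "any" else field
    return ipaddress.ip_network(cidr, strict=False)

def rules_for_server(rules, server_ip, broad_prefix=24):
    """Return (rule, side, specific) for each rule whose src or dst covers server_ip.

    side is the field with the longest matching prefix. specific is False when
    that prefix is /broad_prefix or wider: a shared rule that needs review at
    the new site rather than a straight copy.
    """
    ip = ipaddress.ip_address(server_ip)
    hits = []
    for rule in rules:
        matches = []
        for side in ("src", "dst"):
            net = _net(getattr(rule, side))
            if ip in net:
                matches.append((net.prefixlen, side))
        if matches:
            prefixlen, side = max(matches)
            hits.append((rule, side, prefixlen > broad_prefix))
    return hits

# Constructed sample: normalised exports from two hypothetical firewalls.
RULES = [
    Rule("fw-nash-1", "12", "any", "10.20.5.17", "tcp/443", "accept"),
    Rule("fw-nash-1", "13", "10.20.5.16/28", "10.30.0.10", "tcp/1521", "accept"),
    Rule("fw-nash-2", "7", "10.20.0.0/16", "any", "udp/53", "accept"),
    Rule("fw-nash-2", "8", "192.168.1.0/24", "10.20.9.9", "tcp/22", "accept"),
]

if __name__ == "__main__":
    for rule, side, specific in rules_for_server(RULES, "10.20.5.17"):
        tag = "migrate" if specific else "review (broad match)"
        print(f"{rule.firewall} #{rule.rule_id} {side} {rule.service} {rule.action}: {tag}")
```

Rules that match only through `any` or a wide subnet are flagged for review because copying them verbatim to the new site would carry over access for every other host they cover.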

In general, Gartner said businesses should stick with a single firewall vendor, but it also realizes that is not always practical in large companies, Young said. Keeping firewalls optimized and compliant without these tools is a much greater task, he said.

The alternatives businesses use are generally manual, such as recording changes in Excel spreadsheets that have to be analyzed by hand. He said these lists get out of date, and administrators then have to look around for the information they need. "Some of it may be in the Check Point console and then Fred knows what's happening on the Cisco console," Young said. "Nothing will ever replace a really knowledgeable firewall administrator, but it removes complexity."

For large companies, the software probably makes sense, he said. A business that might spend $10 million to $20 million on firewalls, for instance, would spend about $50,000 on these tools, so it represents a proportionally small investment, Young said. The demand for these products is not enormous, and total sales for this type of product are $100 million or less, he said.

"It solves an irritation problem rather than being a show-stopper. It adds oil to the machinery," Young said.


Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.
