Good and bad experience - A case study of the use of AlgoSec FireFlow.
The Good:
· Cut turnaround time on firewall rule changes from weeks to days.
· Improved network visibility via policy discovery, map and traffic simulations.
· Increased accuracy of firewall changes with improved network security.
· Highly improved traceability and accountability in the firewall change process.
· It is easy to customise AlgoSec FireFlow to a quality system.
The Bad:
· Lots of time was used to build and maintain the topology database (the network map). This is the foundation for the magic to happen. If the topology is wrong, the path discovery and automatic selection of Firewalls in path / in scope for the change can be incorrect.
· A decommissioning feature is missing in FireFlow. Separate unused rules can be found and decommissioned via the AlgoSec Analyzer, but the FireFlow product does not have a feature for decommissioning a complete FireFlow ticket.
· The system has a so-called roll-back feature, but this is implemented very simply, just by a restore of the complete configuration. In practice, this feature is not useful. If a FireFlow ticket is implemented, and it is discovered that some of the data in the ticket was wrong, it is not possible to roll back the mistakenly implemented firewall rules. The cleanup is a manual task that can be time-consuming.
Challenges in this case story:
To reach the goal and have the above highlighted business impact, several challenges were faced during the first year of deployment.
One of the best lessons is that the AlgoSec FireFlow system is only accurate if the network topology is complete and accurate. We would have to spend a lot of time tweaking the network topology to make it accurate.
Another challenge was software bugs. The AlgoSec technical assistance center was keen to help fix the software defects, but it was still time-consuming at times when software defects were disturbing normal operation.
Results
Firewalls need constantly maintained rule changes and security assessment in order to adapt to the ever-changing business and threats. We see our decommissioned business applications, new factories or sites that are built, etc.
This altogether brings a heavy workload on the security department.
Now the firewall maintenance tasks scale with existing staff.
Firewall rule changes take days and not weeks.
The most significant benefits we achieved were:
· All firewall rules match exactly the planned action
· All stages of a change are now accountable in the history/audit trail of the change
· No time spent on already working change requests
· Full visibility into the network path of traffic
The intelligence provided by the AlgoSec system and the easily accessible security controls are significant, reducing the time spent in the periodic security assessments carried out.
in the AlgoSec product:
Over the last couple of years we have had several missing features in the product that prevented us from reaching the full extent of automation from the start. However, most of the missing capabilities are in the product today.
What remains is better support for decommissioning of firewall rules and applications. This is high on our wish list.
Challenge
We are responsible for the network infrastructure and security on more than 95 firewalls. The network infrastructure and security must follow the same strict regulated quality guidelines as the main business area itself.
The most central aspects of strict regulated quality are:
Traceability: the ability to reconstruct the development history of the products.
Accountability: the ability to resolve who has contributed what to the development and when.
Firewall change management in this environment is time consuming and cumbersome.
Each firewall change took several weeks at high cost. Many firewall rules were built unnecessarily wide due to complexity in the network.
Many changes were performed for already working traffic. Human errors in the creation of firewall rules put the total security at risk. The validation process was cumbersome and error-prone.
Solution
We succeeded in automating the flow in the change process with full traceability and accountability. AlgoSec FireFlow was integrated with the surrounding quality system using the great customisation capabilities, and is now used as the main change management system for all infrastructure changes to switches, routers and firewalls in the production network.
We took advantage of the AlgoSec system's ability to add intelligence in all stages of a change.
This raised the accuracy of firewall changes.
Disclosure: My company has a business relationship with this vendor other than being a customer: I have been working as a contractor for the Customer for 2 years building and using the AlgoSec FireFlow.
My company originally sold the solution to the Customer; however, my role has been operation and maintenance at the Customer site each day for the last 2 years.
Sonia Pinho