I am a contractor and I work on security. At this company, we primarily use FireMon for firewall rule analysis and as part of our firewall rule certification process.
Our environment is on-premises using VM hosts.
I am a contractor and I work on security. At this company, we primarily use FireMon for firewall rule analysis and as part of our firewall rule certification process.
Our environment is on-premises using VM hosts.
With respect to compliance management, this product does cover some of the compliance factors, although not all of them. For example, in terms of accountability, it has all of the data available for third-party rules and auditing. It can produce a comprehensive report. However, compliance has its own set of requirements.
We planned on having divisions for about 400 days but at 700 gigabytes, the file size was too large and it was interfering with our database backups. Consequently, we had to cut it down to 100 days, which means that we're missing 300 days of divisions. The fact that we no longer had a complete view of 400 days of data was a setback for us. Otherwise, the metadata has been pretty handy.
We do not run assessments on new firewall rules before they are deployed, but we can set it up in such a way that compliance can be checked automatically once we push a rule to the firewall. If there is a problem then the new rule will be flagged. As it is now, we do all of the compliance assessments manually. The reason that we don't use the compliance module in FireMon is that it creates a heavy load on our CPU.
Prior to FireMon being implemented, the company had Tufin running to conduct assessments. They were flagging some rules, based on the subnet categorization that is defined in Tufin. However, those kinds of assessments were not really accurate. They also weren't making any changes to the rules that were problematic.
When they brought in FireMon, we started to run reports that are pretty precise. They were more accurate, and based on the firewall zone definitions. We began to flag rules that made sense and we also started to analyze them. Afterward, we were able to get rid of a lot of risky rules. There were a lot of shadow rules identified that we cleaned up. The agenda was to make sure that the security compound or security footprint within the company is safe.
For this task, FireMon has been very helpful in terms of flagging such rules so we can drop them and improve the security of the infrastructure.
FireMon has improved our compliance process in terms of the time and effort required to create compliance reports. As far as the rule recertification is concerned, it's made it easier for us because it's just one click to explore the metadata of each firewall rule and its information. For example, we use owner fields, technical descriptions, review dates, next review dates, and exceptions, if there are any exceptions. With all of the metadata in place, it can be given to the compliance team.
This solution has helped us to decrease errors and misconfiguration that increased risk in our environment. By using the system that we did to flag risky rules, we were able to identify problems and mediate or eliminate them. We are still working on this but at this point, we have completed 80% of our cleanup. It has been helpful.
FireMon helps to identify and prioritize fixes, although we do the repairs manually. This is something that is necessary when you consider our network and how our firewalls are configured. FireMon does provide suggestions and we make use of them, but we conduct our own manual analysis in addition to the reports. This acts as a valuable double-check for us, which is very important for our security posture.
The most valuable feature is that everything is recorded in the historical logs, including the firewall rules, hit counts, object-level usage, and the rule documentation. The rule certification details are also there, which means that someone can be held accountable for a specific firewall rule.
The logs product documentation and metadata that is very useful for compliance purposes.
Usage reporting, including hit counts, is helpful for analysis. It comes in very handy when we can see how the firewall rules are being used because it can help us clean them up.
Fireman has helped us in terms of being able to clean up firewall rules in a large environment, first of all, by helping to identify the risky rules. Rules are flagged using the filters, based on the zone metric definitions. We then refer to the object usage reports that we get within a group, along with the traffic analysis that we get from Splunk, and all of this is considered when it comes to making a decision. The rule might stay the same, be modified, or be dropped. FireMon has given us the extra ability to be able to do this.
We have not used the Policy Planner but even so, we have identified areas of improvement with it during our testing. For example, it could be better when it comes to ease of integration or ease of policy automation. Another problem is that there is a console where it has too many options and is not very straightforward. Essentially, controlling it could be made more seamless.
We have been using FireMon since the start of 2019.
Stability-wise, we did not have any issues.
There are no issues with scalability.
We have different business units in different countries. For example, we have users in Hungary and they're a different business unit. They're not given access to the firewalls or Panorama, although they were given access to FireMon where they can view the policies related to the Hungarian firewalls. There are between 10 and 15 people in the Hungarian business unit that use FireMon on a regular basis and their role is to view the policies.
We have a few people from the NetOps team and the network technical center team that use the rule certification process, and they collect statistics on rule usage. These teams have mid-level privileges on the system.
I have superuser privileges, and there is one other person that has the same access I do. He uses it for documentation on the firewalls for our offices in the Netherlands and Poland. Aside from these, we have other people who use it more generally for things like viewing rules.
FireMon is being extensively used within the company and we have a few new users being onboarded next week. They are part of a third-party contract and the user count will increase, although I don't think that any new modules will be added.
I would rate the support a nine and a half out of ten.
They were really proactive and helpful in terms of support when we had issues. The servers have been pretty good and we haven't had any problems with them. There will be minor bugs and all of that, but they're always helpful and things get fixed with the next release.
Prior to FireMon, the company was using Tufin.
The reason that we switched is that somebody in the company decided that they wanted to have a one-stop solution for pushing the policies to the firewall, and for automation of policies to facilitate compliance. FireMon had the capability, which was proven with a PoC.
Everybody liked the solution and that's why it was implemented. Ultimately, the one-stop solution was not used because, with our Palo Alto firewalls, it has been decided that Panorama will push the rules, rather than FireMon. At this point, I can't see that changing in the future. Panorama is not going anywhere because that is how the firewalls are managed. At the same time, they wouldn't want to rely on FireMon to push rules to Panorama, so this is why the system will stay as it is.
Overall, however, the capabilities are better compared to other similar products.
The basic implementation was straightforward but when you're talking about configuring the servers and all of the other steps, for a tool of this size, it's never straightforward.
For example, when configuring the servers, you will still have minor or major issues that you have to tackle or have to fix during the initial implementation. It may be straightforward to do so, but fixing problems will always lead to other problems in the process.
Overall, it was an easy implementation, but at the same time, it was ongoing. Our deployment did not take more than a month to complete. This included adding the firewalls from Check Point, which was done in advance of setting up FireMon. We had to set up the CPMI log collectors and then configure the Check Point dashboard to forward all of the logs to FireMon. Although it was time-consuming, I think it took less than 20 days in total.
With respect to our implementation strategy, we followed a basic approach. We started with installing all of the servers, and then we had to move all of the devices from Tufin to FireMon. We had three vendors including Cisco, Check Point, and Palo Alto.
We added each firewall vendor separately and we made sure that all of the logs were being forwarded to the data collector. This is where we get all of the log data hit counts, and we have to make sure that all of the devices are being retrieved successfully, without any issues. We also had to ensure that nothing was impacting the performance of the servers and there were instances where we had to wait for the specifications of the server just so they could meet all of the performance requirements. For example, the retrievals and all of the log data had to work properly.
All in all, there were a lot of steps and we had to get support tickets throughout. Thankfully, the support was great. They were very helpful during the initial implementation stage.
I was part of the implementation, testing, and onboarding processes. I have been part of the day-to-day operations, as well. I am the only person doing the maintenance and taking care of the tool.
Maintenance involves upgrading the servers, and we have to make sure that all of the backup files are generated on time. Also, we have to check that they are being transferred via SFTP to our backup server. Basically, we have to make sure that the servers are healthy and nothing's causing any problems.
This is an expensive solution. The cost of three modules for three years was approximately one million. There are no costs in addition to the standard licensing fees.
The company evaluated AlgoSec and a few other tools, ultimately zooming in on FireMon. It was after the initial evaluation that the PoC was done.
The latest release is version 9.4.2 but we only upgrade to the version behind the most recent release. This is so that we are more aware of what the issues with it are.
We have a module called Policy Planner that facilitates the automation of firewall policies across large multi-vendor enterprise environments, but we never use it in practice. We bought the module and we tested it. In fact, we had plans to integrate with ServiceNow for the automatic policy portion, but the organizational policy here is to make changes only within the Panorama. Essentially, we have the technology, but we can't make use of it.
This is definitely a product that I recommend, based primarily on how it compares with other similar tools.
I would rate this solution a nine out of ten.
We have actually played around quite a bit with the network flow piece of it (with the routers). That has helped us troubleshoot a few things with data flow and where it might be stopped or redirected to an incorrect location.
We use the following components of AlgoSec: AlgoSec Firewall Analyzer (AFA), FireFlow, and AppViz. We have a very limited cloud deployment at the moment.
We have a very complex network environment. It requires very specific compliance protocols to be put in place, including HIPAA compliance, PCI compliance, and HITRUST compliance. Therefore, we have very specific rules that we have to adhere to. We have 13 sites with very complex setups at each site to allow for redundancy and security, utilizing multiple vendors and technologies to achieve that.
We are currently developing and going to have a hybrid deployment for the cloud and on-prem. Right now, 98% of our stuff is on-prem, and that will change. We are probably going to be about 75% on-prem and 25% in the cloud, which is very complex. This will allow our external vendors and external clients in as well as all our internal resources.
They have compliance rules built right into the system. Right out-of-the-box, you can run a compliance check against your environment that tells you exactly what needs to be fixed and why. Their compliance check is phenomenal. They even have a base compliance check. So, you can set your own standards to make sure that all your equipment meets those base compliances that you have for internal standards.
AlgoSec has reduced the time it takes to implement firewall rules in our organization. While our usage of it has been fairly limited to what we have tested so far, it has probably reduced the time by about 30%.
It gives us 100% visibility into our network security policies. It has given us a couple of surprises. Over the years, the network that we are administrating has been subject to people who have an idea of how a network should be set up. That differs from technician to technician or engineer to engineer. So, we are finding little pockets of hidden little self-engineered configurations and the way things were done that nobody knew about. Once the engineer left, the knowledge of that setup disappeared. You don't know about those until something either goes wrong, or you get something like AlgoSec to discover it for you, and it says, "Hey, there is this going on over here."
It has helped us figure out how it was set up and why it was set up that way, then allowed us to engineer it so it fits a little better into our standards. We found a couple of secrets in our network that nobody would have known about. If we had an outage on those, nobody would have been able to figure them out without a tool like AlgoSec. This would have been a complete outage for our organization. Since we are healthcare insurance, that is a significant amount of money.
It has helped to simplify the job of our security engineers. We have a snapshot of where we are at with the correct data that we need to be able to fix the issues that we have. We keep finding little secret pockets of out-of-standard configurations that need to be addressed.
AlgoSec absolutely provides us with full visibility into the risk involved in firewall change requests. There is a risk analysis piece of it that allows us to go in and run that risk analysis against it, figuring out what rules we need to be able to change, then make our environment a little more secure. This is incredibly important for compliance and security of our clients. We deal a lot with patient health information that needs to be secure for physicians who are dealing with it and the patients themselves.
The most valuable for us so far has been the firewall rule analysis. Just to be able to get to a point where our infrastructure is secure and stable. The analysis runs everything that we actually need. When we run a report, we need to look at the report, then go back to the analysis because the analysis has all the information for us. We just have to match up the analysis to the report.
We have a security vendor who runs an analysis on the logs that we send them. We have multiple vendors who come in and do an annual security assessment. We have multiple vendors who come in and do an annual penetration test. We have vendors who deal with the end clients as well as vendors who deal with the servers for security, in addition to our firewalls, routers, and public interfaces. AlgoSec takes all of the information on our network, puts it into one single pane of glass where we can go and request what we need from the vendors. Plus, there are reports in AlgoSec that we can run and send out to our vendors so they have an eye into what we are looking at.
The reports are lacking information when they come out. They will not pull the URL or application information from Cisco FTDs. I know this works for Palo Alto Firewalls, which we currently do not have. If they could improve the integration with Cisco FTDs as a whole, that would be immensely helpful.
We are actually in the process of purchasing AlgoSec. We have gone through a proof of concept with them. Right off the bat, running through that proof of concept with them was absolutely fantastic. Usually, they have an offsite proof of concept server that you connect up to, then kind of take a look at their technology to see how everything works and if you like it. However, we have a different setup onsite for some of our firewall rules. We wanted to make sure that their application/appliance worked on our internal environment. They were more than willing to set up an onsite PoC for us so we could make sure everything did work.
The stability is fantastic. We haven't had an issue with stability at all.
Two people are needed for maintenance (someone for backup plus me). Maintenance on it is fairly limited. It is very automated in the way that it handles all our data and firewall needs.
The scalability is easy, just add more licenses if needed, then turn up another virtual machine. It is pretty straightforward.
There will probably be a dozen of us actually utilizing AlgoSec. This will mainly be the network and security team, then the security team themselves.
During deployment, the technical support fixed our issue within 30 minutes of the phone call.
We are in the process of doing microsegmentation right now. That is one of the reasons why we started looking into a utility like this because we needed to get that current snapshot of where we are at and where we need to go. AlgoSec is beyond phenomenal for helping to create and manage this type of initiative. With the automation piece and the fact that we can take a look at the traffic that is currently running through our firewalls and automate the rules being created for that. This will take a lot of manual work off of our shoulders that would have taken many man-hours to be able to implement.
We ran into some errors/issues, so it probably took us a week to fully deploy it. The process was straightforward except for the typos that we had in the programming. Without those typos, it would have been up within half a day.
We had an implementation strategy that we laid out beforehand and went forward with that.
James, the AlgoSec engineer who was working with me, spent about two weeks on and off with me trying to get the solution up and running, and he was successful at it. This was so we could utilize their proof of concept in our environment to make sure that it would fit our needs.
Because we went from having no unified tool to having AlgoSec, it has improved our security platform by probably 80% in just the short time that we have had and used it. It is invaluable. There is no question in my mind that it is a tool for anybody who has multiple sites, firewalls, and routers. It is something that everybody needs to look into getting because it is invaluable.
Even if we were to pay the first quote that we got, AlgoSec would be worth it. Just having the automation and that overall look into your security platform, you can't be without it.
We are working with our finance department right now to be able to purchase it. The AlgoSec team is doing everything that they can in their power to get the costs down to where our budget is. They have worked a lot on it. They have cut the cost in half for us so far by questioning, "This is in the quote. Is this something that is actually needed?" They have pulled some stuff out and cut our costs down by 50% for the product itself.
There were four of us involved in the evaluation of the product.
We compared this tool to two other different tools. Even with their higher-end solution, when we had the full budget for this, AlgoSec was less expensive than some of the other top tools. We looked at FireMon and Tufin. The reason why we said, "No," when we had budget to FireMon and Tufin is because they were not pulling in the application data or URL data.
AlgoSec actually pulls application data and URL data in. AlgoSec is a little easier to use than the other solutions. Cisco recommended AlgoSec to us.
Don't trust what you think you know about your network. There are surprises everywhere, and sometimes it takes a utility like this to find those.
Don't don't hesitate. Go get it. If somebody came and asked me for an analysis tool, AlgoSec would be at the top of my list.
The integration is fine.
Migration to the cloud is on our roadmap.
We have not set up any automation quite yet, but that is on the roadmap. That will make the tool even better.
I would rate this solution as a nine (out of 10).
We primarily use the solution for our management and optimization.
The solution's simplicity of use is its most valuable feature.
The solution needs more detailed reporting. In Skybox the reporting is good, but it could be improved.
The solution needs to add more automation and orchestration capabilities. Those features would make the solution much stronger.
I've been using the solution for about four years now.
We've found the product to be quite stable. We haven't come across any bugs or glitches. We also haven't experienced any crashes that would lead us to believe there was instability.
The scalability of the solution is very good. There's nothing stopping a company from expanding if they need to.
Reaching out to the solution's technical support wasn't in my remit. I'm the enterprise architect, so I don't get involved in tech support issues.
We did evaluate other solutions before choosing this one. In fact, I'd recommend other companies to also take a look at Tufin and AlgoSec. Evaluating each of these will help organizations pick the best solution for their needs.
We're just a customer. We're not a partner or reseller of the solution.
I'd rate the solution seven out of ten.
I'd recommend those considering the solution to also look at Tufin and AlgoSec. I'd advise anyone considering any of these three options to compare them together and request a detailed proof of concept.
In general, I'd recommend the product.