Firewalls are the unsung heroes of network protection, quietly sitting at the edge of the network, defending those behind the firewall from an onslaught of security threats. But despite their heroic feats, firewalls sometimes fail to protect systems from the most serious breaches, especially if not managed correctly.
Obviously, network administrators rely on those soldiers of security and defenders of the realm to keep bad things from happening to the network. When given the proper orders, firewalls defend and protect from all sorts of external threats. Unfortunately, issuing those orders can pose problems for network administrators, who may have to navigate multiple interfaces, learn multiple policy scripting techniques, and monitor each firewall independently.
Luckily, SolarWinds now offers network admins an aide-de-camp ready, willing, and able to unify firewall management under a single monitoring and command structure. Firewall Security Manager (FSM) brings a host of capabilities to the table and offers a concise methodology to manage and monitor firewalls from a multitude of vendors.
A Closer Look at FSM
I put FSM through its paces to see how good of an ally the product can be in the ever-raging war of network protection. I installed the product in a heterogeneous network environment. This segment incorporated multiple firewalls from different vendors, each independently responsible for protecting a different network segment. This reflects a scenario faced by many administrators tasked with managing multi-site networks with WAN connections.
Installing and configuring the product is relatively straightforward. FSM uses a client-server architecture, with the FSM server component (and database) residing on a Windows Server system. Admins access the FSM server and take full control of FSM through a client running in a web browser such as Chrome, Firefox, or Internet Explorer, or through a dedicated client application on a Windows system. Multiple clients can be deployed, allowing more than one administrator to access the system concurrently.
After installation comes configuration, critical to properly using the product. Firewall configuration can be complex and must be done correctly to avoid overlooking a deployed firewall and leaving it unmanaged. FSM provides ample help with these complexities. The product can directly import existing firewall configurations from Cisco security appliances, Cisco routers, Juniper firewalls, Check Point products and many others. The importation wizard offers several avenues to gather the information. What’s more, the import wizard sets up the needed connections to manage and control deployed firewalls.
FSM includes extensive documentation and web-based support to ease most import and configuration scenarios. After importation, administrators can start using the product to manage security devices on the network. To ease admins' first steps, FSM's Firewall Inventory tab displays a tree representation of the firewalls so admins can quickly view and query the details of imported firewalls. The Firewall Inventory tab also offers drill-down information and the ability to re-query firewalls and launch filtered views.
Firewall inventory management is just the start, however. FSM’s real power comes from what it can do with that inventory. For example, the product can automate security audits, a powerful capability needed by most enterprises. Automated auditing evaluates firewall configuration settings against more than 120 customizable checks, which are based on NSA, NIST, SANS, and other standards. To build a policy for automated audits, admins just define report elements and schedule report generation. Reports can be built using a "standardized" methodology, which offers admin-selectable guidelines and choices, or based on a STIG (Security Technical Implementation Guide) report, which uses DISA (Defense Information Systems Agency) rules and elements.
Most enterprises will want to stick with the standard audit security reporting methodology unless required to comply with DISA STIG rules. Report definitions live in Security Check Catalogs, which admins can edit or modify as needed. A handy Security Check Catalog Editor simplifies the process of making changes and customizing reports.
Auditing reports and compliance checks are an important part of FSM, but unified management of firewalls obviously takes much more, including understanding what firewalls are actually doing across the enterprise. FSM includes some basic tools for this task, such as Packet Tracer, which can traverse Layer 3 traffic and expose exactly what is happening across a network. Packet Tracer also offers the ability to determine ACLs, traverse NAT, follow point-to-point routes, and identify packet failures.
One of FSM’s most impressive features is its ability to optimize firewalls. Admins can optimize settings by applying a Rule/Object Cleanup process to supported Cisco and Juniper firewall configurations. FSM then audits the selected firewalls and identifies processor-sapping definitions, such as redundant rules or shadowed rules, which force firewalls to over-process packets. Simply put, if a rule is defined to achieve a certain task, additional rules are no longer needed to re-perform that task. The cleanup process also examines logs for rule usage and can build a list of unnecessary (or unused) rules for removal. Finally, the cleanup function can recommend the optimal rule-processing order, further improving performance.
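To make the redundant/shadowed distinction concrete, here is an added example (not FSM's code or algorithm) that flags such rules in a small, constructed rule set. It assumes ordered first-match evaluation and the common definitions: a later rule fully covered by an earlier rule is redundant when the actions match and shadowed when they differ. The `Rule` fields and sample rules are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # inclusive (low, high) destination port range

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    net = ipaddress.ip_network
    return (a.proto in ("any", b.proto)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def find_dead_rules(rules):
    """Return (rule, kind, covering_rule) for rules that can never fire.

    Pairwise check only: a rule covered by the union of several earlier
    rules, none of which covers it alone, is not reported.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                same = earlier.action == rule.action
                findings.append((rule.name, "redundant" if same else "shadowed",
                                 earlier.name))
                break  # first match wins, so the first covering rule decides
    return findings

# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("r1", "permit", "tcp", "10.0.0.0/8", "192.168.10.0/24", (443, 443)),
    Rule("r2", "deny", "tcp", "10.1.0.0/16", "192.168.10.0/24", (443, 443)),
    Rule("r3", "permit", "tcp", "10.2.0.0/16", "192.168.10.5/32", (443, 443)),
    Rule("r4", "permit", "udp", "10.0.0.0/8", "192.168.10.0/24", (53, 53)),
    Rule("r5", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
    Rule("r6", "permit", "tcp", "10.0.0.0/8", "192.168.20.0/24", (22, 22)),
]

if __name__ == "__main__":
    for name, kind, by in find_dead_rules(SAMPLE_RULES):
        print(f"{name}: {kind} by {by}")
```

A shadowed rule deserves a closer look than a redundant one: the administrator who wrote `r2` intended a deny that the firewall never enforces.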
Change management is also vital to proper firewall administration. FSM includes a Change Advisor web console, which tracks configuration changes to the managed security devices. Change Advisor also handles requests for changes, the process needed to execute changes, and the complete history of the change process. Those all help prove compliance, conduct security audits, and aid in forensic analysis.
Finally, FSM proves a valuable ally in the challenging process of troubleshooting firewalls. The product offers features specific to troubleshooting Cisco, Check Point, and NetScreen firewalls. It also includes advanced capabilities such as behavior simulation (to test traffic flows and run "what if" analysis), full rule mapping with dependency analysis of all associated ACLs, NATs, and routes, CLI command reporting, and full drill-down into rule and object hierarchies.
FSM has some other features worth mentioning, including predictive firewall modeling and compliance reporting. But the product’s core strength lies with its ability to help normalize firewall control while providing change management, optimization, and extensive troubleshooting capabilities. FSM starts at $1295 and is available now from SolarWinds and the company's authorized partners.