Deploying a firewall is a must-have in the current threat environment. It protects a client’s network from malicious traffic and prevents users from transmitting sensitive information to the outside. But deploying a firewall isn’t enough to keep a client secure. A firewall management solution helps you continually ensure a network is protected even when changes occur, or new threats emerge.
Yitzy Tannenbaum, product marketing manager for AlgoSec, says to look for these key features to help you select a firewall management solution that will provide your clients — and your managed service provider (MSP) business — with the greatest value:
Full Visibility into the Security Network
MSPs will benefit from a solution with a security network topology map feature. Tannenbaum says this feature provides a single, holistic view of all network elements and shows how those elements connect and interact with each other. He adds that a security network topology map feature “also gives visibility into the risky policies that expose the network to attacks and various recommendations to optimize and clean up the security policy across all network devices.”
Continuous Compliance
The solution should support compliance with industry regulatory standards and the organization’s internal best practices and guides. “Traditionally, preparing for an audit was a point-in-time, long, tedious process that took weeks or even months,” Tannenbaum explains. “In today’s fast-paced world, organizations require ongoing compliance. “
He says a firewall management tool will provide you with a detailed report on the state of compliance at any point in time. “This will reduce preparation for audits from weeks or months to seconds,” he points out. “Additionally, a firewall management tool will ensure that every change implemented into the network doesn’t break compliance. The right solution should also feature a range of predefined audit and compliance reports to remove the grunt work of audit preparation.”
Automated Change Management
Tannenbaum adds that a state-of-the-art firewall management solution will also automate change management processes. “Network configuration and change processes need to be fully automated to eliminate guesswork and error-prone manual input,” he says.
A recent CSA and AlgoSec report found that the top cause of outages is misconfigurations due to human error. “Modern-day networks are made up of on-premises, SDN and cloud estates, each with unique security controls — from conventional firewalls to next-generation firewalls (NGFWs), virtual firewalls and cloud controls. To keep up with the speed of business, changes to network policies happen very often, to provision new applications, make changes to existing applications or decommission old applications,” says Tannenbaum. “They involve many stakeholders and making changes to dozens or even hundreds of security controls across the enterprise network. The only way to ensure that security does not inhibit business agility is to use automation.”
Tannenbaum explains that the change process should follow these four stages to eliminate the risk of errors and misconfigurations. In cases where the proposed change doesn’t pose any risk to the network, a firewall management solution will go through this process completely automatically with no need for human intervention:
- Planning the change: You need to identify which security devices are in the path of the proposed change and the security policies associated with them. This demands full visibility across the entire network estate.
- Understanding the risk: Will the change cause undue security, compliance or business risk to the network environment or application? If so, the change should be re-planned.
- Making the change: Consider how best to insert the new security rule into the device’s current policy. For example, if a new rule was added to the device’s current policy or an existing one was modified, then the changes should be automatically pushed to the relevant devices and all changes documented.
- Validating the change: This involves checking that the change was implemented exactly as requested. The applications or services should work with no overly permissive or risky rules remaining.
Provisioning, Maintaining and Decommissioning
It will also be beneficial to MSPs to find a firewall management solution that makes it easy to securely provision, maintain and decommission connectivity for business applications by automatically discovering and mapping application connectivity requirements to the underlying network infrastructure.
How to Deliver on Client Expectations in a Constantly Changing World
Tannenbaum says automating firewall management can substantially improve the services you provide and your operational efficiency. One Algosec client clearly illustrated the potential impact. A business with 150 firewalls had used manual processes for changes, and it was able to handle only about 20 changes per week. Automation enabled the same staff to increase the number of change requests it could handle each week by 150 percent.
“Managed services providers are expected to be like Superman, delivering lightning-speed services together with top notch-security,” he says. “Considering the complexity of today’s heterogeneous networks and the overall lack of security personnel, there’s no way to be Superman, but why not be Batman? Equip yourself with the right tools to win. With a firewall management tool, you can automate the network security policy management process and manage all your customers’ security through a single pane of glass.” 
