In theory, the firewall is a security concentrator: a high-performance gateway between the outside world and the protected network. Ideally it is a single, easily controlled point of configuration where you can deploy several of the best security technologies at once, and it never leaves you lying awake at night wondering whether a hole in its configuration is leaking corporate data. The reality of network security management is different: a firewall does not stay "bulletproof" on its own.
Few security administrators see a firewall through its entire lifecycle. They may not have been involved in the initial configuration and rule set, or in policy management, approval and logging, or in the careful review that should precede migrating the policy to new hardware. 99% of firewall administrators "inherit" their firewalls from someone else, and they know what they are inheriting: a pile of residue with almost no readable policy base, which may contain dozens or even hundreds of potential holes.
The remedies are enterprise-wide investigative work, reverse engineering of business processes, reading through detailed documentation, and regular, tedious maintenance: work that IT staff hate. Unless forced to, administrators avoid these cumbersome procedures; most would rather focus on subnets and spanning trees. Firewalls are a nuisance.
Attackers from the top and policy breakers
If you've never managed a firewall, you might think the job is like managing ACLs on any other network device: rules identify traffic, and policies act on the traffic those rules match. Firewall work should be standard network configuration management, not art or magic. If enterprise IT policy blocks some traffic and users don't like it, point them to the policy and they will gradually come to comply.
In practice, though, your external firewall faces an unusual threat in addition to the attacker outside probing your network for an unknown vulnerability (possibly even a government-backed attacker): the exception request. Many of these requests come from executives who want to expand the business. Others come from senior managers who have the authority to change policy but limited knowledge of security. They go to your manager, ask that their request be handled, and in the end you are left fuming and filing a special exception.
Fortunately, the problem is widespread and its seriousness is widely understood, and vendors have seen the opportunity in security management. Firewall management products act like security "ninjas" in the enterprise, offering rule analysis, configuration cleanup, policy compliance reporting and even best-practice recommendations. Some also support traffic simulation, so you can test what a change would do before deploying it. And almost all of them, and the firewalls themselves, support the essential rule comment function.
A rule comment can hold a short summary of the original business need, a validity period and a contact for the rule's owner, which stops today's temporary exception from becoming tomorrow's permanent hole. It also lets the team collaborate. With that, network security management is no longer just handing the firewall on to the next person; it is making sure the firewall can actually "perform its duties."
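As an added example (not from the original article and not any vendor's product), here is a small Python audit script that applies the housekeeping described above to a constructed rule set. It reads owner=, ticket= and expires=YYYY-MM-DD tokens out of rule comments (an assumed convention, not any firewall's syntax), then flags expired temporary exceptions, rules with no owner or ticket, allow-anything rules, and rules that an earlier rule shadows so they can never match. The Rule fields, the metadata keys and the rule set itself are all assumptions made for illustration.

```python
"""Audit a firewall rule set for expired exceptions, undocumented rules,
allow-anything rules and shadowed rules.

Added example. The rule format and the key=value comment convention are
assumptions, not any vendor's syntax; the rule set at the bottom is constructed.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp" or "any"
    port: str      # "443", "1024-65535" or "any"
    action: str    # "allow" or "deny"
    comment: str = ""


def parse_comment(comment):
    """Pull key=value tokens (owner=, ticket=, expires=YYYY-MM-DD) out of a comment."""
    meta = {}
    for token in comment.split():
        if "=" in token:
            key, value = token.split("=", 1)
            meta[key.lower()] = value
    return meta


def _net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _ports(port):
    if port == "any":
        return (0, 65535)
    lo, _, hi = port.partition("-")
    return (int(lo), int(hi or lo))


def _as_date(today):
    return date.fromisoformat(today) if isinstance(today, str) else today


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    o_lo, o_hi = _ports(outer.port)
    i_lo, i_hi = _ports(inner.port)
    if not (o_lo <= i_lo and i_hi <= o_hi):
        return False
    return (_net(outer.src).supernet_of(_net(inner.src))
            and _net(outer.dst).supernet_of(_net(inner.dst)))


def find_expired(rules, today):
    """Temporary exceptions whose expires= date has already passed."""
    today = _as_date(today)
    expired = []
    for r in rules:
        meta = parse_comment(r.comment)
        if "expires" in meta and date.fromisoformat(meta["expires"]) < today:
            expired.append(r.name)
    return expired


def find_undocumented(rules, required=("owner", "ticket")):
    """Rules lacking the metadata needed to ask 'who owns this, and why?'"""
    missing = {}
    for r in rules:
        meta = parse_comment(r.comment)
        absent = [k for k in required if k not in meta]
        if absent:
            missing[r.name] = absent
    return missing


def find_overly_permissive(rules):
    """Allow rules that match any source, any destination and any service."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == r.dst == r.proto == r.port == "any"]


def find_shadowed(rules):
    """(rule, shadowing_rule) pairs: first match wins, so the later rule is dead."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def audit(rules, today):
    return {
        "expired": find_expired(rules, today),
        "undocumented": find_undocumented(rules),
        "allow_any": find_overly_permissive(rules),
        "shadowed": find_shadowed(rules),
    }


# Constructed rule set for illustration; not taken from a real device.
RULES = [
    Rule("web-in", "any", "10.1.0.0/24", "tcp", "443", "allow",
         "owner=webteam ticket=CHG-1001"),
    Rule("vendor-temp", "203.0.113.0/24", "10.1.5.10/32", "tcp", "22", "allow",
         "owner=jsmith ticket=CHG-1042 expires=2023-06-30 temporary vendor access"),
    Rule("partner-rdp", "198.51.100.0/24", "10.1.5.0/24", "tcp", "3389", "allow",
         "added on request from the sales VP"),
    Rule("old-ssh", "203.0.113.128/25", "10.1.5.10/32", "tcp", "22", "allow",
         "owner=jsmith ticket=CHG-900"),
    Rule("legacy-any", "any", "any", "any", "any", "allow", "owner=unknown"),
    Rule("deny-all", "any", "any", "any", "any", "deny",
         "owner=secops ticket=CHG-0001"),
]

if __name__ == "__main__":
    for finding, items in audit(RULES, date.today()).items():
        print(f"{finding}: {items}")
```

Run against the constructed set, the audit reports vendor-temp as expired, partner-rdp and legacy-any as undocumented, legacy-any as an allow-anything rule, and old-ssh (covered by vendor-temp) and deny-all (covered by legacy-any) as shadowed. The shadow check is deliberately conservative: it only reports a later rule when an earlier one covers its entire match set, so it never claims a rule is dead when part of it can still fire.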