Comparison and testing of five firewall operation management software

At present, there are tools on the market that can make the firewall more efficient and bring more benefits, Skybox and RedSeal are the leaders of these product manufacturers.

Anyone who has run multiple firewalls in a complex enterprise environment knows how to capture incorrect configurations, avoid conflicts between firewall rules, and identify vulnerabilities, and how difficult it is to meet audit and rule compliance.

During this test, we focused on five Firewall operation management products: AlgoSec's Firewall Analyzer and RedSeal's Network Advisor) and Vulnerability Advisor, FireMon from Secure Passage, View Assure and View Secure from Skybox, and SecureTrack from Tufin.

We found that the core features of these products are basically similar: the ability to retrieve configuration files, store and analyze data of firewalls (and other network devices. If security policies are damaged, they can view historical changes, analyze existing firewall rules, execute rule-based queries, re-change the rule order, and issue alerts. They can also automatically audit rule compliance and generate relevant reports.

In addition, they can use the real-time snapshot version of the network for modeling and Network Attack and Defense testing. Algosec, RedSeal, and Skybox can also provide charts and Topology views of their networks.

In general, RedSeal and Skybox were the most impressive in this test, because they not only have all the basic functions, but also support vulnerability scanning products from multiple vendors. These vulnerability scanning products can rate risks in the network and analyze the vulnerabilities across the network. In addition to these two products, other products also left us a deep impression.

Algosec's firewall analyzer has an intuitive interface and predefined standard audit and analysis reports. This software is easy to install and provides a simple data collection wizard (wizard ).

RedSeal's network consultants and vulnerability consultants can help users understand how their network configurations defend against threats from the Internet. The software can generate a vulnerability report to show the shortcomings of the network. It also contains some pre-configured rule compliance management reports in pdf and XML formats.

The FireMon of Secure Passage can analyze network device configurations in real time and maintain the latest status through automatic analysis of Rule compliance. It also provides a dedicated wizard that allows you to input device information to a large network.

View Assure and View Secure of Skybox can automatically collect configuration file information by hour, day, week, month or year. It has a built-in ticketing system that supports access change tickets and policy violation tickets ).

The SecureTrack of Tufin has a feature of What-If analysis to test the changes they may cause before policy implementation. Predefined analysis/report options are based on industry best practices.

The following describes the five tested products in detail:

AlgoSec firewall Analyzer

We tested the AlgoSec firewall analyzer package based on Linux, which has the following options: analysis engine, Collection Engine, Web server, and local and remote management GUI, and user, policy storage, and system log database.

The analyzer engine queries collected data according to predefined or custom rules, and then generates a detailed report. At the same time, the Web server sends the alarm information to the firewall administrator by email.

The installation package supports 32-bit Red Hat Enterprise Linux 4 and 5, as well as Centos 4 and 5. During the test, we installed the program on the Dell 600SC server as a VMware application device. Once VMware Player is loaded to the firewall analyzer, it will start and log on as the super Administrator (root), and then open the firewall analyzer browsing program. When the browser path is set to https: // hostaddress/, the Algosec management interface appears. Click login to start the management application client.

The firewall analyzer has three data collection methods: the wizard on the Access Management tab; the semi-automatic script provided by AlgoSec; or the manual collection, but this method is time-consuming and can easily cause errors.

Once files are retrieved and stored, the firewall analyzer runs a risk analysis based on PCI rule compliance, NIST, SANS Top 20, and vendor best practices. During the test, we found that users can also create custom analysis reports. Select the Firewall Reports option to display charts that summarize network changes, findings, policy optimization, rule rescheduling, and Firewall information and network connectivity, and a firewall connection diagram. Select the risk option to display the risk code-related findings and detailed information such as suggestions and charts for handling Risks.

In the test, by viewing the Algosec history change report, we obtained the details of the firewall rule change. At the bottom of the History Change Record panel, we can see interactive traffic retrieval, report comparison, and the ability to generate a set of other firewall reports.

The Optimization Policy feature provides the rule Cleanup and Reordering functions. The rule clearing report lists all rules to be corrected and the number of instances. Some of the rules marked in the cleanup report are labeled as unused, covered, redundant, and disabled) and non-compliant naming rules. Object Cleanup also has a similar list. The "How to Improve rules" and "how much space can be improved by rules" are provided in the "Rules" re-sorting report. You can also access a detailed report that tells you how to change the firewall.

The panel layout of the AlgoSec firewall analyzer client is reasonable and hierarchical, so you can easily find various features and guides. Optimize Policy is a useful wizard for you to find and clean specific rules. Currently, some predefined rules are audited (such as PCI-DSS, ISO/IEC 27001, and Sarbanes-Oxley. In addition, the rule compliance report structure is well organized and supports three formats: PDF, HTML, and XML. Although AlgoSec does not integrate a vulnerability scanner, it performs well in Rule compliance audit and rule optimization.
RedSeal network consultant and vulnerability Consultant

With RedSeal network advisor 4.1 and vulnerability advisor 4.1, You can automatically analyze, identify, quantify, and reduce risks and vulnerabilities in complex networks. By using plug-ins, network consultants can import configuration files from each supported device. During testing, we like this method very much, because after risk and vulnerability analysis is introduced, we can create a unified network topology with best practices for analyzing and fixing solutions.

We installed Red Seal software on a Dell server running Windows XP. Once the server is installed and started, the client is installed immediately. After logging on using the client application, we can access a fully functional GUI console server.

Both the network consultant and vulnerability consultant must import the configuration files of routers, switches, and firewalls to the database. The analysis engine processes host name, IP address, subnet mask, and device interface information. The analysis results are displayed in graphs, reports, and charts. The current network status and configuration are described in detail. Its plug-ins can be applied to products of Cisco, Check Point, Juniper, and other companies.

After the device configuration files are imported to the RedSeal advisor, these files will be checked based on the RedSeal best practices database. You can double-click a selected row to find the violation policy in depth. You can use the View Changes application to analyze and report any Changes to the host and device.

We analyze the usage of firewall rules by using the best practice inspection feature customized by RedSeal, and reorder them. Using a regular expression tool, we can search the configuration file and use the plug-in associated with the device. Since the configuration file can be edited, we analyzed the assumption (what-if) to determine whether the rule changes will adversely affect the network.

RedSeal provides pre-configured rule compliance management analysis reports. You can also add custom reports and schedule them to run at specific times. We analyze and report on the network configuration (compared with best practices) and the assets that have been exposed to the Internet.

We are optimistic about the display of the network topology on the RedSeal vulnerability analysis interface. It provides a graphical method for analyzing network Vulnerabilities. The arrows in the diagram point the threat source to the network assets at risk. This structure is based on the general Vulnerability Evaluation System (CVSS) and provides detailed information required to quantify risks. This is an important feature that saves time and protects valuable assets. In the pre-defined PCI-DSS analysis of the target CIDR Block, the topology features provide a similar solution, you only need to click to select a network segment and run the analysis report.

RedSeal's products integrate vulnerability scanners from multiple well-known companies (such as Qualys, nCircle, and McAfee) to provide vulnerability and risk measurement systems. If you want to quantify risks and vulnerabilities and allocate resources based on asset values, we recommend this product to you.
Secure Passage FireMon

Secure Passage's FireMon program manages the firewall by reporting security policy changes, checking unused rules, and reporting traffic through rules. The program automatically analyzes rule compliance policies (such as the Payment Card Industry and the US National Security Agency) to ensure the security of Rule compliance.

The FireMon architecture includes an application server, a data collector, and a graphical user interface (GUI ). The application server is responsible for tracking the collected data, analyzing transactions and device configurations in real time, and generating a predetermined report. The data collector is an application that FireMon runs on network devices or PCs. It is mainly used to monitor and collect data from firewalls, switches, routers, and other network security devices. We quickly installed the FireMon management client on Windows Vista, and then logged on to the FireMon server with the username, password, IP address, and port number to use its management console.

FireMon provides a wizard to import network devices from companies such as Check Point, Cisco, F5, Juniper, Nokia, and McAfee/Secure Computing. Once the portal of each device is created in the Wizard, all related firewalls, management servers, and log servers will be automatically discovered and added to FireMon in sequence.
Rule Policy Management for firewalls, routers, and switches

The FireMon program provides several tools to analyze firewall, router, and switch rules/policies. During the test, we used the Firewall Traffic Flow Analysis tool to generate a report to reflect the Firewall "ANY" rules configured in large networks. We can reduce or remove the arbitrary "ANY" Rules and