1 / 11

The Joy of Firewall Policy Management Reuven Harrison Tufin Technologies

The Joy of Firewall Policy Management Reuven Harrison Tufin Technologies. whoami. Reuven Harrison CTO and Co-Founder of Tufin Technologies My Check Point service: 4 years in R&D. reuvenharrison. tufin.com/blog. tufintech. Context: We Make Changes. Firewall Operations Management

liberty-spencer
Download Presentation

The Joy of Firewall Policy Management Reuven Harrison Tufin Technologies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Joy of Firewall Policy ManagementReuven HarrisonTufin Technologies

  2. whoami Reuven Harrison CTO and Co-Founder of Tufin Technologies My Check Point service: 4 years in R&D reuvenharrison tufin.com/blog tufintech

  3. Context: We Make Changes Firewall Operations Management Changes/day? Why we change the policy Usually: application connectivity Rarely: security related Risk: Collateral Damage Unintentionally impact business Open up security holes

  4. Problem: Things Change, Things Break Simple syntax errors: Opened 22 (ssh) instead of 21 (ftp). Oops! Rule Shadowing Add a connection to a shadowed rule Add a connection to a partially shadowed rule Oops, it doesn’t work – redo it Indirect changes (network group) Oops, it appears in multiple rules Argh, it appears in multiple policies OMG: P-1 global rule/object – multiple customers

  5. Many Ways to Change Access Add a new rule Add a host to a rule Add a host to a group Delete a rule Disable/Enable a rule Remove a host from a rule Remove a host from a group Add a rule to global policy (P-1) Add a host to a global rule (P-1) Add a host to a global group (P-1) Delete a global rule Delete a host from a global rule (P-1) Delete a host from a global group (P-1) Reorder rules Edit a network range Modify a Group with Exclusion Change a rule target (Install On) Policy Save As Change a time object Change user access ….

  6. The Impact Fail to fulfill the business need Break a business-critical service Ineffective business execution

  7. The Three Steps for Pain-Free Changes The truth, the whole truth Allow full access, as requested Nothing but the truth Don’t allow extra access Keep existing connections So help me god Don’t violate the compliance policy * patent pending

  8. The Holy Grail Simulate traffic through the new policy It is not enough to test a rule out of the policy context It’s impossible! Scanners – too much time to scan 2^32 IPs Not proactive But it would be perfect if we could…

  9. The Right Tools for the Job Fulfill the entire original request Automatic change verification Don’t open/close anything else closed/opened “regression testing focuses on retesting old/existing functions and making sure it didn’t get affected by the newly introduced code/functions” Don’t violate the compliance policy Enforce compliance policies

  10. When to Test the Change After I make the change, but before I implement it: After Save Policy Before Install Policy Survey: how many people have service windows? Network forensics (postmortem)

  11. Live Demo SecureChange Automatic Verification Access Regression Test SecureTrack Compliance Policies (if time allows)

More Related