A New Approach to Detecting Dangerous Firewall Misconfigurations
The ruleset for a newly deployed security device will likely be quite simple and straightforward, but as noted in the NIST Guidelines on Firewalls and Firewall Policy (NIST-800-41), “Users should be aware that firewall rulesets tend to become increasingly complicated with age.” That document later states, “Policies are implemented every day but these policies are rarely checked and verified. For nearly all companies or agencies, firewall and security policies should be audited and verified at least quarterly.”
InfoSecter helps IT staff with both of these problems by analyzing the proposed security device configuration and presenting information about how the security device will perform in a manner that makes the most sense to the end user. According to Alan M. Carroll, the CEO and founder of Network Geographics, “InfoSecter does for firewall configurations what Quicken does for a drawer of receipts. In both cases, the important information is present, but the tool makes it easier for a human to find.”
InfoSecter performs operations such as policy constraint analysis and operational comparison against the last known good configuration to catch misconfigurations before they are deployed to the network. InfoSecter parses configurations of security devices from Cisco (ASA, PIX, FWSM, and IOS), Juniper (NetScreen), and Check Point, and it models actions including basic firewall traffic filtering, AAA, IPsec, application-level inspection, HTTP URL filtering, and address translation.
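To illustrate the two checks named above (policy constraint analysis and comparison against a last known good configuration), the following script is an added example and not InfoSecter's or Network Geographics' code. It parses a deliberately simplified subset of Cisco ASA `access-list` syntax on constructed sample rulesets, and the two constraints it enforces are assumptions chosen for the example.

```python
from collections import namedtuple
# Constructed sample rulesets in a simplified Cisco ASA access-list syntax
# (addresses limited to "any", "host A.B.C.D" or "NET MASK"; optional "eq PORT").
LAST_KNOWN_GOOD = [
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443",
    "access-list OUTSIDE_IN extended deny ip any any",
]
PROPOSED = [
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443",
    "access-list OUTSIDE_IN extended permit tcp any any eq 23",   # newly added, risky line
    "access-list OUTSIDE_IN extended deny ip any any",
]

Rule = namedtuple("Rule", "acl action proto src dst port")

def _addr(tokens):
    """Consume one address spec from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0)
    return t + "/" + tokens.pop(0)          # NET MASK form

def parse(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue                         # remarks and unsupported forms are skipped
        rest = tok[5:]
        src, dst = _addr(rest), _addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(tok[1], tok[3], tok[4], src, dst, port))
    return rules

# Assumed policy constraints: each predicate flags a permit rule that must never appear.
CONSTRAINTS = {
    "permit any->any on all ports": lambda r: r.src == "any" and r.dst == "any" and r.port is None,
    "telnet permitted from any source": lambda r: r.src == "any" and r.port in ("23", "telnet"),
}
def check_constraints(rules):
    """Policy constraint analysis: (constraint name, rule) pairs that violate a constraint."""
    return [(name, r) for r in rules if r.action == "permit"
            for name, hit in CONSTRAINTS.items() if hit(r)]

def diff_against_baseline(baseline, proposed):
    """Comparison to last known good: (added, removed) rules relative to the baseline, in order."""
    b, p = set(baseline), set(proposed)
    return [r for r in proposed if r not in b], [r for r in baseline if r not in p]
```

Running `check_constraints(parse(PROPOSED))` reports the telnet rule, and `diff_against_baseline` shows it as the only rule added since the last known good configuration.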
The team at Network Geographics has decades of experience in network security and policy-based design and analysis. For more information visit http://network-geographics.com or call 888.276.2027.