Archive for the ‘Company Announcements’ Category

FirePAC v4.1 Introduces Firewall Configuration Debugger

Wednesday, August 11th, 2010

Today we announced the release of a cool new Athena FirePAC solution focused on debugging configurations for enterprise firewalls.  The Firewall Configuration Debugger allows you to troubleshoot service availability problems in an offline mode, using FirePAC’s traffic flow query capabilities.  The advantage of offline analysis is that it does not require you to enable logging or to inject test packets into your network to understand your firewall’s behavior.  When a service disruption occurs, and a quick answer is required to rule out the firewall as the cause or to isolate an actual problem in the rules, the Debugger is a fast, thorough and convenient way to get the job done.

The Debugger allows you to specify individual packets or entire subnets as source and destination addresses and the services to test.  It performs a reachability analysis using the routing rules and address translations to automatically determine the ingress or egress access lists or zone to zone policies, and evaluates how they act on the user’s input.  This traffic flow analysis makes it easy to troubleshoot rules as well as the packets that they allow or deny, so answers can be found in minutes, rather than hours when using ad-hoc testing.  When trying to identify what changes in the configuration may be responsible for the service availability problem, the Debugger can compare two versions and link each rule and object change to its impact on added or deleted traffic flows.  With the introduction of the Debugger, Athena applies its advanced analytics, which traditionally served the audit market and project-based requirements, and provides a tool that is highly useful to operations groups.

For more detailed information, watch my video about the Debugger.  Or request an evaluation from our excellent sales team.

8,000 + and going strong!

Tuesday, June 22nd, 2010

Athena’s Free Firewall Browser is catching on like wildfire!  With a boost last week, thanks to our partner SolarWinds, another 3,000 network engineers have joined the growing community of users who rely on this tool for the most convenient way to search their Cisco, Check Point and Netscreen firewall configs based on the address or service ranges. 

The overwhelming response confirms that while firewall technology has existed for many years, tools that make these devices more manageable and efficient are sorely needed.  Without the extra help, firewall infrastructure continues to grow more complex over time and can cause significant roadblocks when a network change or security review is required.  Check out the focused tools Athena Security offers to address the day to day challenges faced by network engineers and our firewall management solution based on the SolarWinds Orion NCM integration.

Athena Launches FirePAC v4.0

Friday, June 18th, 2010

Today we launched a major upgrade of Athena FirePAC.  This release has a brand-new look, which is consistent with our free Firewall Browser tool.  If you liked the Browser, you’ll really like FirePAC v4.0.  We’ve also added a bunch of great new features.  Upgrading to the new version is painless and simple and will bring you many benefits that are sure to make your job easier!

Here are just a few of the advancements you’ll find in the new release:

Usability
The FirePAC 4.0 UI has been redesigned to match the operational need for more dynamic and interactive analysis. You’ll really love what we’ve done to make the rulebases really explorable, plus we’ve added many new search and query options.
Impact Analysis
Now you can compare side by side the additions, deletions, and modifications to rules and objects based on the semantic dependencies.
Automated Scripts
All cleanup reports come with commented and well structured scripts so you can complete the entire process with more automated help.
Device support
We’ve added support for routers, so you can include the ACLs from these devices into your overall risk and service availability analysis.
Licensable solution-based components
These options allow you to mix and match the solutions you need for different groups of firewalls. When you are ready for your next project, you can buy exactly what you need and have the flexibility to add more on at anytime.

We’re really excited about this new release and have added a bunch of new videos to the Athena web site so you can review the highlights at your own convenience.  Check out these videos: Impact Analysis, Rule/Object Cleanup, and Object Rationalization.

To upgrade from v3.7.1 to v4.0, follow these easy steps:

  1. Launch FirePAC
  2. When you see the dialog informing you that a new version is available, click on the Update button.
  3. Download the new release.
  4. Send an email to support@athenasecurity.net letting us know you’re ready and we’ll mail over the new license.
  5. Launch the installer.
  6. Launch FirePAC and apply the new license.

Your existing data will be retained, so you need not worry about re-importing your firewalls.

A Process for Cleaning Firewall Rulesets

Monday, May 24th, 2010

In an earlier post, we discussed the need for cleaning up and simplifying firewall rulesets.  There are two techniques for determining whether a rule can be removed from a rule base: one based on rule redundancy and the other on rule usage.

There can be an overlap between the two techniques in the sense that a rule can be both redundant and also have zero usage. Despite that, it is often the case that the majority of rules will fall into one category or the other. To get the maximum benefit of keeping your rulebase efficient and simple, it makes sense to maximize rule removal by trying both approaches.  Automated tools, such as Athena FirePAC, can apply both approaches. The question then is how to proceed and in what order.  The straightforward technique would be to use a two-pass approach: remove, say, zero usage rules using log data in the first pass, create the new configuration with rules removed, and then in the second pass run the modified configuration through the tool again to identify redundant rules. This two-step approach is untenable in most situations, since we need access to the production device (or even a laboratory device) twice. If there is a formal validation step as part of the rule cleanup process, the validation step will also have to be performed twice. If there are a large number of firewalls to be cleaned up, this two-step process can add extra months to the schedule and thousands of dollars in cost.

Clearly the answer is a one-step process that incorporates both techniques. In one such process, the firewall configuration is run through the rule cleanup tool at most twice — once to identify redundant rules, and the other to identify zero usage rules. It does not matter in which order the rules are identified, because both sets of rules are then combined in the following manner to determine the rules that will actually be removed:

  1. All rules with zero usage that are identified are marked for removal.
  2. The remaining rules that can potentially be removed are all redundant rules. Of these, identify rules that are redundant and have their source rules (i.e. the rules that make it redundant) above it in the rulebase. All such redundant rules can be marked for removal.
  3. The remaining redundant rules have their source rules below them in the rule base. Of these, mark a rule for removal only if none of its source rules have zero usage, and any rule options associated with the redundant rule can be ignored.

You may wish to manually review the rules with zero usage prior to removal to ensure that there is no business case to retain them.

To ensure that the rules are removed correctly, it is advisable to use a script that will remove the rules one at a time, in an automated fashion.
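The combination logic described above can be sketched in a few lines. This is an added example, not FirePAC code: the `Rule` fields, the `options_ignorable` flag, the sample rulebase and the conservative treatment of rules with sources both above and below are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int
    hits: int                          # hit count taken from log analysis
    sources: frozenset = frozenset()   # ids of the rules that make this rule redundant
    options_ignorable: bool = True     # hypothetical flag: rule options can be ignored

def plan_removals(rulebase):
    """rulebase is a list of Rule in evaluation order, top first.
    Returns {rule_id: reason} for every rule marked for removal."""
    position = {r.rule_id: i for i, r in enumerate(rulebase)}
    zero_usage = {r.rule_id for r in rulebase if r.hits == 0}
    # Step 1: every zero-usage rule is marked.
    plan = {rid: "zero usage" for rid in zero_usage}
    for r in rulebase:
        if r.rule_id in plan or not r.sources:
            continue
        unknown = r.sources - set(position)
        if unknown:
            raise ValueError(f"rule {r.rule_id}: unknown source rules {sorted(unknown)}")
        if all(position[s] < position[r.rule_id] for s in r.sources):
            # Step 2: every source rule sits above this rule.
            plan[r.rule_id] = "redundant, sources above"
        elif not (r.sources & zero_usage) and r.options_ignorable:
            # Step 3: a source sits below. If that source is itself leaving for
            # zero usage, this rule would stop being redundant, so it is kept.
            plan[r.rule_id] = "redundant, sources below"
    return plan

def removal_order(rulebase):
    """Rule ids to delete, top to bottom, for a one-at-a-time removal script."""
    plan = plan_removals(rulebase)
    return [r.rule_id for r in rulebase if r.rule_id in plan]

# Constructed sample rulebase (ids, hit counts and dependencies are made up).
RULEBASE = [
    Rule(10, hits=500),
    Rule(20, hits=40, sources=frozenset({10})),   # source above: remove
    Rule(30, hits=12, sources=frozenset({50})),   # source below, in use: remove
    Rule(40, hits=7, sources=frozenset({60})),    # source below has zero usage: keep
    Rule(50, hits=900),
    Rule(60, hits=0),                             # zero usage: remove
    Rule(70, hits=3, sources=frozenset({80}), options_ignorable=False),  # keep
    Rule(80, hits=100),
]
```

Rule 40 is the case that makes a single combined pass necessary: looked at alone, the redundancy report says it can go, but its covering rule 60 is also leaving, so removing both would drop traffic that is currently allowed.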

Athena FirePAC automates the cleanup process from start to finish, by first identifying all rules based on redundancy and usage that can be removed without impacting the traffic allowed through the firewall.  It then generates the scripts so that rule removal is straightforward and consistent.  To learn more, download a free trial of FirePAC.

Network Security and Config Management Webinar with SolarWinds

Friday, May 21st, 2010

Yesterday I participated in a webinar discussing the must-do’s of network security and configuration management with SolarWinds’ Head Geek Josh Stephens.  We discussed some best practices for managing configurations and some guidelines for firewall configs themselves.  The meat of the webinar was a demonstration of Orion NCM and the integration with Athena FirePAC.  The combined products make a dynamite solution for firewall configuration management.  You can watch the webinar online (registration required) and the slides are available here.  Check it out!

FirePAC v3.7 Adds Support For Object Usage

Friday, April 30th, 2010

We recently released Athena FirePAC v3.7, which adds several cool features to help you get a handle on out-of-control firewall configurations.  The new features make it much easier to identify object definitions that are not needed and to deploy consistent and systematic object definitions across an inventory of firewalls.

Object usage analysis helps you determine how objects are being used on a per-rule basis and also globally for each object.  For firewalls like Juniper Netscreen and Check Point, which allow multiple values in the source, destination, and service fields, you can now determine how much each object contributes to the overall usage of a rule.  For example, suppose you have the following rule in a Netscreen firewall:

| ID | Source | Destination | Service | Action |
|----|--------|-------------|---------|--------|
| 17 | client1, client2, client3 | abc_dmz_proxies, abc_dmz_remotes, xyz_dmz_proxies, xyz_dmz_remotes | HTTP, HTTPS, HTTP-ALT, 8000 | |

You’d like to know which of the DMZ proxy and remote destination objects specified by this rule are actually being hit.  Looking at the hit counts for the rule will only tell you that the rule is being used, but it will not tell you which of the objects in the rule are actually being used.  The new object usage analysis in Athena FirePAC will tell you exactly what percentage of the total hits to the rule is contributed by each object.  This gives you valuable information about the traffic passing through your firewall and can help you identify which objects are unnecessary and can be removed from the rule.

You can also find out the aggregate usage of each network or service object in the configuration.  This makes it very easy to identify the objects that are not being used at all and can be removed.
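To make the per-object calculation concrete, the following added example (not FirePAC code) attributes each logged hit on rule 17 to the destination objects that contain the packet's destination address. The object address ranges and the log records are constructed for illustration; only the object names come from the rule above.

```python
import ipaddress

# Constructed definitions for rule 17's destination objects (addresses are assumptions).
DEST_OBJECTS = {
    "abc_dmz_proxies": ["192.0.2.0/28"],
    "abc_dmz_remotes": ["192.0.2.32/28"],
    "xyz_dmz_proxies": ["198.51.100.0/28"],
    "xyz_dmz_remotes": ["198.51.100.32/28"],
}

# Constructed log records: (id of the rule that matched, destination IP).
LOG = (
    [(17, "192.0.2.5")] * 6
    + [(17, "198.51.100.3")] * 3
    + [(17, "192.0.2.33")]
    + [(18, "198.51.100.40")] * 2      # hits on another rule must not be counted
)

def object_usage(rule_id, objects, log):
    """Return {object name: percentage of the rule's hits that fell inside it}.
    Overlapping objects are each credited, so percentages can sum past 100."""
    nets = {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in objects.items()}
    counts = {name: 0 for name in objects}
    total = 0
    for matched_rule, dst in log:
        if matched_rule != rule_id:
            continue
        total += 1
        addr = ipaddress.ip_address(dst)
        for name, networks in nets.items():
            if any(addr in net for net in networks):
                counts[name] += 1
    return {name: (100.0 * c / total if total else 0.0)
            for name, c in counts.items()}

def unused_objects(rule_id, objects, log):
    """Objects in the rule that received none of its hits: candidates for removal."""
    usage = object_usage(rule_id, objects, log)
    return sorted(name for name, pct in usage.items() if pct == 0.0)
```

With this sample data the rule's hit counter alone would only show ten hits; the breakdown shows that `xyz_dmz_remotes` received none of them.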

Check it out!  You can download a free evaluation of Athena FirePAC from our web site.

Firewall Browser Makes Searching Firewall Configurations A Snap

Friday, March 19th, 2010

We have just released a new free tool for network and firewall engineers called Firewall Browser.  It’s designed to help you search firewall configurations and find security rules and object definitions quickly and easily.  What’s really cool about this tool is that you can search for rules by source, destination, and service, entering values as IP addresses, network object names, port number, or service object names.  Similarly, you can search for network or service object definitions by name, by IP address, or by port number.  It works with Cisco, Check Point, and Netscreen firewall configurations and is available for download from the Athena Security web site with no license restrictions for end-users.  Check it out!  Let me know how you like it.

Athena FirePAC v3.1 has arrived

Friday, September 25th, 2009

It’s been a long summer and the development team has been hard at work adding a bunch of new features to Athena FirePAC. We finally released v3.1 at the beginning of September. I thought it’d be worthwhile to point out some of the really cool features available in the new release.

First, as was announced here, Athena Security is now a technology partner with SolarWinds and we have integrated FirePAC with Orion Network Configuration Manager. You can connect to Orion NCM from FirePAC, select the firewall you’re interested in from the device repository, and import their configurations directly into FirePAC. The import is fast, easy, and painless. No worries about logging into the firewall or which commands you need to issue to get the right data. And you can import multiple firewalls in one operation.

Related to the Orion NCM integration is the configuration update feature. Now, after you’ve imported a firewall into FirePAC, you can update the configuration automatically from the same location it was originally imported from. If you imported from the filesystem, the update will be taken from the same files. If you imported from Orion, the update will be taken from there. No need to specify the same source for the configuration files over and over again. Just select the firewall in the FirePAC Firewall Inventory and click the Update operation.

Another big new feature is our enhanced Query capability. There are now three types of queries that allow you to explore the firewall behavior and configurations. With the Data Flow query, you can ask questions like “which critical hosts are exposed to these risky services?” or “what sources are allowed to connect to this server?” or “why is this service not being allowed through the firewall”? It allows you to use Athena’s powerful data flow analysis of firewall behavior to identify specific risks to your network or to understand exactly what the firewall is doing.

With the Rule Search query, you can search for rules that match specific patterns of source, destination, and service parameters across your entire inventory of firewalls. You can even select rules based on matching network or service groups. With the Object Search query, you can find where specific network or service objects are defined and where those objects are used in other object groups. Taken together, Rule Search and Object Search give you a powerful capability to understand the structure of your rulesets and object definitions and their inter-relationships.

Wrapping up the Query facility is the new Saved Queries feature. Now you need only enter the parameters for a given query once. Then you can save it and issue the saved query again later. This can be useful when you have a long list of critical hosts that you need to check exposures to on a regular basis.

All these new features really extend FirePAC as an operational tool for managing firewalls.  You can download an evaluation free for 30 days from our web site.  Check it out!



Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerify™ and Athena FirePAC™ are trademarks of Athena Security, Inc.