
Posts Tagged ‘object standardization’

Athena PathFinder Network Mapping Product Released

Monday, March 7th, 2011

Today we launched our newest product, Athena PathFinder!  The phenomenal growth in adoption of our main product, Athena FirePAC, gave us excellent insight into the need for additional solutions.  Last year, the firewall engineers we worked with zeroed in on two primary types of request:

1. Extending Athena’s range of analytics that go deep into individual devices.  With ever more limited time and resources, firewall engineers need easier ways to make those analytics actionable and to fit them to day-to-day operational realities.

With the releases of Rule Tracker, Object Standardization, Configuration Debugger and major advancements to our Change Impact functionality, FirePAC meets the requirements for interactive intelligence that is especially useful to security operations groups.

2. Extending Athena’s policy awareness from a device-specific to a network-specific perspective.  Macro level issues involving service availability across multiple devices, reachability based on routing, and what devices to touch to implement a change request are all extremely well-suited for Athena’s offline analysis.

With the release of Athena PathFinder, we stuck to our product development philosophy of offering tools that are focused and easy to use, yet powerful enough to save man-years of manual effort.  This is our solution for firewall engineers who want a handy way to test network behavior when troubleshooting and when simplifying rule changes, and we made sure they can get started immediately with a free 2-week evaluation offer.

Simplifying Large Firewall Rulesets by Aggregating Primitive Rules

Tuesday, January 25th, 2011

Recently we have seen a problem in some organizations where a management console was being used to generate firewall rules automatically across multiple firewalls.  These consoles tend to emit very simple, primitive rules that each specify a single source, destination and service and that do not use object groups.  Over time the console generates a great many of these primitive rules, resulting in very large rulesets.  The problem is compounded when the network administrators decide to switch to a different firewall management product: suddenly they are faced with a large and complex rulebase that is difficult to understand and manage.

The size of the rulebase in each firewall can be reduced significantly by a rule-aggregation process that creates large address and service objects and new replacement rules that use them.  This can yield order-of-magnitude reductions in the number of rules in the rulebase.

The process starts by creating objects along one dimension at a time (source, destination or service), choosing objects by the number of rules they would cover in that dimension.  This step requires real analysis capability and cannot be done manually or with simple scripts: on a first-match firewall, a rule can only be folded into an earlier replacement rule if no rule in between, with a different action, matches any of the same traffic, otherwise the aggregation changes what the firewall permits.  The initial step is followed by further iterations that create replacement rules using objects in two dimensions, and finally in all three.  Athena FirePAC, unlike other firewall analysis products, provides content-based rule search and filtering on source, destination and service elements to quickly isolate the rules that can be aggregated.  FirePAC can also generate scripts that produce the replacement rules at each iterative step, which minimizes errors.
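As an added illustration (example code written for this page, not FirePAC’s implementation or output), the following Python models the three-pass aggregation on a constructed set of console-generated primitive rules.  It includes the ordering check described above, so a permit is never moved above an overlapping deny, and a first-match evaluator to confirm that the ruleset behaves identically before and after.  The Rule format, helper names (H, N, S) and sample addresses are assumptions for the example.

```python
"""Aggregate primitive first-match firewall rules into object-group rules,
one dimension at a time, without changing what the ruleset permits or denies.
Example code for this page; the Rule format and sample rules are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]   # members of the source object (CIDR strings)
    dst: FrozenSet[str]   # members of the destination object (CIDR strings)
    svc: FrozenSet[str]   # members of the service object, e.g. "tcp/443" or "any"
    action: str           # "permit" or "deny"


def H(ip):            # single host, as the consoles generate it
    return frozenset({ip + "/32"})

def N(cidr):          # a subnet
    return frozenset({cidr})

def S(*svcs):         # one or more services
    return frozenset(svcs)


def _nets_overlap(a, b):
    return any(ip_network(x).overlaps(ip_network(y)) for x in a for y in b)

def _svcs_overlap(a, b):
    return "any" in a or "any" in b or bool(a & b)

def overlaps(r1, r2):
    """True if some packet can match both rules, so their relative order matters."""
    return (_nets_overlap(r1.src, r2.src) and _nets_overlap(r1.dst, r2.dst)
            and _svcs_overlap(r1.svc, r2.svc))


def _safe_to_merge(rules, idxs):
    """The merged rule takes the position of the first member. Every later member
    is moved up past the rules in between; that is only safe if no intervening rule
    with a different action overlaps it (otherwise first-match semantics change)."""
    action = rules[idxs[0]].action
    for m in range(idxs[0] + 1, idxs[-1]):
        if m in idxs or rules[m].action == action:
            continue
        if any(overlaps(rules[m], rules[k]) for k in idxs if k > m):
            return False
    return True


def aggregate(rules: List[Rule], dim: str) -> List[Rule]:
    """One pass: merge rules that are identical except on `dim` into one rule
    whose `dim` object holds all of their members."""
    others = [d for d in ("src", "dst", "svc") if d != dim]
    groups = {}                      # key -> indexes, in first-seen order
    for i, r in enumerate(rules):
        key = tuple(getattr(r, d) for d in others) + (r.action,)
        groups.setdefault(key, []).append(i)
    merged, consumed = {}, set()
    for idxs in groups.values():
        if len(idxs) == 1 or not _safe_to_merge(rules, idxs):
            continue                 # leave these rules exactly as they are
        members = frozenset().union(*(getattr(rules[k], dim) for k in idxs))
        merged[idxs[0]] = replace(rules[idxs[0]], **{dim: members})
        consumed.update(idxs[1:])
    return [merged.get(i, r) for i, r in enumerate(rules) if i not in consumed]


def simplify(rules: List[Rule]) -> List[Rule]:
    """Objects in one dimension, then two, then all three."""
    for dim in ("src", "dst", "svc"):
        rules = aggregate(rules, dim)
    return rules


def evaluate(rules, src_ip, dst_ip, svc, default="deny"):
    """First-match lookup for one flow; used to check before/after equivalence."""
    for r in rules:
        if (any(ip_address(src_ip) in ip_network(n) for n in r.src)
                and any(ip_address(dst_ip) in ip_network(n) for n in r.dst)
                and ("any" in r.svc or svc in r.svc)):
            return r.action
    return default


# Constructed sample: what a console emits for 3 hosts x 2 servers x 2 services,
# plus a deny that sits between two permits it overlaps (must stay untouched).
PRIMITIVE_RULES = [
    Rule(H(f"10.1.1.{h}"), H(f"10.9.0.{s}"), S(svc), "permit")
    for svc in ("tcp/443", "tcp/22") for s in (5, 6) for h in (10, 11, 12)
] + [
    Rule(H("10.1.1.10"), H("10.9.0.7"), S("tcp/3389"), "permit"),
    Rule(N("10.1.1.0/24"), H("10.9.0.7"), S("tcp/3389"), "deny"),
    Rule(H("10.1.1.13"), H("10.9.0.7"), S("tcp/3389"), "permit"),
]

if __name__ == "__main__":
    simplified = simplify(PRIMITIVE_RULES)
    print(len(PRIMITIVE_RULES), "rules ->", len(simplified))
    for flow in [("10.1.1.13", "10.9.0.7", "tcp/3389"), ("10.1.1.12", "10.9.0.6", "tcp/22")]:
        assert evaluate(PRIMITIVE_RULES, *flow) == evaluate(simplified, *flow)
```

On the sample, the twelve permits collapse to a single rule with three-member source, two-member destination and two-member service objects, while the two permits around the deny are left alone because merging them would move the second permit above a deny that covers it.  A production version would also split an unsafe group into the sub-runs that are safe, rather than skipping it, and would run the evaluator over every source/destination/service combination the rules mention rather than a handful of flows.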

When multiple firewall configurations are involved, it is also good practice to standardize the objects used across the firewalls for better management. Athena Security has special tools and processes for object standardization and automated generation of all the firewall configurations using the standardized objects.

Check out FirePAC’s features for rule and object cleanup.  You can download it for free and have it up and running in minutes.

Standardizing Network and Service Objects across Firewalls

Thursday, July 15th, 2010

Network and service objects are widely used by firewall engineers when implementing firewall policy. In an environment with a large number of firewalls, it is highly recommended that all common objects across the firewall inventory be standardized. Without standardization, the same object can be created separately in different firewalls for commonly used services or IP addresses, or, worse, the same object name can be bound to different definitions. Objects with the same name but different definitions (called Conflict Objects) can cause configuration errors. Objects with different names but the same definition (called Redundant Objects) unnecessarily increase the size of the object library and can lead to redundant rules in the configuration.

Object standardization involves the following steps applied across all the firewalls in the inventory:

  1. Find all objects in all firewalls in the inventory
  2. Identify conflicting and redundant objects based on object name and definition
  3. Rename objects where needed
  4. Replace each set of redundant objects with a single object
  5. Replace an object with another object
  6. Split an object into smaller objects
  7. Resolve conflicts between objects
  8. Update all configurations with the new object names and definitions
  9. Validate the changes in each configuration

If all firewalls are already managed by a single management console, e.g. Cisco CSM, an object modification made in the console can be propagated to all referring objects and rules across all managed firewalls. When many objects are modified at once this is very dangerous, because the console does not evaluate the impact of the changed configurations on network security. Moreover, consolidation of redundant objects cannot be done through such a console, because it does not search for and merge objects by their IP addresses and port values, only by name.
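The steps above, as added example code written for this page (not the FirePAC tool or its output): definitions are canonicalized so that objects are matched by their IP addresses and port values rather than by name, conflict and redundant objects are listed, a global mapping table is built and applied per firewall, and every rule is checked to still resolve to the same members and action, which is the validation step a console skips.  The inventory, object names, rule format and the numeric-suffix convention for conflicts are assumptions for the example.

```python
"""Object standardization across a firewall inventory: identify conflicting and
redundant objects by canonical definition, build the global mapping table, apply
it, and verify that every rule still resolves to the same addresses and services.
Example code for this page; inventory, rules and object names are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_network


def canonical(definition):
    """Canonical members, so "10.9.0.5", "10.9.0.5/32" and "10.9.0.5 255.255.255.255"
    compare equal, as do "tcp/443" and "TCP/443"."""
    members = []
    for m in definition:
        if m.split("/", 1)[0].isalpha():             # service: proto/port or "icmp"
            members.append(m.lower())
        else:                                         # network: CIDR or "addr mask"
            members.append(str(ip_network(m.replace(" ", "/"), strict=False)))
    return tuple(sorted(members))


def inventory_table(inventory):
    """Step 1: flatten {firewall: {name: members}} into (fw, name, canonical) rows."""
    return [(fw, name, canonical(d)) for fw, objs in inventory.items()
            for name, d in objs.items()]


def find_conflicts(rows):
    """Step 2a: same name, different definitions (Conflict Objects)."""
    defs = defaultdict(set)
    for _, name, cdef in rows:
        defs[name].add(cdef)
    return {n: d for n, d in defs.items() if len(d) > 1}


def find_redundant(rows):
    """Step 2b: different names, same definition (Redundant Objects)."""
    names = defaultdict(set)
    for _, name, cdef in rows:
        names[cdef].add(name)
    return {d: n for d, n in names.items() if len(n) > 1}


def build_mapping(rows):
    """Steps 3-7 as one table {(fw, old_name): standard_name}. Each definition keeps
    its most-used name; a name already claimed by another definition (a conflict)
    gets a numeric suffix so the two remain separate objects."""
    by_def = defaultdict(Counter)
    for _, name, cdef in rows:
        by_def[cdef][name] += 1
    taken, standard = set(), {}
    for cdef, names in sorted(by_def.items(),
                              key=lambda kv: (-sum(kv[1].values()), kv[0])):
        best = min(names, key=lambda nm: (-names[nm], nm))
        cand, i = best, 1
        while cand in taken:
            i += 1
            cand = f"{best}_{i}"
        taken.add(cand)
        standard[cdef] = cand
    return {(fw, name): standard[cdef] for fw, name, cdef in rows}


def resolve(rule, objects):
    """What a rule actually matches: its objects expanded to canonical members."""
    return tuple(canonical(objects[rule[f]]) for f in ("src", "dst", "svc")) + (rule["action"],)


def apply_mapping(fw, objects, rules, mapping):
    """Step 8: rewrite one firewall's object library and its rule references."""
    new_objects = {mapping[(fw, n)]: d for n, d in objects.items()}  # redundant names collapse
    new_rules = [{**r, **{f: mapping[(fw, r[f])] for f in ("src", "dst", "svc")}}
                 for r in rules]
    return new_objects, new_rules


def validate(objects, rules, new_objects, new_rules):
    """Step 9: every rule must resolve to the same members and action as before."""
    return ([resolve(r, objects) for r in rules]
            == [resolve(r, new_objects) for r in new_rules])


def standardize(inventory, rules_by_fw):
    """Run the whole procedure; refuse to return a firewall whose policy changed."""
    mapping = build_mapping(inventory_table(inventory))
    result = {}
    for fw, objs in inventory.items():
        rules = rules_by_fw.get(fw, [])
        new_objs, new_rules = apply_mapping(fw, objs, rules, mapping)
        if not validate(objs, rules, new_objs, new_rules):
            raise ValueError(f"{fw}: policy changed after object mapping")
        result[fw] = (new_objs, new_rules)
    return mapping, result


# Constructed sample inventory: three firewalls, one redundant pair of network
# objects, one redundant pair of service objects, one conflicting name (MGMT_NET),
# and one rule on fw-dc2 that references objects being renamed or merged.
INVENTORY = {
    "fw-dc1":    {"WEB_SERVERS": ["10.9.0.5", "10.9.0.6"], "HTTPS": ["tcp/443"],
                  "MGMT_NET": ["10.1.1.0/24"]},
    "fw-dc2":    {"WEB_SRV": ["10.9.0.6/32", "10.9.0.5/32"], "HTTPS": ["TCP/443"],
                  "MGMT_NET": ["10.1.2.0 255.255.255.0"]},   # same name, different net
    "fw-branch": {"WEB_SERVERS": ["10.9.0.5", "10.9.0.6"], "HTTPS_SVC": ["tcp/443"],
                  "MGMT_NET": ["10.1.1.0/24"]},
}
RULES = {"fw-dc2": [{"src": "MGMT_NET", "dst": "WEB_SRV", "svc": "HTTPS", "action": "permit"}]}
```

Running `standardize(INVENTORY, RULES)` maps WEB_SRV to WEB_SERVERS and HTTPS_SVC to HTTPS, keeps MGMT_NET on the two firewalls that agree on it, and renames the conflicting copy on fw-dc2 to MGMT_NET_2, so the fw-dc2 rule is rewritten to reference MGMT_NET_2, WEB_SERVERS and HTTPS while still resolving to exactly the same addresses and port.  The mapping table is the artifact to review before any change is pushed; the `validate` check is what makes a bad mapping (say, a typo that points a rule at the wrong object) fail loudly instead of silently changing policy.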

One of our customers, a Fortune 500 company, encountered many problems when they started their company-wide object standardization project. They were attempting to deploy Cisco CSM to manage a couple of hundred Cisco firewalls. However, CSM does not resolve conflict objects; it simply creates new objects with a suffix of 1, 2 etc. Had they blindly deployed CSM, a huge manual effort would have been necessary to resolve and consolidate an object library of more than 10k objects. Among the issues they encountered that would have delayed their project significantly were:

  1. The Cisco firewall CLI (prior to ASA 8.3) does not support object rename or replacement. A new object has to be created, and all referring rules and objects have to be found and replaced manually.
  2. The Cisco firewall CLI does not support replacing an object within a rule. A new rule with the replacing object(s) has to be created manually and inserted at the proper position within the access list.
  3. Cisco firewalls do not support splitting an object. New object(s) have to be created, and all referring rules or objects have to be found and replaced manually.
  4. After the standardization process, no validation can be done except a simple text compare.
  5. Manual standardization is very time consuming and error-prone. It took about one week to standardize one firewall, with no guarantee of accuracy.

With the help of the Athena FirePAC Object Standardization tool, the customer’s object standardization effort was reduced significantly, for the following reasons:

  1. The overall standardization workload was reduced substantially.
  2. The FirePAC rule/object cleanup tool removed redundant rules (more than 30% of the rulebase) and unreferenced objects.
  3. A global object table was exported from FirePAC, with objects grouped by firewall, object name and object definition. All conflict objects were identified automatically and treated as separate objects.
  4. A global object mapping table covering every object in the inventory was defined and imported into FirePAC.
  5. The various mapping types, rename, replace, modify and split, were all handled by FirePAC.
  6. Object mapping scripts were generated automatically by FirePAC, taking rule sequence and object member hierarchy into account.
  7. FirePAC rule/object compare and policy compare provided solid validation of the new firewall configuration after the object standardization.

Overall, the object standardization took only half a day per firewall, with guaranteed accuracy.  The customer said “FirePAC has contributed greatly to the success of our object standardization project”.

[Screenshot from the original post, not reproduced here: the object mappings and the mapping scripts (at the top of the screen) generated by FirePAC.]

Check out more about FirePAC through these videos: Impact Analysis, Rule/Object Cleanup, and Object Standardization.



Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerify™ and Athena FirePAC™ are trademarks of Athena Security, Inc.