Firewall Wizards mailing list archives

Q. Enterprise firewall Management Tool - Am I dreaming?


From: Alan Morewood <morewood () on bell ca>
Date: Fri, 2 Oct 1998 10:04:40 -0400 (EDT)


Firewall vendors have asked me, when I have reviewed their firewalls, what it
is I would add or change to their product.  My response is that I have not seen
a firewall with an enterprise management system.


This type of management system would give the project contacts the ability to
fill in most of their access requirements in a very short notice.  The data
would be entered into the firewall management system in a format which would
allow a firewall manager to merely approve or deny a request.  Rules would
be removed automatically when they expire.  Contact information would stay
up to date, within a year or whatever period is defined as the maximum expiry
period for a project/contract.  The auditors would have something to audit
against which would have all the necessary information.  Most importantly,
it moves some of the management costs to the individual projects reducing the
costs allocated to the firewall group.  Further, it would facilitate the work
of the firewall group and would ease tracking of project requests; when a
project contact claims requests take too long to process the firewall group
could easily identify when the request for access arrived.  Sometime in the
future it may even be feasible to have digital signatures used to ensure that
the project contact is really the project contact and that the firewall
approval is done by a firewall manager.

This type of database with nice (web) forms and queries would take a while to
develop.  Perhaps a company like Jetform already has a tool to do this? Or
maybe one of the firewall vendors or third party vendors has something like
this for specific firewall products?

 There are a few key parts to this:
  . The users fill in the data; it is only approved by the firewall group
    (client software should already be available if possible)
  . rules get removed automatically when they expire
  . users get warned that their access is about to expire

Anybody have any ideas as to any products which can do all this? I would think
that a firewall vendor would have a significant advantage on the market if they
had a product which could do this.  Further, a vendor neutral version of this
could become a big player in the market.

In a large company, routers with ACLs managed using such a tool would probably
be more secure than the most technically advanced firewalls managed without
such a tool.


Al


Here is the way that I see an enterprise firewall management system:

 1. a project leader goes to a web page and fills in some details
    which are automatically entered into a database:
     . project name
     . project purpose
     . project sensitivities
     . project contacts (business, technical, etc..) (phone & email address)
     . project start date
     . project end date
     . etc...

    My idea of a project might be a single administrator who has hired an
    external contractor to develop an application, or it could be an enterprise
    wide service which is contracted to a specific department on a private
    portion of an enterprise WAN.

    The project contact(s) will most likely be employees.

 2. the project leader then fills in the rules that are necessary for
    her project.

    i.e. access
        from: XYZ.company
           (maybe list from IP network, if known)
        via: (selected gateway if known)
        to: site 10.0.1.126/32 service http

        Both the site and the service field would need to be flexible
        to allow many sites/services, and to allow specific port numbers.

        Perhaps some form of batch uploads are needed, although this could
        be handled using a different front end if necessary.

 3. the firewall department then reviews the access requirements to see if they
    meet the corporate standards.  If all is acceptable, then the rules are
    approved.  Timestamp and firewall manager identified.

 4. the project leader then identifies who from the remote site is authorized
    to access her project

    i.e.  access from "Joe Blow", if firewall does user authentication
    or    access from "10.2.0.1", if firewall is based on IP address

    if "Joe Blow" is external to the company, then an account would
    need to be generated which identifies Joe, what company he works
    for, the expiry date of his contract, etc.
    
 5. the firewall department then adds user Joe to the list of authorized
    users, or completes the access requirement list source IP address
    if authentication at the firewall is not being done.

 6. Every night, or continuously, an extract is done from the firewall
    database.  The query would begin by looking for projects, user and
    rule expire dates and see if any expire within the next 30 days;
    if so email is sent to the project contact to ensure that she is
    aware of a rule set which is about to expire.

    Then, a query is done to find all approved rules for
    firewall A which are "started" but not "expired" and these rules
    are extracted from the database.  These rules would then need
    to be formatted into something the firewall understood.  Perhaps
    ACLs for a router, perhaps commands for a firewall interface;
    depending on the platform only the deltas might be sent.

    Similar queries would be run for all other firewalls.
-end
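As an added example, not part of the post and not any vendor's product, here is a standard-library Python sketch of the database and the two nightly queries described in step 6: warn project contacts whose rules (or projects) expire within 30 days, then extract the approved, started, not-expired rules for one firewall and render them as ACL lines. The table layout, the Cisco IOS-style ACL output, and every project, contact and address are constructed for illustration.

```python
"""Added example: expiry-driven rule database with the nightly extract.
Schema, sample data and output format are constructed, not from the post."""
import ipaddress
import sqlite3
from datetime import date, timedelta

# Fixed "today" so the run is reproducible; constructed to match the post's date.
TODAY = date(1998, 10, 2)

SCHEMA = """
CREATE TABLE project (
    id            INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    contact_email TEXT NOT NULL,
    start_date    TEXT NOT NULL,   -- ISO-8601 dates compare correctly as text
    end_date      TEXT NOT NULL
);
CREATE TABLE rule (
    id          INTEGER PRIMARY KEY,
    project_id  INTEGER NOT NULL REFERENCES project(id),
    firewall    TEXT NOT NULL,     -- enforcement point this rule is deployed on
    src_net     TEXT NOT NULL,     -- CIDR, e.g. "10.2.0.0/24"
    dst_host    TEXT NOT NULL,
    dst_port    INTEGER NOT NULL,
    start_date  TEXT NOT NULL,
    end_date    TEXT NOT NULL,
    approved_by TEXT,              -- NULL until a firewall manager approves (step 3)
    approved_at TEXT
);
"""


def build_sample_db(today=TODAY):
    """In-memory database populated with constructed projects and rules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    def d(days):  # ISO date relative to today
        return (today + timedelta(days=days)).isoformat()

    conn.executemany(
        "INSERT INTO project VALUES (?,?,?,?,?)",
        [(1, "payroll-vendor", "pay-lead@example.invalid", d(-300), d(10)),
         (2, "marketing-site", "mkt-lead@example.invalid", d(-30), d(200)),
         (3, "old-pilot", "pilot-lead@example.invalid", d(-400), d(-1))])
    conn.executemany(
        "INSERT INTO rule VALUES (?,?,?,?,?,?,?,?,?,?)",
        [  # approved, in force, expires in 10 days: warned about and exported
         (1, 1, "fw-a", "10.2.0.0/24", "10.0.1.126", 80, d(-300), d(10), "fwmgr1", d(-299)),
         # approved, in force, long-lived: exported only
         (2, 2, "fw-a", "192.0.2.0/24", "10.0.1.200", 443, d(-30), d(200), "fwmgr2", d(-29)),
         # approved but expired yesterday: dropped from the extract automatically
         (3, 3, "fw-a", "10.9.0.0/16", "10.0.1.10", 22, d(-400), d(-1), "fwmgr1", d(-399)),
         # requested by the project, never approved: never reaches a firewall
         (4, 2, "fw-a", "192.0.2.0/24", "10.0.1.201", 8080, d(-30), d(200), None, None),
         # approved but its start date is still in the future: not yet "started"
         (5, 2, "fw-a", "192.0.2.0/24", "10.0.1.202", 25, d(5), d(200), "fwmgr2", d(-1)),
         # approved and in force, but belongs to another firewall
         (6, 2, "fw-b", "192.0.2.0/24", "10.0.2.5", 443, d(-30), d(200), "fwmgr2", d(-29))])
    conn.commit()
    return conn


def expiring_soon(conn, today=TODAY, window_days=30):
    """Rules whose effective end (rule or project end, whichever comes first)
    falls inside the warning window: (contact_email, project, rule_id, end)."""
    lo = today.isoformat()
    hi = (today + timedelta(days=window_days)).isoformat()
    return conn.execute(
        """SELECT p.contact_email, p.name, r.id, MIN(r.end_date, p.end_date)
           FROM rule r JOIN project p ON p.id = r.project_id
           WHERE MIN(r.end_date, p.end_date) > ? AND MIN(r.end_date, p.end_date) <= ?
           ORDER BY r.id""", (lo, hi)).fetchall()


def active_rules(conn, firewall, today=TODAY):
    """Approved rules for one firewall that are started but not expired,
    and whose project has not itself ended."""
    t = today.isoformat()
    return conn.execute(
        """SELECT r.id, r.src_net, r.dst_host, r.dst_port
           FROM rule r JOIN project p ON p.id = r.project_id
           WHERE r.firewall = ? AND r.approved_by IS NOT NULL
             AND r.start_date <= ? AND r.end_date > ? AND p.end_date > ?
           ORDER BY r.id""", (firewall, t, t, t)).fetchall()


def to_acl(rows, acl_number=101):
    """Render extracted rows as Cisco IOS-style extended ACL lines (one of the
    target formats the post mentions); closes with an explicit deny."""
    lines = []
    for rule_id, src_net, dst_host, dst_port in rows:
        net = ipaddress.ip_network(src_net)
        lines.append(f"access-list {acl_number} remark rule {rule_id}")
        lines.append(f"access-list {acl_number} permit tcp {net.network_address} "
                     f"{net.hostmask} host {dst_host} eq {dst_port}")
    lines.append(f"access-list {acl_number} deny ip any any")
    return lines


if __name__ == "__main__":
    db = build_sample_db()
    for email, project, rule_id, end in expiring_soon(db):
        print(f"WARN {email}: rule {rule_id} of {project} expires {end}")
    print("\n".join(to_acl(active_rules(db, "fw-a"))))
```

Run as a script it prints one warning (the payroll rule that ends in ten days) and the fw-a ACL containing only rules 1 and 2: the expired, unapproved, not-yet-started and other-firewall rules never leave the database, which is the "rules get removed automatically" property the post asks for. Sending only deltas per platform, as the post suggests, would be a diff of this output against the previous night's.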