AlgoSec Inc. 1
Managing your firewalls in a segmented architecture,
maintaining a level of compliance and remediating the risks tied to
changes in security policies
Avishai Wool, Ph.D.
AlgoSec CTO & Co-Founder

Managing your firewalls in a segmented architecture, maintaining compliance, and remediating risks related to evolving security policies
(Translation based on BabelFish…)

Agenda
▪ Background
▪ AlgoSec Firewall Analyzer
  • Firewall operations efficiency
  • Enhance security and compliance through automation
  • Improve firewall performance, stretch device lifespan
▪ AlgoSec FireFlow
  • Change Workflow Automation
▪ Live demo

Background: Firewalls become Overgrown
▪ Firewall configurations become overgrown over the years:
  • Constant rate of rule changes (dozens of changes per week!)
  • Multiple administrators, staff turnover, outsourcing
▪ Examples we’ve seen:
  • Check Point Firewall with 200-1,500 rules and 1,000-20,000 objects
  • PIX configuration with 400-50,000 lines
▪ Challenges:
  • Industry statistics: 20-30% of firewall rule changes are not needed!
  • Extend the lifespan of devices in use

Complexity Leads to Problems
▪ Performance and management problems
  • Firewall slows down – may become a bottleneck
  • Hardware size limitations – may need bigger hardware
  • Slow and cumbersome management interface
  • Hard to manage and time consuming
▪ Security risks:
  A survey of the firewall policies of 30 US-based large corporations suggests that all complex policies are exposed to serious risk.
  Rule-base complexity = Rules + Objects + (Interfaces)**2
by Intelligent Automation of
Requirements for Security Management
Cost Saving Governance

About AlgoSec
Confidential
Telecom • Energy • Transportation • Commercial • Government • Automotives • Hi-Tech • Big-4 Auditing Firms • Financial
Our prosperity is driven by 100% customer satisfaction
▪ The established leader of Firewall, Router & VPN Policy Lifecycle Management
▪ Over 300 customers; 5 Patents pending

AlgoSec Products
FireFlow: Intelligent Workflow for Network Security
Unique firewall & topology aware workflow allows: Auto plan • Auto validate • Governance • Operational efficiency • Auto-document activities • Integrates with existing systems
AlgoSec Firewall Analyzer (AFA): Intelligent Analysis for Network Security
Unique firewall & topology simulation allows: Operational efficiency • Cleanup • Performance optimization • Audit-ready compliance reports • Risk analysis & metrics • Change monitoring
Challenge: Manual firewall policy analysis is error-prone, expensive and time consuming
Challenge: 20-30% rule changes un-needed • 2-8% changes done wrong • Lack of accountability

AlgoSec Solution Brief
▪ The AlgoSec Firewall Analyzer is the established leading solution for:
  • Firewall, router and VPN operations and change management
  • Risk management, security compliance, audit
  • Policy optimization and configuration cleanup
▪ It is comprehensive, scalable, non-intrusive, easy to deploy and use, and supports all versions of the major firewall platforms in the enterprise market:
  Sun Solaris • Linux • Win-NT • Nokia • SecurePlatform • Alteon • NSF • Provider-1 • SmartCenter • Crossbeam • OPSEC integration
  PIX • FWSM • ASA • IOS Router ACLs
  ScreenOS • NSM
  Virtual Router • Virtual System
▪ The AlgoSec solution provides unmatched visibility, analysis and intelligence into an organization's firewall policies.

AFA – How does it work?
▪ Real-time Monitoring – track changes
▪ Data Collection
  • Rule Base, Log and Routing Table
▪ Analysis
  • Non intrusive, offline analysis
  • Single Firewall, group of firewalls or hierarchically connected firewalls (matrix)
  • Analyze the traffic, not just the rules text
  • Patented 5-dimensional algorithms calculate how the firewall will respond to every potential packet it may encounter
▪ Knowledge Base
  • Compare the policy to built-in industry best practices

AFA Solution: Network Operations Efficiency
▪ Improve manageability and security: track policy changes in real time
  • Track the 5 W's: What (rules, routing, VPNs, …), Who, When, Where, What is the impact
  • Real-time change alerting
▪ Save time with routing-aware firewall troubleshooting
  • Pinpoint the exact firewalls and rules that block operational traffic
▪ Ease firewall management using policy visualization
  • View firewall policy and connectivity in a format not available on native management consoles - saves time, makes administrative tasks much easier
▪ Enable firewall/server consolidation/migration
  • Consolidation assistance: identify required rule changes
  • Firewall migration assistance: policy comparison

AFA Solution: Extend Firewall Lifespan and Performance
▪ Improve performance through intelligent rule reordering
  • Based on log analysis
▪ Improve performance by cleanup:
  • Rules: unused, duplicate, covered, disabled, timed out
  • Objects: unused, unattached, duplicate, empty
  • VPN: unused, unattached, expired, users and groups
  • Support log analysis for over a year
  • Analyze historical logs
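The "duplicate" and "covered" rule categories on the cleanup slide can be found by comparing each rule with the rules above it in a first-match rule base. The sketch below is an added example, not AlgoSec's algorithm or code; the Rule fields, the sample rules and the "shadowed" label (covered by an earlier rule with the opposite action) are assumptions, and it compares rules pairwise only, so a rule covered by the union of several earlier rules is not reported.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:              # hypothetical, simplified rule model
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: range         # destination TCP ports
    action: str          # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and b.ports.start >= a.ports.start
            and b.ports.stop <= a.ports.stop)

def cleanup_candidates(rules):
    """Walk a first-match rule base and report rules that can never fire."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if not covers(earlier, later):
                continue
            if covers(later, earlier) and earlier.action == later.action:
                kind = "duplicate"   # same match set, same action
            elif earlier.action == later.action:
                kind = "covered"     # redundant: removing it changes nothing
            else:
                kind = "shadowed"    # its action is never applied
            findings.append((later.name, kind, earlier.name))
            break                    # first covering rule is enough
    return findings

# Constructed sample rule base (not from the presentation)
RULES = [
    Rule("r1", "10.0.0.0/8", "192.168.10.0/24", range(443, 444), "allow"),
    Rule("r2", "10.1.0.0/16", "192.168.10.5/32", range(443, 444), "allow"),
    Rule("r3", "10.0.0.0/8", "192.168.10.0/24", range(443, 444), "allow"),
    Rule("r4", "10.2.3.0/24", "192.168.10.0/24", range(443, 444), "deny"),
    Rule("r5", "10.0.0.0/8", "192.168.20.0/24", range(22, 23), "allow"),
]

if __name__ == "__main__":
    for name, kind, by in cleanup_candidates(RULES):
        print(f"{name}: {kind} by {by}")
```

A shadowed deny rule such as r4 deserves review before removal, since the traffic it was meant to block is currently allowed by r1.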

AFA Solution: Intelligent Automation of Risk & Compliance
▪ Automated Industry Best Practice (IBP) risk analysis
  • Out-of-the-box usability based on AlgoSec IBP Knowledgebase
  • Shows risks ranked by severity and lists all risky rules
  • Provides details on risks found, offers remediation guidance
▪ Friendly customizations to conform with internal policies
  • Easy to use risk customization, trusted traffic, user-defined zone types
  • Ensures each firewall conforms to organization-specific security policy
▪ Automatically completed compliance reports
  • SOX, PCI-DSS, J-SOX, ISO 27001
▪ VPN risk analysis
  • Identify risks associated with VPN rules and objects

AlgoSec Delivery Options
▪ Two hardware appliance models:
  • AlgoSec 1020 – entry level
    • CPU: Dual Core
    • Memory: 4GB (1GB DDR2/667 x 4)
  • AlgoSec 1080 – high-performance, enterprise level
    • CPU: 8-Core
    • Memory: 16GB (2GB FB-DIMM x 8)
▪ Pre-built VMware “soft-appliance”
▪ Software only

Product Demo
Feature Overview
Security. Visibility. Governance.

FireFlow
Network Security Policy Change Workflow Automation

Firewall policy change process overview
▪ Business units make firewall change requests
  • Often many requests per week
  • The process of meeting the requests is complex
  • Involves multiple people in different organizations
  • Involves several approvals and checks
  • Subject to audit and regulation
  • Change planning, risk assessment rely on personal expertise
  • Industry statistics: 20-30% of implemented rule changes are not needed!
▪ Existing systems are focused on process administration

Current Challenges
▪ Delays and mistakes create inefficiency and time waste
▪ Actual change may differ from original request
▪ Actual change may differ from what was approved
▪ Variable levels of expertise may introduce mistakes
▪ SLA is hard to maintain
▪ Poor visibility increases cost:
  • Where are we in the process?
  • Who requested / approved / implemented the change?
  • Why was a change made?
  • What are the impacts of a change?

FireFlow within Your Organization
[Diagram lanes: End-user (Business Unit) • Information Security • Network Operations / Network Administration • Firewall]
▪ Create Change Request (existing system, web form, email)
▪ Translate vague request into technical requirement. Check if rule-change needed. Cost saving: avoid unneeded changes
▪ Assess risk of suggested change, approve change
▪ Auto-create work order, create checklist of rules and firewalls to be modified
▪ Auto-detect policy changes, match to requests
  • Apply modified policy
  • Policy was modified! A matching request was found.
▪ Notify stakeholders of successful completion of change
▪ Create Flexible Reports, Visibility, and Measurable Results
  • Audit and compliance; CIO, Management; Network Operations
  • Efficiency metrics, SLA reports
  • Unauthorized Changes
  • Delayed requests, Internal billing
  • Audit Trail, Documentation
  • Archive

Request and Auto planning stages in FireFlow
▪ Request
  • Translate vague incoming requests into technical requirements
    • Convert DNS names to IP addresses
    • Convert port ↔ firewall service name
▪ Auto Plan
  • Identify if a policy change is needed at all
  • Auto identify which devices participate in change process

Risk Check and Approval
▪ Check and Approve
  • Identify introduction of new risks, alert if non regulation compliant
  • Approve for implementation, or send to re-plan
▪ Issue Work Order
  • Auto-build rule change recommendation

Reconciliation: Auto-match change and request
▪ Validate
  • Ensure that implemented policy meets the request
▪ Reconcile
  • Ensure that all requests get implemented
  • Ensure that no unauthorized changes are made
▪ Audit
  • View full request history
  • Link modified rules to request history
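The validate and reconcile steps above amount to diffing two rule-base snapshots and matching each new rule against the approved change requests. The sketch below is an added example, not FireFlow code; the dictionary fields, rule names and request IDs are constructed, and it only looks at added allow rules (removed or edited rules would need the same treatment).

```python
from ipaddress import ip_network

def key(r):
    """Normalised (source, destination, port) tuple for a rule or request."""
    return (ip_network(r["src"]), ip_network(r["dst"]), r["port"])

def covers(rule, req):
    """True if the rule permits all of the traffic the request asked for."""
    (rs, rd, rp), (qs, qd, qp) = key(rule), key(req)
    return qs.subnet_of(rs) and qd.subnet_of(rd) and rp == qp

def reconcile(before, after, approved):
    """Compare two rule-base snapshots against the approved requests."""
    old = {key(r) for r in before}
    added = [r for r in after if key(r) not in old]
    report = {"implemented": [], "broader_than_approved": [],
              "unauthorized": [], "not_implemented": []}
    satisfied = set()
    for rule in added:
        hits = [q for q in approved if covers(rule, q)]
        if not hits:
            report["unauthorized"].append(rule["name"])  # no request behind it
            continue
        satisfied.update(q["id"] for q in hits)
        exact = all(key(rule) == key(q) for q in hits)
        bucket = "implemented" if exact else "broader_than_approved"
        report[bucket].append((rule["name"], [q["id"] for q in hits]))
    report["not_implemented"] = [q["id"] for q in approved
                                 if q["id"] not in satisfied]
    return report

# Constructed snapshots and requests (not from the presentation)
BEFORE = [{"name": "r1", "src": "10.0.0.0/8", "dst": "192.168.10.0/24", "port": 443}]
AFTER = BEFORE + [
    {"name": "r2", "src": "10.5.0.10/32", "dst": "172.16.1.20/32", "port": 1433},
    {"name": "r3", "src": "10.6.0.0/16", "dst": "172.16.2.0/24", "port": 22},
    {"name": "r4", "src": "0.0.0.0/0", "dst": "172.16.9.9/32", "port": 3389},
]
APPROVED = [
    {"id": "CR-101", "src": "10.5.0.10/32", "dst": "172.16.1.20/32", "port": 1433},
    {"id": "CR-102", "src": "10.6.7.8/32", "dst": "172.16.2.15/32", "port": 22},
    {"id": "CR-103", "src": "10.9.0.0/24", "dst": "172.16.3.3/32", "port": 8443},
]

if __name__ == "__main__":
    for bucket, items in reconcile(BEFORE, AFTER, APPROVED).items():
        print(bucket, items)
```

The "broader_than_approved" bucket corresponds to the earlier challenge that the actual change may differ from what was approved: r3 satisfies CR-102 but opens a /16 to a /24 where a single host pair was requested.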
Network Security Change Lifecycle. FireFlow™
Any questions before live demo?