FireMon, which makes software to manage, audit, and automate firewall policy configurations, has announced a forthcoming update to its Security Manager software called Intelligent Policy Automation (IPA) for Cloud.
IPA for Cloud can automate changes to security groups in AWS virtual private clouds. (In an AWS VPC, a security group serves as a virtual firewall where administrators set rules for inbound and outbound access.)
And because IPA for Cloud is part of FireMon’s Security Manager platform, those AWS changes can be coordinated among firewalls on premises.
Changing firewall rules is often a slow process that involves multiple, manual steps. These include reviewing the request, identifying the number of devices between the user and the application, figuring out the necessary changes, and then assigning a network or security engineer who will access each firewall and security group and update the rules by hand.
IPA for Cloud automates as much of the process as possible, or as much of it as the organization is comfortable automating.
The software integrates with ticketing systems such as ServiceNow, so when a request comes in the software will first determine if access is already available.
If not, the software identifies the firewalls in the path and makes a change recommendation. IPA for Cloud can send this recommendation to a human for approval or modification, though customers who are comfortable with the software can skip this step.
Then the software automatically communicates with the firewalls and security groups and makes the necessary changes. In the case of AWS, the software uses API calls to the VPC to update security group rules.
“Firewall changes take an average of two weeks,” said Matt Dean, VP of Product Management at FireMon, in an interview. “Organizations are trying to get that down to under one hour.”
Check Your Work
Any configuration change is fraught with peril because a mistake can have unintended consequences. That’s especially true for security controls, where errors can result in breaches, data loss, compliance violations, and other unpleasant outcomes.
That’s why administrators and engineers are often reluctant to automate configuration and rule changes. What if the machine gets it wrong?
It’s a reasonable fear, though in truth people are at least as likely to screw up as software.
To help overcome automation objections, FireMon says IPA for Cloud lets customers customize the workflow to ensure that all requirements are included in the process. The company also says it can simulate the change before it happens to assess the potential impact, and check to ensure that changes won’t violate compliance policies.
Given the complexity of firewall rule sets, if I were a potential customer I’d be curious to see just how comprehensive this simulation is and how it’s assembled and tested.
That said, it sounds like a useful feature to assure administrators and engineers that they won’t get bitten by automation.
FireMon also offers a rollback function if a change needs to be reverted.
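The workflow described above (check whether access already exists, recommend a change, let a human approve or modify it, screen it against compliance policy, assess impact before applying, and keep a rollback copy) can be modelled in a few dozen lines. The following is an added example written for this article; it is not FireMon's code and says nothing about how Security Manager is implemented. The security group, the access requests, the sample flows used for the impact check and the compliance policy are all constructed for the example, and the rule model follows the AWS convention of permit-only ingress rules with "-1" meaning all protocols.

```python
"""Constructed model of a security-group change workflow: check existing
access, recommend a least-privilege rule, screen it against policy,
simulate its impact, apply it, and keep a snapshot for rollback."""
from __future__ import annotations
import copy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL_PROTO = "-1"  # AWS convention for "all protocols" in a security group rule


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", "icmp" or ALL_PROTO
    from_port: int   # inclusive port range; ignored when proto is ALL_PROTO
    to_port: int
    cidr: str        # source CIDR of an ingress rule


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)


@dataclass(frozen=True)
class AccessRequest:
    src_ip: str
    proto: str
    port: int


def rule_allows(rule: Rule, req: AccessRequest) -> bool:
    """True when one ingress rule permits the requested flow."""
    if ip_address(req.src_ip) not in ip_network(rule.cidr, strict=False):
        return False
    if rule.proto == ALL_PROTO:
        return True
    return rule.proto == req.proto and rule.from_port <= req.port <= rule.to_port


def is_access_allowed(sg: SecurityGroup, req: AccessRequest) -> bool:
    """Security group rules are permit-only, so any matching rule allows the flow."""
    return any(rule_allows(r, req) for r in sg.ingress)


def recommend_change(req: AccessRequest) -> Rule:
    """Least-privilege recommendation: exactly one host and one port."""
    return Rule(req.proto, req.port, req.port, f"{req.src_ip}/32")


# Constructed compliance policy: no all-protocol rules, and administrative
# ports must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def policy_violations(rule: Rule) -> list:
    problems = []
    if rule.proto == ALL_PROTO:
        problems.append("rule permits all protocols")
    if ip_network(rule.cidr, strict=False).prefixlen == 0:
        covers_admin = rule.proto == ALL_PROTO or any(
            rule.from_port <= p <= rule.to_port for p in ADMIN_PORTS)
        if covers_admin:
            problems.append("admin port exposed to 0.0.0.0/0")
    return problems


def simulate_change(sg: SecurityGroup, rule: Rule, flows: list) -> list:
    """Pre-change impact check: which of the given flows of interest would the
    candidate rule newly permit (i.e. they are blocked today)?"""
    return [f for f in flows if not is_access_allowed(sg, f) and rule_allows(rule, f)]


def process_request(sg: SecurityGroup, req: AccessRequest, flows: list,
                    override: Rule | None = None) -> dict:
    """Run one request through the workflow. `override` stands in for a
    reviewer modifying the recommended rule before it is applied."""
    if is_access_allowed(sg, req):
        return {"status": "already_allowed", "group": sg}
    rule = override or recommend_change(req)
    problems = policy_violations(rule)
    if problems:
        return {"status": "blocked_by_policy", "problems": problems, "group": sg}
    impact = simulate_change(sg, rule, flows)
    snapshot = copy.deepcopy(sg)  # kept so the change can be rolled back
    new_sg = SecurityGroup(sg.group_id, sg.ingress + [rule])
    return {"status": "applied", "rule": rule, "newly_allowed": impact,
            "rollback": snapshot, "group": new_sg}


# Constructed sample data: a web-tier group and a handful of flows of interest.
WEB_SG = SecurityGroup("sg-0example", [Rule("tcp", 443, 443, "0.0.0.0/0"),
                                       Rule("tcp", 22, 22, "10.0.0.0/8")])
SAMPLE_FLOWS = [AccessRequest("10.1.2.3", "tcp", 22),
                AccessRequest("203.0.113.5", "tcp", 22),
                AccessRequest("203.0.113.5", "tcp", 443),
                AccessRequest("198.51.100.7", "tcp", 8080)]

if __name__ == "__main__":
    for req, override in [(AccessRequest("10.1.2.3", "tcp", 22), None),
                          (AccessRequest("198.51.100.7", "tcp", 8080), None),
                          (AccessRequest("203.0.113.5", "tcp", 22),
                           Rule("tcp", 22, 22, "0.0.0.0/0"))]:
        result = process_request(WEB_SG, req, SAMPLE_FLOWS, override)
        print(req, "->", result["status"], result.get("problems", ""))
```

The three sample requests exercise the three paths: access that already exists is reported without a change, a new request gets a one-host, one-port rule whose impact is limited to the requesting flow, and a reviewer's broadened rule opening port 22 to the internet is stopped by the policy check before anything is applied. The original group object is never mutated; the applied result carries both the new group and the pre-change snapshot.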
IPA for Cloud only works with AWS at present, but FireMon plans to support other public clouds.