Large enterprise networks change by the minute: users are added, access paths are opened and closed, rules are changed. Ensuring that each and every change complies with internal and regulatory security policies is a tedious, time-consuming process.

A typical firewall change management workflow includes multiple steps or phases, where different actions are performed. The process is slightly different for each organization, and your security team might combine a couple together or break them into more phases, but essentially these steps are the foundation of change management.

Here’s a look at how the firewall change management phases are typically handled in organizations we’ve talked to, and how integration with Skybox Security’s analytics engine can improve the process by reducing effort and risk.

Change Request

In this stage the desired network access is described. Sometimes this is done in technical terms; for example, “IP address to IP address over a service port”. Other times the request is described in layman’s terms; for example, “allow the Marketing team to access Facebook”. To manage the request phase, most organizations use a ticketing system like Remedy or Service Manager, although sometimes it’s as simple as an email request.

Technical Details

This is when the original request is translated into the explicit changes that need to occur on specific firewalls; for example, creating or modifying rules and objects. This translation requires that the operator understand the network access path between the hosts. In a large organization, manually analyzing a single access path can take hours due to network complexity.

Once the network access path is understood and the firewalls identified, the operator should determine which firewalls already allow this access and which firewalls would need to be changed to allow the requested access. As a manual process this is difficult to do well and is often skipped, resulting in firewalls with overlapping rule sets.

Change management software, such as Skybox Firewall Assurance and Skybox Change Manager, automates this process, significantly reducing the time it takes to determine the path and identify which firewalls need to be changed. This information can be returned to the ticket in seconds, allowing the request to move to the next stage faster.

Risk Assessment

After the request is translated into specific firewall changes, security best practices recommend that the proposed changes be reviewed prior to implementation to understand the risk they would impose on the environment. In many organizations this is a manual change control process in which an IT risk manager “eyeballs” the proposed changes and makes a judgment, possibly after consulting a document or spreadsheet. Not only is this process time-consuming, it also gives no way of knowing whether a firewall change would expose a vulnerability that could be exploited by an attacker or malware.

Skybox can greatly increase the accuracy of security risk assessment by automatically comparing the proposed changes against policy using a predictive analytics technique called “what-if” modeling. Among other benefits, this is useful for compliance management, allowing a company to meet best-practice guidelines and regulations requiring continuous compliance monitoring. Additionally, IT risk can be calculated by identifying host-based vulnerabilities that will be exposed to a new portion of the network.

Reconciliation

After changes are implemented, it is often desirable to have third-party verification that the change made to the firewall exactly matches the request. Without such change verification, misconfigurations that exceed ticket specifications can exist indefinitely, exposing the network to unnecessary risk. Skybox can compare the source, destination, and port of a request with the actual change observed on the firewall and validate that the two match. This helps organizations find implementation mistakes and ensures that all firewall administrators are following the change management process.
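As an added illustration of the reconciliation check described above (example code written for this page, not Skybox’s own): the ticket and the rule observed on the firewall are each described as source CIDRs, destination CIDRs and port ranges, and anything the rule grants beyond the ticket (or fails to grant) is reported. The request and observed rule below are constructed sample values.

```python
import ipaddress
from collections import namedtuple
Access = namedtuple("Access", "sources destinations ports")  # CIDRs and (proto, lo, hi) ranges

def _net_excess(covering, candidates):
    """Parts of `candidates` not covered by any network in `covering`."""
    cover = [ipaddress.ip_network(c, strict=False) for c in covering]
    excess = []
    for cand in (ipaddress.ip_network(c, strict=False) for c in candidates):
        remaining = [cand]
        for r in cover:
            nxt = []
            for part in remaining:
                if part.version != r.version or not part.overlaps(r):
                    nxt.append(part)                     # disjoint: still uncovered
                elif not part.subnet_of(r):
                    nxt.extend(part.address_exclude(r))  # carve out the covered piece
            remaining = nxt                              # fully covered parts drop out
        excess.extend(str(n) for n in remaining)
    return excess

def _port_excess(covering, candidates):
    """Ranges in `candidates` not covered by `covering`, as 'proto/lo-hi' strings."""
    excess = []
    for proto, lo, hi in candidates:
        remaining = [(lo, hi)]
        for cproto, clo, chi in covering:
            nxt = []
            for a, b in remaining:
                if cproto != proto or chi < a or clo > b:
                    nxt.append((a, b))                   # other protocol or disjoint range
                    continue
                nxt += [(a, clo - 1)] if a < clo else []  # uncovered low end
                nxt += [(chi + 1, b)] if b > chi else []  # uncovered high end
            remaining = nxt
        excess.extend(f"{proto}/{a}-{b}" for a, b in remaining)
    return excess

def reconcile(request, observed):
    """excess_*: granted by the rule but not requested; missing_*: requested but not granted."""
    findings = {}
    for field, diff in (("sources", _net_excess), ("destinations", _net_excess), ("ports", _port_excess)):
        req, obs = getattr(request, field), getattr(observed, field)
        findings["excess_" + field] = diff(req, obs)
        findings["missing_" + field] = diff(obs, req)
    return findings                                      # all lists empty == exact match

# Constructed sample: ticket asked for one /24 to one host on tcp/443; the observed rule opened the /16 and tcp/8443.
REQUEST = Access(("10.20.30.0/24",), ("192.0.2.10/32",), (("tcp", 443, 443),))
OBSERVED = Access(("10.20.0.0/16",), ("192.0.2.10/32",), (("tcp", 443, 443), ("tcp", 8443, 8443)))
```

Running `reconcile(REQUEST, OBSERVED)` reports the eight /17 to /24 blocks of 10.20.0.0/16 that lie outside the requested /24 under `excess_sources` and `tcp/8443-8443` under `excess_ports`, with every `missing_*` list empty.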

The Skybox Security Risk Analytics Platform integrates with third-party ticketing systems to ensure continuous monitoring and compliance with firewall policies.

At Skybox, we have seen customers reduce firewall management time by 80 percent or more by implementing this objective, consistent change management process.

For more information about firewall change management, download the Firewall Change Management white paper.