
A Brief History of Firewalls…the Future is Less Obvious

In a recent article on NETASQ, Richard Stiennon provides a “brief history of firewalls and the rise of UTM”.   I have a couple of problems with his conclusions.  However, Richard does a good job describing how the firewall market has evolved over the years and gives his analysis of where it is heading.  He has had a ringside seat to this history and provides a good 15+ year history in 3 paragraphs, bringing us up to today with the recent appearance of Next Generation Firewalls.

My first minor disagreement is with Richard’s view and definition of a UTM.  I do agree the “bad reputation” UTM received in the early days was well deserved.  In my view the UTM market was created by a class of firewalls attempting to disrupt the established firewall vendors by throwing more features in the same box.  These solutions lacked effective management and did not scale to enterprise needs.  Because of this, UTM has become synonymous with “SMB firewall” in my view.  For this reason, I don’t consider a Check Point firewall with an IPS “blade” a UTM any more than I considered the Check Point firewall with VPN functionality in 1998 a UTM.  And I certainly don’t consider a Palo Alto Networks firewall a UTM.  The advancement of the NG firewalls was a new way to manage access (users and applications), not another commodity security product consolidated (crammed) onto the same box.

But that critique is pretty petty as it is just a name.  Richard’s basic history that the firewalls of today do more than the firewalls of yesterday is true.  And it is part of the reason that the demand for FireMon and firewall management solutions in general continues to increase.  New security functionality does not necessarily translate into better security.  It must be effectively managed.

Here is my major critique: the history of consolidating security functionality into the firewall is not necessarily the path of firewall innovation in the years ahead.  The market drivers of data center consolidation, virtualization and cloud computing are changing the role of the firewall.  But, unlike Richard, I don’t think this necessarily means stuffing more into the firewall.  In fact, it may mean just the opposite: purpose-built firewalls for purpose-demanding situations.

Take, for example, the web-hosting DMZ infrastructure.  We wrote about this not long ago here.  A general-purpose firewall only controlling HTTP access between users and web servers is not doing much but slowing down access and barely tapping the capability of the firewall.  However, a firewall with specific knowledge of web access embedded in a load balancer could be very interesting in this scenario (see F5’s recent announcement).

And virtualization is another fast-moving market that will stretch the bounds of firewalls.  While embedding switches in firewalls has been around for a while in UTM devices and will remain a key feature of these SMB devices, it is much more likely for security to get integrated into switches in the enterprise.  Last week, Nicira made public their recent work to manage virtual switches (great read: http://nicira.com/en/platform-for-innovation).  One advantage of creating a software abstraction layer above the physical wires is that it allows “rules” to move with the virtualized network port.  And they are certainly not alone.  Juniper has similar visions and commented on Nicira’s work here.  And Cisco has similar visions with their Nexus 1000v.

But this dynamic network of controlling access per port (and a port that moves around in the network as VMs move) is not asking for some new type of security similar to cramming a new feature into a UTM.  The vision of the dynamic network is demanding dynamic management of security technology we already understand: control access based on application, user, port, protocol and networks.  It is also demanding high performance, which is not often associated with bloated UTM features.

In all cases, complexity is increasing.  Whether it is the increase in features being added to firewalls or the demand to control access at a more granular level, the complexity of the technology is increasing.  And this increase in complexity will demand new management solutions.  As great as the new technology is, unless it is properly managed, it won’t provide the intended security.

2011 A Banner Year For FireMon With Momentum Carrying Into 2012

FireMon announced today what we in the company have known for a while now: 2011 was a spectacular year for us at FireMon, and we are so proud that we want you to know.  Some of the highlights of 2011 for us:

  • 50% year-over-year sales growth in firewall management solutions to enterprises while continuing to achieve profitable business operations for the year.
  • Dramatic new customer growth with over 80 new Fortune 1000, government, healthcare, financial services and service provider customers including enterprises like Accor, American Automobile Association, and EarthLink and MSSPs like GBprotect.
  • Acquired Saperix Technologies and patented risk analysis software developed at MIT Lincoln Laboratory that quantifies risk by identifying both critical threats and the most effective countermeasures.
  • Expanded international operations in EMEA and Asia-Pacific with new executives and technical resources in the United Kingdom, France, Germany and Australia.
  • Increased focus on business and technology partnerships with the addition of proven security industry channel management and business development executives.

The best part of all of this great news though is that we think this really positions us to make 2012 an even better year.  We are poised to really take off as a result of additions to both our team and product line up.

As the people who virtually invented the firewall management space, we are very excited to see firewalls, through the introduction of “next gen firewalls”, become hot again. Security device management and scenario based risk management are two of the most important issues facing organizations. We are uniquely situated to offer solutions and answers to these issues.

In the meantime, congratulations to everyone on the FireMon team for a job well done.  But most of all a huge thank you to our customers and partners, for without you all none of this would be possible. Thanks to all of you and here is to a great 2012!

What is the Impact of a Business Partner Being Breached?

Adam Ely wrote a nice article on Dark Reading (“Tech Insight: What to Do When Your Business Partner Is Breached”) about how to respond when you become aware of a breach of a business partner.  He discusses a very broad array of activities and responses you should consider immediately, on-going and post a breach.

One thing that jumped out at me was the brief mention of understanding your organization’s exposure.   Adam wrote,

“As you’re starting to piece together what occurred, it’s time to understand your organization’s exposure. You’ll need to fully understand what service the partner provides to your organization, the data it possesses, and how you are connected to each other. A breach of a third-party email provider has a different impact than breach of a two-factor authentication vendor. Understanding the total exposure will help you define the risk associated with the breach, the actions you must take, and how fast you must move.”

“Understand your organization’s exposure” is no small task.  In some cases, it’s too late to mitigate; in others, it could be a massive exposure waiting to be exploited.  For example, if the business partner provides a billing service for you, all the records they possess about your customers may already be exposed.  In the case of an application development provider, they may have connected access to critical assets in your organization that are now exposed to a new threat. In all cases, it is important to understand how you are connected to each other in order to monitor and mitigate any further proliferation of the breach.

Understanding the risk from a business partner, whose “threat” value must now be seen as heightened post-breach, can be a very big project.  Sadly, in many enterprises, even the layer 3 network diagram is not up to date enough to provide an accurate picture of partner connections, let alone a complete picture of access.  And, as Adam points out, time is not on our side in this instance.  Quick and effective response to this new threat is critical to limiting the propagation and impact from a partner breach.  Understanding “exposure” from this threat is the key to this response.

Risk Analyzer is designed for just this purpose.  With a threat in mind, understand the exposure of your network from this threat.  Remediation activities like prioritizing vulnerability fixes, mitigation activities like blocking access to some connectivity until resolution is achieved and limiting impacts by actively monitoring (perhaps network recording) all access from the breached partner are all good responses if you understand your exposure.  Getting a clear picture of what is exposed is still the first step.

Adam continues to discuss much more than just the technical next steps, including contract negotiation and breach disclosure steps.  But heeding his advice to understand your exposure and act fast to limit the impacts are key in handling this situation.

Vulnerability (noun): A word vulnerable to misuse

Vulnerability…”I do not think it means what you think it means.”

Continuing our series of posts on Risk, I wanted to next shine a light on one of the most misunderstood, or better yet misused, terms in security: vulnerability.  What does vulnerability mean to you? How is it connected to Risk?

While vulnerability is certainly part of any risk analysis, the term has been co-opted out of all proportion across much of the security and risk management space. This is partly due to the great job that the vulnerability management and patch management vendors have done in bringing vulnerabilities to the forefront of our risk management activities. But as we said in our earlier post, there is more to Risk than vulnerability.

Rather than reinvent the wheel, I wanted to go back to what many consider a seminal piece on the subject: Jack Jones’s An Introduction to Factor Analysis of Information Risk (FAIR). Jones perhaps said it best when he wrote,

A final point is that there’s a tendency to equate vulnerability with risk.  We see a frayed rope (or a server that isn’t properly configured) and automatically conclude that the risk is high.  Is there a correlation between vulnerability and risk? Yes.  Is the correlation linear?  No, because vulnerability is only one component of risk.  Threat event frequency and loss magnitude also are key parts of the risk equation.

So, in spite of this, why have so many gone off the deep end on vulnerabilities? I imagine it is due to highly publicized and severe vulnerabilities that keep being disclosed on a frequent and regular basis, along with the fact that it is the best “measured” factor in security today (see CVSS).  Using a baseball analogy from Moneyball, measuring vulnerabilities to infer risk out of context from threats, other security countermeasures, and other risk factors is similar to tracking the stat “at bats” as a key metric to measure wins.  Related, yes.  Direct correlation, no. Just because there is a vulnerability doesn’t mean it will be exploited, that it can be reached, or that it is worth exploiting. So in measuring risk, it is critical to measure more than just vulnerabilities.

I am not suggesting we stop assessing and measuring vulnerabilities.  However, with risk based products like our Risk Analyzer, I hope we start including some of the other factors that need to be included in our analysis so that we can start measuring risk more completely.
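To make the quoted point concrete, here is a worked calculation using the FAIR decomposition (Risk = Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability, where Vulnerability is the probability that a threat event turns into a loss). This is an added example, not FireMon or Risk Analyzer code and not from Jones’s paper; the three scenarios and all their figures are constructed for illustration. It shows that ranking assets by vulnerability alone produces a different order than ranking them by risk.

```python
"""FAIR-style risk arithmetic: vulnerability is only one factor of risk.

Added illustration, not FireMon's or Jack Jones's code. Uses the FAIR
decomposition  Risk = LEF x Loss Magnitude,  LEF = TEF x Vulnerability,
where Vulnerability is P(threat event becomes a loss event).
All scenario figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: float  # expected threat events per year (TEF)
    vulnerability: float           # P(threat event -> loss event), in [0, 1]
    loss_magnitude: float          # expected loss per loss event, currency units


def loss_event_frequency(s: Scenario) -> float:
    """Expected loss events per year: how often an attempt actually succeeds."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return s.threat_event_frequency * s.vulnerability


def annualized_risk(s: Scenario) -> float:
    """Expected annual loss: loss events per year times loss per event."""
    return loss_event_frequency(s) * s.loss_magnitude


def rank_by_risk(scenarios):
    """Scenarios ordered by annualized risk, highest first."""
    return sorted(scenarios, key=annualized_risk, reverse=True)


def vulnerability_rank_matches_risk_rank(scenarios) -> bool:
    """True only if sorting by vulnerability alone reproduces the risk order."""
    by_vuln = sorted(scenarios, key=lambda s: s.vulnerability, reverse=True)
    return [s.name for s in by_vuln] == [s.name for s in rank_by_risk(scenarios)]


# Constructed scenarios. The first has the worst vulnerability score but is
# rarely attacked and loses little; the second is hard to exploit but sits in
# the path of constant attacks against a high-value asset.
SCENARIOS = [
    Scenario("isolated lab box, unpatched (high-severity finding)",
             threat_event_frequency=0.5, vulnerability=0.9, loss_magnitude=2_000),
    Scenario("internet-facing billing API, well patched",
             threat_event_frequency=500.0, vulnerability=0.02, loss_magnitude=250_000),
    Scenario("internal file share, moderately patched",
             threat_event_frequency=20.0, vulnerability=0.3, loss_magnitude=40_000),
]

if __name__ == "__main__":
    for s in rank_by_risk(SCENARIOS):
        print(f"{annualized_risk(s):>12,.0f}/yr  vuln={s.vulnerability:.2f}  {s.name}")
    print("vulnerability order == risk order:",
          vulnerability_rank_matches_risk_rank(SCENARIOS))
```

Run as-is, the lab box ranks first by vulnerability and last by risk; the billing API, with the lowest vulnerability score, carries by far the largest expected annual loss because of its threat event frequency and loss magnitude.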

Vulnerability is not Risk.  Inconceivable!

Thanks for a Great 2011

The end of the year is always a crazy time at FireMon and likely most companies.  We are busy wrapping up end of year business while making plans for next year.  Even with all the activity, I can’t help looking back at the year that was.  And what a year it was!

It seems like many years have passed since February when we changed our name from Secure Passage to FireMon.  Since then we acquired a powerful Risk Analysis technology, doubled the number of employees, opened offices in London, France, Germany and soon Australia, and released Risk Analyzer.  And once again we have set a new company record for annual sales.  It has been a great year!

Thank you to all our customers and to all the great people at FireMon that make it happen.  It is great to work with such talented and quality people.  I look forward to seeing everyone next year!

Happy New Year!  2012 is going to be fantastic!

Firewall Wars 2.0

Johnnie Konstantas over on Security Week has the first of what looks like a series of articles posted on what she calls Firewall Wars 2.0.  Johnnie recounts that back in the day, the big fight was between stateful inspection firewalls and proxy-based firewalls.  I remember those days well and agree there is a parallel to those days.  However, I don’t think that this time only one has to win.

Konstantas now suggests we are in a new era of firewall wars and I tend to agree.  The “Next Generation” firewalls promoted by Palo Alto Networks and followed by many of the traditional firewall vendors have begun to shake up the market.  I don’t agree with Konstantas’s assessment of what constitutes a “Next Gen” firewall, however.  She seems to lump them into the UTM category, which I think understates both the UTM and the NG firewall capabilities.  The genius of the Next Gen firewall (in my opinion, of course) is that it took much of the capability of an IDP to recognize and categorize layer 7 traffic and managed it in a “positive security model”.  Unlike IDPs that block traffic identified as bad, the NG firewall identifies and only allows traffic deemed acceptable.  Slight shift in technology application, gigantic shift in behavior.  And while it is a great advancement for certain situations, I don’t think it immediately makes stateful inspection firewalls obsolete.
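The behavioral difference between the two models is easy to see in code. The following is an added example (not code from Palo Alto Networks, FireMon, or any vendor named above): a negative, IDP-style policy denies flows whose identified application matches a known-bad list and lets everything else through, while a positive policy allows only the (user, application) pairs the business has approved. The application names, user groups and flows are constructed; the interesting case is an application neither list has heard of.

```python
"""Negative (IDP-style) vs positive (NG-firewall-style) security model.

Added illustration; not vendor code. A negative model blocks what matches
known-bad signatures and defaults to allow. A positive model permits only
what is explicitly acceptable and defaults to deny. Names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str       # user group the session belongs to
    app: str        # application as identified by layer-7 inspection
    dst_port: int   # note: several apps below share port 443


# Constructed: signatures a negative-model device knows how to block.
KNOWN_BAD_APPS = {"bittorrent", "tor"}

# Constructed: what the business has decided is acceptable, per user group.
ALLOWED = {
    ("finance", "ssl"),
    ("finance", "salesforce"),
    ("engineering", "ssh"),
    ("engineering", "ssl"),
}


def negative_model(flow: Flow) -> str:
    """Block what is known to be bad; allow everything else (default allow)."""
    return "deny" if flow.app in KNOWN_BAD_APPS else "allow"


def positive_model(flow: Flow) -> str:
    """Allow only what is explicitly acceptable; deny everything else."""
    return "allow" if (flow.user, flow.app) in ALLOWED else "deny"


def compare(flows):
    """Map each flow's app to its (negative_verdict, positive_verdict)."""
    return {f.app: (negative_model(f), positive_model(f)) for f in flows}


# Constructed traffic: an approved app, a known-bad app, a brand-new app the
# signature set has never seen, and a legitimate engineering SSH session.
SAMPLE_FLOWS = [
    Flow("finance", "salesforce", 443),
    Flow("finance", "bittorrent", 443),
    Flow("finance", "newcloudapp", 443),   # unknown to both lists
    Flow("engineering", "ssh", 22),
]

if __name__ == "__main__":
    for app, (neg, pos) in compare(SAMPLE_FLOWS).items():
        print(f"{app:<12} negative={neg:<5} positive={pos}")
```

The unknown application is the point of the exercise: a signature-driven device passes it because nothing matches, whereas the positive model denies it because nobody approved it. Both models agree on traffic that is explicitly bad or explicitly approved.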

What I liked best about Konstantas review of the topic was the recognition that not all products are created equal AND not all situations require the same solution.  Security needs and performance requirements should be key factors in making a decision.  Not all situations call for NG firewall capabilities or UTM functionality.  In fact, I would suggest, not all locations call for a dedicated firewall, in some locations a firewall feature set on a router may be a good fit.

As for the “war”, as budget cycles come around for firewall upgrades and migrations, consumers will have a lot more choice than they did just 3 years ago.  I suggest it not be considered a Betamax vs VHS battle…there is room for NG firewalls, stateful inspection firewalls and even proxies all deployed in the appropriate location in the battle of network security.

Regardless of which firewall technology an enterprise chooses to deploy (or if they deploy them all), they must be effectively managed.  The best firewall technology won’t fix a poor configuration.  A good management technology like FireMon Security Manager is the answer to make sure your firewall technology is effective.

The Power of Network APIs and Enterprise Risk Reduction

I was able to attend this year’s JavaOne conference, and had the privilege of hearing the keynote from David Ward of Juniper Networks. If you missed his presentation, you can see it here. One of the key points in his presentation was that the network and applications need to work together. As Lauren Cooney points out in her blog, “The divide between IT and Developer is getting smaller and smaller – you can now access the network through a series of APIs and an orchestration layer that make it easier to build and scale applications specific to your network. The two need to work together to be successful.”

At FireMon, we believe the opening of the network APIs is highly beneficial to those of us developing security applications for the enterprise network. We have ported our new Risk Analyzer product to run on Space, and leverage the Space SDK to provide the application real-time awareness of all the network devices and how data traverses the entire network topology. This enables Risk Analyzer to have the most complete, up-to-date and real-time picture of an enterprise’s network topology, enabling Risk Analyzer to create the most accurate graphical representation of your entire network. Risk Analyzer then combines the network information from Space with the results of enterprise vulnerability scanning and clearly highlights all of the paths attackers can take to penetrate your network, including client-side vulnerabilities, in a matter of seconds.

Space enables Risk Analyzer to factor in the full context of the network topology and network security controls to provide the most accurate risk analysis and remediation. Space enables FireMon to focus our development efforts on further enhancing Risk Analyzer’s patented analysis engines, knowing the Space SDK will always provide the necessary network information. FireMon is excited to be one of the first companies to partner with Juniper and leverage the Space SDK. We look forward to continued enhancement of the joint technology and many exciting developments to come in the next few months.

FireMon’s New VP of Business Development, Ward Holloway, Featured on Security.Exe Podcast

Ward Holloway, our new vice president of business development, was the guest speaker last week on the Security.Exe podcast, hosted by security blogger/podcaster Alan (ashimmy) Shimel. Ward is a veteran of the security industry having worked many years at Crossbeam Systems where he served as Director Global Partner Alliances. Prior to Crossbeam, Ward was with Check Point for eight years in key contributor roles including Named Accounts Senior Systems Engineer and International Technical Consultant.

Having just joined us at FireMon, Ward discussed why he came on board, what gets him excited about FireMon and what you can expect from FireMon in the short- and long-term.

Enjoy!

Firewalls in the Data Center…security or bottleneck?

In response to a recent post questioning why someone would want to run a firewall-less network, Lori MacVittie tweeted that performance might be one reason, with a link back to a recent article she wrote:  http://devcentral.f5.com/weblogs/macvittie/archive/2011/02/16/challenging-the-firewall-data-center-dogma.aspx

The Firewall in Front of the Data Center

In her article, MacVittie is not advocating doing away with firewalls, but she is questioning the dogma of a firewall in the data center, specifically firewalls protecting Web Services.  The basic premise is that firewalls can be a bottleneck, or worse a point of failure, due to performance issues or denial of service attacks.  I completely agree that this design should be questioned in this case.  That may seem odd coming from a firewall management vendor like FireMon, but firewalls are not the end-all of security and we don’t advocate ineffective use of the technology.

Public facing services, which are most susceptible to denial of service attacks, have a unique access requirement of allowing everyone.  When you have a service that is needed by everyone, access control is not really controlling much and does raise the question of why implement a firewall at all. However, this does not mean there is not a role for the firewall in this architecture.

The Firewall Inside the Data Center

In fact, it is now critical to ensure access is controlled from this public system to any other system on the network.  In the traditional sense of a DMZ, no access should be allowed from this public system to any other protected system to protect the network in the event of a breach.  Addressing this access control requirement results in implementing a firewall technology limiting communication between systems behind the web server.

I agree with MacVittie that just because it is how something has historically been done is not justification for continuing to do it that way.  But I also don’t see this as a reason to run a network without a firewall; just a discussion about where to implement them.  In all cases, regardless of where the firewall is implemented, the key to ensuring it is an effective security control is to effectively manage it.
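The DMZ property argued for above (everyone may reach the web tier, but a breached web server must not reach anything behind it) can be checked mechanically by walking the zone-to-zone rules. The block below is an added example, not Risk Analyzer code and not from MacVittie’s article; it is also the simplest form of the “paths attackers can take” idea in the Risk Analyzer post earlier on this page, without the vulnerability data. Zones, firewall names and rules are constructed. A reached zone is treated as a pivot point, which is exactly the “in the event of a breach” assumption the text makes.

```python
"""Zone reachability through a front and an inside firewall.

Added illustration (not FireMon or F5 code). Rules are constructed tuples of
(firewall, source_zone, destination_zone, permitted_services). Reaching a
zone is treated as being able to originate traffic from it (breach pivot).
"""
from collections import deque


def build_policy(inside_fw_permits_web_to_db: bool):
    """Constructed rule base. The flag models the 'inside' firewall either
    permitting the web tier to reach the database tier or blocking it."""
    web_to_db = {"mysql"} if inside_fw_permits_web_to_db else set()
    return [
        ("front-fw", "internet", "dmz-web", {"http", "https"}),
        ("inside-fw", "dmz-web", "internal-db", web_to_db),
        ("inside-fw", "internal-corp", "internal-db", {"mysql"}),
        ("inside-fw", "internal-corp", "dmz-web", {"ssh"}),
    ]


def reachable_zones(rules, start):
    """Breadth-first walk: a zone is reachable if some rule permits at least
    one service into it from a zone already reached. Returns {zone: path}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for _fw, rule_src, dst, services in rules:
            if rule_src == src and services and dst not in paths:
                paths[dst] = paths[src] + [dst]
                queue.append(dst)
    return paths


def attack_paths_from_internet(rules):
    """Paths an attacker could follow from the internet, excluding the start."""
    paths = reachable_zones(rules, "internet")
    return {zone: path for zone, path in paths.items() if zone != "internet"}


def violates_dmz_isolation(rules) -> bool:
    """True if any internal zone is reachable from the internet via the DMZ."""
    return any(z.startswith("internal-") for z in attack_paths_from_internet(rules))


if __name__ == "__main__":
    for label, permissive in (("strict inside firewall", False),
                              ("web tier allowed to reach db", True)):
        rules = build_policy(permissive)
        print(f"{label}: violation={violates_dmz_isolation(rules)}")
        for zone, path in attack_paths_from_internet(rules).items():
            print("   ", " -> ".join(path))
```

With the inside firewall blocking the web tier, the only path from the internet ends at dmz-web. Permit mysql from dmz-web to internal-db and the walk immediately reports internet -> dmz-web -> internal-db, which is the exposure a DMZ is meant to prevent; note that internal-corp still stays unreachable, because no rule permits traffic into it.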

FireMon Features versus the NCAA basketball tournament

I love March Madness; from the great basketball games to the bracket mania it inspires.  The competition is thrilling and the passion of the players is inspiring.  Each year, I fill out a bracket or two, but rarely succeed in picking the winner, let alone winning the office pool.  This year is no different, with my entire bracket completely decimated.  But, I am not alone this year.  According to ESPN, only 2 people out of nearly 5.9 million predicted the teams in the final four and over 70% didn’t pick even one of the teams (me included).

But, undeterred from my obvious lack of picking bracket winners, FireMon has published its own bracket challenge.  In the spirit of March Madness, we would like to hear from you which features you would like to advance each round in our FireMon Feature Challenge.  It is as simple as “liking” our page and then picking a winner in each of the three rounds.  One lucky participant will receive a $50 gift card.

Over the past 10 years at FireMon, we have created a number of industry firsts with very innovative solutions designed to help our customers better manage their security infrastructure.  From our very first feature of Graphical Change Comparison to more recent innovations such as Traffic Flow Analysis and Rule Recommendation, FireMon has delivered products to solve the very real and challenging issues of managing security.  We look forward to hearing which features you think deserve to win the FireMon Feature Challenge.

Have Fun!