Access Path Analysis
FireMon invented the ability to test a firewall and determine how it will behave.
With the new Access Path Analysis feature, its analysis of device behavior
well exceeds anything provided by the traditional firewall management vendors.
The Access Path Analysis feature can be accessed in two ways. One is from a risk
path, which is only available to customers who have licensed risk analysis. APA can
also be run as an interactive feature, which is available to all users of Security
Manager.
Just like the risk feature, Access Path Analysis analyzes the device through
source interface, source route, security policy, NAT policy, destination route,
and destination interface. The results include whether the packet reached the
destination and how the firewall behaved at each step.
APA Input
An interactive access path analysis can be defined by entering the values manually
or by choosing a location on the network map.
APA Results
The result of any path analysis is a detailed breakdown of how the traffic passed
through each device.
Attack Path Identification
How do Packets Traverse Your Network?
Risk = Vulnerability PLUS ACCESS
Security Manager's patented Risk Analysis Engine can show you not only WHICH vulnerabilities
are attackable on your system but HOW an attacker could reach them to exploit them. Using
Access Path Analysis logic, Security Manager breaks the attack into its component
hops and shows you the detailed rules, NATs, routes, and interfaces that permit
the access. Make an informed choice about whether to patch the host or block access
altogether.
Audit Log
The History of Firewall Management
A Snapshot of Your Recent Changes
More than 10 years ago, FireMon introduced the concept of firewall management via
change tracking. A lot has changed since then, but the ability to quickly see what
changed and when remains critical. Security Manager's Audit Log compares current
and previous configurations to summarize the activity on your selected Device or
Group. Use this convenient view to review recent changes, narrow your options when
debugging outages, find unauthorized or out-of-window changes, track change frequency
across one or more devices, or summarize the workload of your engineers.
Real-time retrievals let you analyze your CURRENT security posture
Retrievals are initiated in real-time (through detection of syslog change notifications),
on a periodic basis (using device-specific schedules), and/or manually (selected
by Security Manager users). Security Manager always has the most up-to-date configurations,
so all analyses – from Risk posture to Rule Recommendations to Access Path Analysis
– are based on the current state of your network.
Change Notifications
When Security Manager detects configuration changes, it determines which device
has changed, who made the change, and exactly what changed. It then notifies users
with a detailed email containing smartphone-friendly text, as well as an optional
attached HTML or PDF report.
Change Reporting
Automatic Change Detection
FireMon Security Manager monitors devices for configuration change in real time.
Once detected, changes are automatically retrieved and analyzed. Security Manager's
robust monitoring framework always displays the status of change detection and
retrieval, and provides failsafe monitoring in the event change detection is
unavailable.
Graphical Change Reports
Security Manager's innovative "overlay" change reports show the detailed changes
to security rules, network and service objects, and any other configuration
changes. At a glance, users can determine when a rule or object is inserted,
deleted, or modified. When a rule or object is modified, the overlay also shows
what has changed, without having to manually compare two side-by-side displays.
Customized Analysis
Your Data, Your Way
View Data via Email, Reports, or Web-based Dashboard
FireMon provides a number of ways to query the configurations and usage stored by
Security Manager.
You can build Audit Reports from one or more Audit Check templates. Once you have assembled
the report, you can run it on demand (outputting as HTML or PDF), or schedule the
report to run either on change or on a scheduled basis, with results sent to specified
users. These Audit Checks are also used by Policy Planner for
Pre-Change Compliance checking.
Beginning in 6.1, you can also use the Insight Portal to write custom queries. The
domain-specific language developed by FireMon understands network concepts, object
types, date ranges, and rule usage. Build ad-hoc queries, and output the results
as HTML, PDF, or CSV.
Or save the queries as a “Favorite Search” or add as a Custom Query widget, and run
them from your user-specific dashboard at any time.
Deep Network Risk Visibility
Remediate risk without having to patch.
When risk exists in the network (i.e. a path from a threat to a vulnerability) there
used to be only one alternative — patch. With FireMon 6.1, you have options.
With FireMon's new Access Path Analysis, you get a detailed picture of the network
behavior that permits the access path, with all the detail you need to make a change
and eliminate that risk.
With Security Manager 6.0, you could find the risk paths through the network. FireMon
Security Manager 6.1 introduces access path analysis allowing for deep inspection
of the path.
Access Path Analysis
Access Path Analysis identifies the risk path through the network, including the
interfaces, routes, security rules, and address translation rules that allow the
access path that introduces risk. It gives network security operators the
information necessary to reduce risk without impacting network operations.
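The evaluation order described above (and in the earlier Access Path Analysis section), as an added example that is not FireMon's code: a small single-device path trace that reports what the device did at each step and why a flow did or did not reach its destination. The Device model, the constructed routes, rules and NAT entries, the reverse-path lookup used to find the source interface, and the choice to match policy on the pre-NAT destination are all the author's assumptions; real vendors differ on the policy-versus-NAT ordering.

```python
"""Single-device access path trace (added example, not FireMon's code).

Walks one flow through the evaluation order the page gives for Access Path
Analysis: source interface, source route, security policy, NAT policy,
destination route, destination interface, and records what the device did
at each step. The Device model, the constructed configuration and the
choice to match policy on the pre-NAT destination are the author's
assumptions; vendors differ on policy-vs-NAT ordering.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    name: str
    routes: List[Tuple[str, str]]            # (prefix, interface); longest prefix wins
    policy: List[Dict[str, str]]             # first match; keys name, src, dst, svc, action
    nat: Dict[str, str] = field(default_factory=dict)  # static destination NAT: original -> translated


def longest_match(device: Device, addr: str) -> Optional[str]:
    """Route lookup: interface of the most specific prefix containing addr."""
    ip = ip_address(addr)
    best: Optional[Tuple] = None
    for prefix, iface in device.routes:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rule_matches(rule: Dict[str, str], src: str, dst: str, svc: str) -> bool:
    def in_field(value: str, spec: str) -> bool:
        return spec == "any" or ip_address(value) in ip_network(spec)
    return (in_field(src, rule["src"]) and in_field(dst, rule["dst"])
            and rule["svc"] in ("any", svc))


def trace(device: Device, src: str, dst: str, svc: str) -> Tuple[bool, List[str]]:
    """Return (destination reached?, one log line per evaluation step)."""
    log: List[str] = []
    # Source route / source interface: the packet is taken to arrive on the
    # interface the device would use to reach the source (reverse-path view).
    in_if = longest_match(device, src)
    if in_if is None:
        log.append(f"source route: no route to {src}; unroutable source, dropped")
        return False, log
    log.append(f"source interface: {in_if}")
    # Security policy: the first matching rule decides.
    rule = next((r for r in device.policy if rule_matches(r, src, dst, svc)), None)
    if rule is None:
        log.append("policy: no rule matched; implicit deny")
        return False, log
    log.append(f"policy: matched '{rule['name']}' -> {rule['action']}")
    if rule["action"] != "accept":
        return False, log
    # NAT policy: static destination translation, if any.
    xlated = device.nat.get(dst, dst)
    log.append(f"nat: {dst} -> {xlated}" if xlated != dst else "nat: no translation")
    # Destination route / destination interface, on the translated address.
    out_if = longest_match(device, xlated)
    if out_if is None:
        log.append(f"destination route: no route to {xlated}; dropped")
        return False, log
    log.append(f"destination interface: {out_if}")
    return True, log


# Constructed edge firewall: no default route, so unroutable cases show up.
DEVICE = Device(
    name="edge-fw",
    routes=[("10.0.0.0/8", "inside"), ("192.168.100.0/24", "dmz"),
            ("198.51.100.0/24", "outside"), ("203.0.113.0/24", "outside")],
    policy=[
        {"name": "internet-to-web", "src": "any", "dst": "203.0.113.10/32",
         "svc": "tcp/443", "action": "accept"},
        {"name": "inside-out", "src": "10.0.0.0/8", "dst": "any",
         "svc": "any", "action": "accept"},
        {"name": "deny-all", "src": "any", "dst": "any", "svc": "any", "action": "drop"},
    ],
    nat={"203.0.113.10": "192.168.100.10"},
)

if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", "tcp/443"),
                 ("198.51.100.7", "203.0.113.10", "tcp/22"),
                 ("10.1.2.3", "8.8.8.8", "udp/53")]:
        reached, steps = trace(DEVICE, *flow)
        print(flow, "reached" if reached else "blocked")
        for step in steps:
            print("   ", step)
```

The third constructed flow is the case worth noticing: the policy accepts it, yet it never arrives because there is no destination route, which is exactly the kind of non-policy failure a per-step trace surfaces and a rule-only review misses.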
Expired Rules Tracking
Show Rules Ready for Remediation
Don't Let Expired Rules Extend Unnecessary Access
How many times have you enabled a rule for a guest, meeting, or some other limited-time
access? Do you have a process in place to find and remove those rules when no longer
required? With Security Manager, simply set the expiration date for the rule and
use our Expired Rules report to find and disable the rule. Access still required?
Just reset the expiration date.
Firewall Complexity Scoring
Going beyond Rule Count
A Better Measure
Consider this simple rule:
Its source is the "Marketing_networks" object and its service is the "HTTP_80_443_8080"
object. If "Marketing_networks" contains 1 network and "HTTP_80_443_8080" contains
3 services, then the rule represents 3 matching patterns, or logical rules.
If, however, "Marketing_networks" contains 5 networks, then this same rule
suddenly represents 15 logical rules.
With nested objects and additional fields (Destination, User, Application, etc), the logical complexity
of your device can grow very quickly. Devices with hundreds of physical rules can
easily contain tens of thousands of logical rules. Security Manager expands all
objects, computes the number of logical rules, and assigns the device a complexity
score. Security Manager displays the scores for your most complex devices, as well
as the 10 worst-offending rules on each device.
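The expansion just described, as an added example that is not FireMon's code or its scoring formula: it flattens nested objects into leaves, multiplies the expanded size of each rule field, and reports the device total plus the worst-offending rules. The object table, the rule layout, the convention that "any" counts as one leaf, and the worst-N report are assumptions made for illustration.

```python
"""Logical-rule expansion and complexity scoring (added example; not
FireMon's code or its scoring formula). The object table, the rule layout,
the 'any' == 1 convention and the worst-N report are assumptions."""
from functools import reduce
from operator import mul
from typing import Dict, List, Set, Tuple

# Constructed object table: a name maps to its members. A member that is
# not itself a key is a leaf (a single network, host or service).
OBJECTS: Dict[str, List[str]] = {
    "Marketing_networks": ["10.10.1.0/24"],
    "Marketing_networks_5": ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24",
                             "10.10.4.0/24", "10.10.5.0/24"],
    "HTTP_80_443_8080": ["tcp/80", "tcp/443", "tcp/8080"],
    "Web_servers": ["172.16.0.10", "172.16.0.11"],
    "Datacenter": ["Web_servers", "10.20.0.0/16"],  # nested group
}

FIELDS = ("source", "destination", "service")


def expand(name: str, objects: Dict[str, List[str]], _seen=frozenset()) -> Set[str]:
    """Flatten a (possibly nested) object into its leaf members.

    'any', or any name not in the table, is a single leaf. A group that
    directly or indirectly contains itself is cut at the repeat."""
    if name in _seen:
        return set()
    if name not in objects:
        return {name}
    leaves: Set[str] = set()
    for member in objects[name]:
        leaves |= expand(member, objects, _seen | {name})
    return leaves


def field_size(members: List[str], objects: Dict[str, List[str]]) -> int:
    """Distinct leaves across every object listed in one rule field."""
    leaves: Set[str] = set()
    for member in members:
        leaves |= expand(member, objects)
    return len(leaves)


def logical_rules(rule: Dict, objects: Dict[str, List[str]]) -> int:
    """Matching patterns one physical rule represents: the product of the
    expanded size of each field (1 source x 3 services = 3; 5 x 3 = 15)."""
    return reduce(mul, (field_size(rule[f], objects) for f in FIELDS), 1)


def complexity_score(policy: List[Dict], objects: Dict[str, List[str]],
                     worst: int = 10) -> Tuple[int, List[Tuple[str, int]]]:
    """Device score = total logical rules, plus the N worst-offending rules."""
    per_rule = [(r["name"], logical_rules(r, objects)) for r in policy]
    total = sum(n for _, n in per_rule)
    return total, sorted(per_rule, key=lambda item: item[1], reverse=True)[:worst]


# Constructed policy: three physical rules.
POLICY = [
    {"name": "mkt-web-1", "source": ["Marketing_networks"],
     "destination": ["any"], "service": ["HTTP_80_443_8080"]},
    {"name": "mkt-web-5", "source": ["Marketing_networks_5"],
     "destination": ["any"], "service": ["HTTP_80_443_8080"]},
    {"name": "dc-to-web", "source": ["Datacenter"],
     "destination": ["Web_servers"], "service": ["any"]},
]

if __name__ == "__main__":
    total, worst = complexity_score(POLICY, OBJECTS)
    print(f"device complexity: {total} logical rules from {len(POLICY)} physical rules")
    for name, count in worst:
        print(f"  {name}: {count}")
```

Because the count is a product, one large group in a single field multiplies every other field: the nested "Datacenter" group (3 leaves) against 2 web servers is only 6 patterns, but the same group against a 3-service object and an "any" destination would be 9, and adding a User or Application field multiplies again.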
Firewall Policy Optimization
Rule and Object Usage
If the security policies, rules, objects and configurations of your firewalls, routers,
and switches are not managed at all times, they will become too complex, create
security gaps, and degrade performance.
Architected to meet the requirements of any organization, FireMon Security Manager's
granular rule and object analysis ensures that the right access over the right
protocol is in place to support business functionality. Security Manager's Rule
Usage Report automatically identifies how rules and objects are being used so you
can easily determine what changes need to be made to reduce policy complexity.
Unused Rule Analysis
Policy cleanup activities typically center on removing access that is no longer
necessary. One data point that administrators can use to gauge the necessity of
a rule is to analyze who, when, and how frequently that access is in use.
The most glaring example of unnecessary access is an entire security rule that
is no longer in use. Security Manager pinpoints these rules by monitoring traffic
logs from firewalls, allowing administrators to track security rules individually
over long periods of time and determine whether they are in use.
Unused Object Analysis
Firewall vendors handle network and service objects differently. Some provide a
robust editor for placing many objects in a rule and others rely on group objects
to represent a single identity. Some vendors require that objects have a saved definition
before being placed in a rule while others allow standard network and service definition
directly in the rule. Regardless of the management approach, network and service
objects often become unnecessary inside of rules as well as unnecessary in the
security policy.
Objects inside security rules that have become unused allow those rules to pass
more traffic than is required. Security Manager's Rule Usage Analysis Report shows
the hit count of security rules and of the objects inside the rules. Additionally,
it has a dedicated section for "Rules with Unused Objects," giving administrators
the data necessary to reduce the scope of rules that are in use.
More globally, sometimes objects are not hit inside any rule or policy on the firewall.
In that case, Security Manager's global Object Usage Report details the usage of
network and service objects regardless of their position in a policy.
For even more granular analysis of the data flowing through a rule, see the Traffic
Flow Analysis section.
Rule Reordering and Optimization
Firewall performance is an ongoing issue for most organizations. Knowing the utilization
of your rules is one of the critical components of optimizing firewall performance,
and it gives administrators the ability to reorder them so that highly utilized
access is placed as high in the rule set as possible. A move is only safe when the
rule being moved does not overlap an intervening rule with a different action;
otherwise the reorder changes what the policy permits, not just how fast it matches.
Using Security Manager's Rule Usage Analysis Report, the most utilized rules
are shown at the top of the report, giving administrators the information needed
to move rules.
Additionally, Security Manager's analysis engine is able to analyze rule order and
alert users when highly utilized rules have dropped too low in the rule set.
HA Consistency
Compare Configurations for Differences
It's Not HA if the Configurations Don't Match
Are your firewall pairs out of sync? You must ensure that they are configured the
same so that in the event of a fail-over, the Standby device can enforce the same
working policy that was being used by the primary device. Schedule Security Manager's
HA Consistency report to run periodically and compare the configurations of 2 or
more devices. The formatted output displays differences in the rule configurations,
routes, and interfaces – visually identifying lines missing in one or the other,
as well as lines which are similar, but not identical.
Hidden Rule Identification
Remove Rules that Make your Policies Inefficient
Duplicate Rules
Continuing to manage rules which will never be used contributes to bloated, out-of-date,
and inefficient Policies. Finding duplicate rules should be simple, but large policies
and complex objects make the task anything but. Security Manager's Hidden Rules
report does the hard work for you, combing through the selected configurations,
expanding even the most complex objects, and identifying rules which are completely
masked by others higher in the policy. We show you the results side-by-side, and
recommend which one could be removed with no change to user access.
The Corollary – Shadowed Rules
Shadowed rules have similar configurations but opposite Actions (one Accept, one
Drop). As with Hidden rules, the second rule will never be matched and contributes
to the overall inefficiency of the policy. If you are starting with a clean policy,
this report can be used for troubleshooting access issues; if not, it's a good place
to start your cleanup and optimization project.
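The hidden and shadowed rule check described in this section, as an added Python example that is not FireMon's code: with first-match semantics, a later rule is masked when every combination of its source network, destination network and service is already matched by some earlier rule. Following the page's terms, the example reports it as hidden when the masking rules share its action (removable with no change to access) and as shadowed when a masking rule has the opposite action (it never fires, so the access it describes is not what the firewall actually does). The Rule layout, the service notation and the sample policy are assumptions; coverage is tested at object granularity, so a /24 that two earlier rules cover half each is not recognised as masked.

```python
"""Hidden and shadowed rule detection (added example, not FireMon's code).

Rules are first-match. A later rule is masked when every (source, destination,
service) atom it contains is already matched by an earlier rule. Page terms:
hidden = masked with the same action; shadowed = masked with the opposite
action. Rule layout, service notation and the policy are assumptions; IPv4
only, and coverage is checked per object, not per address.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterator, List, Tuple

Service = Tuple[str, int, int]  # (protocol, low port, high port)


def parse_service(text: str) -> Service:
    """'tcp/80', 'tcp/1024-65535' or 'any'."""
    if text == "any":
        return ("any", 0, 65535)
    proto, ports = text.split("/")
    lo, _, hi = ports.partition("-")
    return (proto, int(lo), int(hi or lo))


@dataclass
class Rule:
    name: str
    src: List[str]      # networks, hosts or 'any'
    dst: List[str]
    svc: List[str]
    action: str         # 'accept' or 'drop'


def _nets(items: List[str]):
    return [ip_network("0.0.0.0/0" if i == "any" else i) for i in items]


def _svc_covers(outer: Service, inner: Service) -> bool:
    return outer[0] in ("any", inner[0]) and outer[1] <= inner[1] and inner[2] <= outer[2]


def _atoms(rule: Rule) -> Iterator[Tuple]:
    """Every (src network, dst network, service) combination the rule matches."""
    for s in _nets(rule.src):
        for d in _nets(rule.dst):
            for v in map(parse_service, rule.svc):
                yield s, d, v


def _covers(earlier: Rule, src, dst, svc: Service) -> bool:
    return (any(src.subnet_of(n) for n in _nets(earlier.src))
            and any(dst.subnet_of(n) for n in _nets(earlier.dst))
            and any(_svc_covers(parse_service(v), svc) for v in earlier.svc))


def classify(policy: List[Rule]) -> List[Tuple[str, str, List[str]]]:
    """Return (rule, 'hidden'|'shadowed', masking rules) for every masked rule."""
    findings = []
    for idx, rule in enumerate(policy):
        earlier = policy[:idx]
        maskers: List[Rule] = []
        for src, dst, svc in _atoms(rule):
            first = next((e for e in earlier if _covers(e, src, dst, svc)), None)
            if first is None:        # some traffic still reaches this rule
                break
            maskers.append(first)
        else:
            if maskers:              # every atom was taken by an earlier rule
                kind = "hidden" if all(m.action == rule.action for m in maskers) else "shadowed"
                findings.append((rule.name, kind, sorted({m.name for m in maskers})))
    return findings


# Constructed policy, top to bottom.
POLICY = [
    Rule("allow-web", ["10.0.0.0/8"], ["172.16.0.0/16"], ["tcp/80", "tcp/443"], "accept"),
    Rule("deny-mgmt", ["any"], ["172.16.5.0/24"], ["tcp/22"], "drop"),
    Rule("allow-marketing-web", ["10.10.1.0/24"], ["172.16.0.10/32"], ["tcp/80"], "accept"),
    Rule("allow-ssh-bastion", ["10.10.1.5/32"], ["172.16.5.10/32"], ["tcp/22"], "accept"),
    Rule("allow-dns", ["10.0.0.0/8"], ["172.16.0.53/32"], ["udp/53"], "accept"),
    Rule("allow-web-8080", ["10.10.1.0/24"], ["172.16.0.10/32"], ["tcp/80", "tcp/8080"], "accept"),
]

if __name__ == "__main__":
    for name, kind, by in classify(POLICY):
        print(f"{name}: {kind} by {', '.join(by)}")
```

"allow-web-8080" is the instructive near miss: its tcp/80 atom is taken by "allow-web", but tcp/8080 still reaches it, so it is partially masked and correctly left alone; the cleanup candidate there is the redundant tcp/80 object, not the rule.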
Insight
Configuration Intelligence for Network Security
Understand low level network security configurations in real-time.
The configurations of our network security devices are the critical definitions
that keep the wrong people out and let the right people in. But with thousands of
devices working in concert, all of which have very cryptic, proprietary configurations,
it is difficult to make sense of it all. That's where FireMon Insight fits in: a
real-time dashboard of all your security configurations.
Support Across Devices.
Getting a picture of network security configurations is difficult. Configurations
are locked up in proprietary, vendor-specific data formats stored in many
different management silos. Insight consumes the configurations of all
major firewall vendors and presents data across all of them in a single dashboard.
Intelligence from Configs.
The complexity and speed of growth of security device configurations is overwhelming
even for the most senior security engineer. Yet out-of-the-box reports and once-a-year
auditor findings don't meet the needs of the enterprise network. There is a
critical need to transform configuration data into a usable form that can be quickly
digested and acted upon.
Fast.
Quickly get the results of your queries even across hundreds of thousands of rules
and millions of objects. Turn those queries into meaningful, automatically generated
security metrics in a matter of seconds.
Multi-tenant Permissions
Designed with Permissions in Mind
Complex Environments Require Complex Controls
All Security Manager features were designed with multi-tenant permissions at their
core. From the basic navigation, to maps, notifications, and reports in Security
Manager, Policy Planner's Rule Planner and Compliance Checks, and even the Insight
Dashboards and underlying queries – FireMon protects the network segregation required
by today's Managed Services providers. Even complex enterprises will find benefits
in the ability to restrict access to devices in a given Group to a specific set
of users, administrators, or auditors.
PCI Analysis
Security Manager will enable you to assess your firewalls against the firewall-specific
requirements of the Payment Card Industry (PCI) Data Security Standard (DSS). It
provides a full report outlining the measurement of your firewall policy and the
security rules contained in the policy with relation to DSS requirements for zone-based
service definition.
Pre-change Compliance
Catch Threats before they are Implemented
Make Risk Mitigation and Compliance Part of your Plan
FireMon's change management tool, Policy Planner, can be configured to show compliance
check violations that would occur BEFORE the change is made. Pre-change compliance
checks are selected by Device Group: if a device is part of more than one Group,
Policy Planner will execute the superset of checks required by all of its groups.
Administrators can quickly and easily manage the checks – for example, apply corporate
policy checks to All Devices and PCI checks only to DMZ Devices – and still ensure
that each device is checked against all appropriate policies.
Policy Planner will also show you the change in risk score associated with the planned
change, to ensure that they will not introduce more than an acceptable amount of
risk to your network (requires both Policy Planner and Risk Analysis Module licenses).
Risk Measurement
Simulated Patch Application
Re-analyze Risk to Compare Recommendations
Once an attack scenario has been generated and Security Manager displays the weighted
list of recommended patches, you can apply those patches to the scenario. Security
Manager's patented Risk Analysis Engine removes the “patched” vulnerabilities and
re-runs the assessment in real time to validate and quantify how the change(s) would
affect your risk posture. The results are displayed as a timeline on the Risk Control.
The Risk Control provides a visual representation of the risk in that scenario.
As you generate simulated patch application timelines, you can see the scores
improve, and you can use the timeline points to go back to an earlier patch point
and try different recommendations.
Risk Recommendations
All Patches are not Created Equal
Use targeted patching to work smarter, not harder.
Given an attack scenario, Security Manager's Risk Analysis Engine uses the attack
vectors found for a particular attack source and analyzes them for available patches.
These are weighted by the number of patches, as well as the count and asset values
of the hosts that can be protected. The list of Recommendations you see is prioritized
with those that provide the greatest overall risk reduction listed first.
Security Manager displays the details for each patch recommendation. Review the details
of the hosts, ports, vulnerabilities, and specific CVEs addressed by each recommendation.
Risk Scoring
How much Risk does your Current Configuration Allow?
Going Beyond the Vulnerability Count
Security Manager uses a combination of 3 factors to calculate the Risk Score for
a given attack:
- Value of compromised assets – upload Asset Values via CSV, and/or let Security
Manager assign a default value
- Compromise type – based on the CVE data, root-level compromises are given more
weight than, say, DoS vulnerabilities
- Attack depth – for attacks from a given source, vulnerabilities that are within
one or two hops are given more weight than those farther away.
The final score is expressed as a weighted percentage of attackable hosts vs. all possible
hosts. Higher scores indicate more risk for that source.
Security Manager also provides 2 helpful summary reports: the Attack Report displays
a printable list of all patches that are part of each recommendation for a given
scenario/patch point, and the Assets at Risk Report shows a printable list of all
subnets and hosts, ranked by number of vulnerabilities accessible from a given attack
scenario.
Rule Documentation
Store Additional Data about Rules and Changes
Stop Tracking Details in Email and Spreadsheets
In addition to the configuration itself, Security Manager also provides a central
location to store documentation associated with each rule (like Owner, Create Date,
and Expiration Date) and for each change (including Change Control Number, Change
Date, Change Justification, and Requestor). Documentation is displayed in-line
with rules in Security Manager, or fields can be queried to find rules owned by
a particular business unit, rules created from a given change request,
rules that have expired, and the like.
Security Topology
Visualize your Network
Up-to-the-Minute Picture of your Network
Using detailed knowledge of the device configurations, Security Manager builds and
displays topological maps of even the most complex network configurations. The
map is based on the most recent configurations retrieved from the device, unmanaged
devices inferred from managed routes, and manually-added devices.
Each Device Group generates a separate map, and permissions can limit access to a single
customer segment if desired.
Use the map view to navigate between security devices, to drill down into the
device-specific view, or to trace traffic between two points.
Traffic Flow Analysis
Reducing the scope of security rules is a common task in most enterprise networks
today. Whether two networks are being merged quickly and the firewall cannot interrupt
business operations, or compliance dictates strict accounting of access, rules can
often be reduced in scope or divided into more manageable rules once the traffic
that uses them is better understood.
Security Manager's innovative Traffic Flow Analysis Report allows administrators
to focus in on the traffic flowing through a security rule. Using a patent-pending
algorithm it combines common access requests and presents detailed, yet actionable
traffic flows (source, destination, and service) that are in use. This allows for
either refinement of the access in new rules or the removal of unnecessary objects.
One of the most common compliance goals for enterprises today is to understand when
the Any object is appropriate in rules that permit traffic. Using Traffic Flow Analysis,
users can either justify that the access is broad enough to use Any or reduce the
rule definition to remove Any.