If you’re reading this blog, you’re likely interested in learning more about FireMon Policy Analyzer or have just run your first assessment and are curious how to get the most out of your results. Either way, we’re excited you’re here! As a reminder for those who aren’t familiar with Policy Analyzer, it’s a complimentary firewall security policy assessment solution that tests your firewall configuration and rulebase against FireMon’s best practices to reduce policy-related risk. Within minutes, Policy Analyzer shares a diagnostic report outlining the security posture of a single firewall in your environment, complete with key areas of interest and remediation recommendations. We encourage you to try it for yourself!

So now you’ve run your first report but are curious where to begin. The dashboard provides a visual representation of the overall policy health within that particular firewall. The top of the report gives you a high-level view of the health of your firewall. It starts with the total number of identified warnings, a Security Concern Index (SCI) score, and a device complexity score, and then displays six key results:
- Overly permissive warnings
- Risky access warnings
- Clean up warnings
- Policy quality warnings
- Vendor hardening warnings
- Remote access warnings
Each of the six key results is discussed in more detail in tiles throughout the dashboard, and you can download reports with remediation recommendations based on this information (right side of the screen). See below for a description of these ‘key results’ in detail. When analyzing the report, we believe the simpler the better. Green represents a low-severity warning, yellow a moderate-severity warning, and red a high-severity warning. These colors are used throughout your report, so you quickly know where to focus your attention.

Our current customers use the Security Concern Index (SCI) to track improvement over time. If you want to see how this works, upload your firewall config again after you have made some of the recommended changes, and see how your score improves. SCI is calculated as the sum of the severity values of all unique controls that failed, divided by the sum of the severity values of all unique controls that were evaluated (passed or failed), multiplied by 10 and rounded to two decimal places.

Policy Complexity is also a helpful indicator of potential risk. Every new component — such as a group member, host, network, or service — adds to the device complexity. The higher the device complexity, the greater the risk of a configuration error.

You can also download a report that details the top results that failed each test and recommends how to fix them. These reports are similar to the reports provided in our enterprise product, Security Manager, and are configured to show a summary, failures by severity, and up to 3 results per policy. (Results can get very lengthy on some firewalls!)
Top Overly Permissive Warnings:
- Best practices limit use of “Any with Accept.” Overly permissive rules include several specific tests for rules with combinations of “Any” and “Accept”, as well as other tests for TCP with high ports or too broad of a network address.
Top Rules With Risky Access:
- Best practices limit the use of clear text and other high-risk protocols.
Top Policy Clean Up Categories:
- Redundant, shadowed, and disabled rules, or overly complex rules, add risk to your security posture. In some cases, you may have a good reason for disabled rules; however, they should not be left in place without purpose. The numbers in this tile represent the sum of rules that fail the test in each category.
Top Policy Quality Issues:
- Best practices require that rules have logging enabled, identify owners and document justification, and that a stealth rule is present to prevent communication to the firewall from unauthorized hosts. The numbers in this tile indicate the sum of the rules that fail the test in each category.
Vendor Hardening Issues:
- Many best practices are specific to the firewall vendor’s configuration, for example “failed attempts before lock out”, and others.
Rules With Remote Access:
- Network protocols that allow remote access should be limited to specific servers and in some cases eliminated altogether, depending on your company policy.
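To make the scoring and the tile categories above concrete, here is an added Python illustration. It is not FireMon’s code, and the control set, severity weights (10 high, 5 moderate, 2 or 1 low), protocol lists, and sample rulebase are all constructed assumptions for the example; the only thing taken from the post is the SCI formula (failed severity sum over evaluated severity sum, times 10, rounded to two decimals) and the idea that each tile counts the rules failing the tests in its category. The complexity measure is a deliberate simplification of “every object adds complexity”.

```python
"""Toy rulebase assessment illustrating the post's categories and SCI formula.
Constructed example: not FireMon's code, controls, weights or data."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str            # "accept" or "drop"
    enabled: bool = True
    log: bool = True
    owner: str = ""
    justification: str = ""


@dataclass
class Control:
    name: str
    category: str          # the dashboard tile this control feeds
    severity: int          # assumed weights: 10 high, 5 moderate, 1-2 low
    failing: Callable[[List[Rule]], List[str]]  # names of rules failing the test


# Assumed protocol sets; adjust to your own policy.
CLEARTEXT = {"telnet", "ftp", "http", "rsh"}
REMOTE_ACCESS = {"ssh", "rdp", "vnc", "telnet"}


def _active_accepts(rules: List[Rule]) -> List[Rule]:
    return [r for r in rules if r.enabled and r.action == "accept"]


CONTROLS = [
    Control("any_any_accept", "overly permissive", 10, lambda rs: [
        r.name for r in _active_accepts(rs)
        if r.src == "any" and r.dst == "any" and r.service == "any"]),
    Control("cleartext_protocol", "risky access", 5, lambda rs: [
        r.name for r in _active_accepts(rs) if r.service in CLEARTEXT]),
    Control("disabled_rule", "clean up", 1, lambda rs: [
        r.name for r in rs if not r.enabled]),
    Control("logging_disabled", "policy quality", 5, lambda rs: [
        r.name for r in _active_accepts(rs) if not r.log]),
    Control("missing_owner_or_justification", "policy quality", 2, lambda rs: [
        r.name for r in rs if r.enabled and not (r.owner and r.justification)]),
    # Rulebase-level test: a stealth rule must drop traffic aimed at the firewall itself.
    Control("stealth_rule_present", "policy quality", 5, lambda rs: [] if any(
        r.enabled and r.dst == "firewall" and r.action == "drop" for r in rs)
        else ["<rulebase>"]),
    Control("remote_access_to_any", "remote access", 5, lambda rs: [
        r.name for r in _active_accepts(rs)
        if r.service in REMOTE_ACCESS and r.dst == "any"]),
]


def assess(rules: List[Rule], controls=CONTROLS) -> Dict[str, List[str]]:
    """Evaluate every control once; a control fails if any rule fails it."""
    return {c.name: c.failing(rules) for c in controls}


def security_concern_index(results: Dict[str, List[str]], controls=CONTROLS) -> float:
    """SCI as the post defines it: severity sum of failed controls over the
    severity sum of all evaluated controls, times 10, rounded to 2 decimals."""
    failed = sum(c.severity for c in controls if results[c.name])
    total = sum(c.severity for c in controls)
    return round(10 * failed / total, 2) if total else 0.0


def warnings_by_category(results: Dict[str, List[str]], controls=CONTROLS) -> Dict[str, int]:
    """Tile counts: number of failing rules summed over the tests in each category."""
    counts: Dict[str, int] = {}
    for c in controls:
        counts[c.category] = counts.get(c.category, 0) + len(results[c.name])
    return counts


def device_complexity(rules: List[Rule]) -> int:
    """Simplified complexity: distinct network objects plus distinct services referenced."""
    objects = {r.src for r in rules} | {r.dst for r in rules}
    services = {r.service for r in rules}
    return len(objects) + len(services)


# Constructed sample rulebase (not real data).
SAMPLE_RULES = [
    Rule("r1-legacy-allow", "any", "any", "any", "accept", owner="netops", justification="legacy"),
    Rule("r2-web-http", "10.0.0.0/8", "dmz-web", "http", "accept", log=False),
    Rule("r3-admin-ssh", "admin-net", "any", "ssh", "accept", owner="secops", justification="jump host"),
    Rule("r4-old-partner", "old-partner", "db", "mysql", "accept", enabled=False),
    Rule("r5-stealth", "any", "firewall", "any", "drop", owner="secops", justification="stealth rule"),
    Rule("r6-mail", "corp-lan", "mail-relay", "smtps", "accept", owner="msg-team", justification="mail"),
]

if __name__ == "__main__":
    res = assess(SAMPLE_RULES)
    for name, failing in res.items():
        print(f"{name:32s} {'FAIL' if failing else 'pass'} {failing}")
    print("SCI:", security_concern_index(res))          # 8.48 for this sample
    print("Complexity:", device_complexity(SAMPLE_RULES))
    print("Tiles:", warnings_by_category(res))
```

Running it shows why re-uploading a config after remediation lowers the score: disabling the any/any/any rule alone removes the single heaviest failed control from the numerator while the denominator (every evaluated control) stays fixed, so the SCI drops from 8.48 to a little over 5.4 for this sample. Note that SCI counts each control once, however many rules fail it, whereas the tile numbers count failing rules; the two answer different questions (how many classes of problem vs. how much clean-up work).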
Now that you’ve tried Policy Analyzer and investigated a few reports, you’re likely curious how you can more completely understand your environment as a whole, not just one firewall. Upgrading to the full FireMon Security Manager solution will also provide a full overview of firewall usage data in addition to configuration data, industry standard compliance assessments and reporting (PCI, NERC-CIP, GDPR and others), traffic flow analysis (TFA) to plan remediation, and automating change use cases. We encourage you to use the “Talk to FireMon” button within the dashboard which will allow you to enter a comment on why you’re reaching out, and will connect you with someone at FireMon. You can also reach out to us here with any questions.