Firewall Policy Management Basics: Track & Record All Changes

Change is a fact of life. We can choose either to embrace or fight it. Regardless, change will happen. As John F. Kennedy stated, “Change is the law of life. And those who look only to the past or present are certain to miss the future.”

Why Track Changes?

In the security world, it’s paramount we review changes to our security posture regularly. Too often it is regulatory requirements driving company security initiatives rather than a more encompassing strategy. Regardless, whether it’s PCI, SOX, SAS 70, NERC/CIP or HIPAA, the requirements for monitoring change are very similar. Changes should be well documented and follow an approved process. A solid strategy used to approve, track, and record change is important to reduce common mistakes and compliance violations, and to prevent the introduction of unnecessary risk. There is no one “silver bullet” to completely prevent or catch errant changes, but technology solutions do exist that can greatly help keep undesirable changes from occurring. Exceptions sometimes occur when business drivers override a normal change procedure. When that occurs, it’s equally important to document these exceptions and track them.

Lastly, let’s not overlook one of the primary reasons for tracking and documenting change. Bad configuration changes are an all too common cause of service impacts and system outages. Having an automated way to detect and identify these harmful changes can significantly reduce the mean time to service restoration.

How can FireMon help?

FireMon provides an automated firewall policy management solution to address this challenge. For every change detected, the core solution captures the date/time, person who made the change, and what was modified.
Additional meta-data can also be captured to further augment each change instance. One of the key items a qualified security assessor (QSA) may look for is valid business justification for a change or the reason for allowed access. Why is the rule here to begin with? All this data can be displayed in a change report that can be produced on demand, scheduled, or generated automatically every time a change event is detected.

When populated, data fields are easily reportable and searchable using a simple query language (FMQL). In the example below, the query would return all rules whose business justification equals ‘Access to Finance’:

rule{properties().'Business Justification' = 'Access to Finance'}
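To make the change record described above concrete (date/time, who made the change, what was modified, plus the business justification a QSA asks about), here is an added example that is not FireMon code: it diffs two constructed policy snapshots, emits one change record per changed rule, flags changes that carry no justification, and performs the same justification lookup as the FMQL query above. The rule fields, the ChangeRecord layout and the sample snapshots are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Rule:                      # one firewall rule plus its business justification
    name: str
    src: str
    dst: str
    service: str
    action: str
    justification: str = ""
@dataclass
class ChangeRecord:              # when, who, and what was modified
    when: str
    who: str
    kind: str                    # "added", "removed" or "modified"
    rule_name: str
    before: Optional[Rule]
    after: Optional[Rule]

def diff_policy(old: List[Rule], new: List[Rule], who: str, when: str) -> List[ChangeRecord]:
    """Compare two snapshots of a policy and emit one record per changed rule."""
    old_by = {r.name: r for r in old}
    new_by = {r.name: r for r in new}
    records = []
    for name in sorted(set(old_by) | set(new_by)):
        before, after = old_by.get(name), new_by.get(name)
        if before == after:
            continue  # unchanged rule: nothing to report
        kind = "added" if before is None else "removed" if after is None else "modified"
        records.append(ChangeRecord(when, who, kind, name, before, after))
    return records

def missing_justification(records: List[ChangeRecord]) -> List[str]:
    """Rules added or modified without a business justification: flag for review."""
    return [r.rule_name for r in records if r.after and not r.after.justification]
def rules_by_justification(rules: List[Rule], justification: str) -> List[Rule]:
    """Same lookup as the FMQL query above, over the in-memory policy."""
    return [r for r in rules if r.justification == justification]

# Constructed sample snapshots (not real data): the second widens one rule and adds another.
OLD_POLICY = [
    Rule("allow-fin-db", "10.1.0.0/24", "10.9.0.5", "tcp/1433", "allow", "Access to Finance"),
    Rule("deny-all", "any", "any", "any", "deny", "Default deny"),
]
NEW_POLICY = [
    Rule("allow-fin-db", "10.1.0.0/16", "10.9.0.5", "tcp/1433", "allow", "Access to Finance"),
    Rule("temp-rdp", "any", "10.9.0.5", "tcp/3389", "allow"),  # justification never recorded
    Rule("deny-all", "any", "any", "any", "deny", "Default deny"),
]
```

Running diff_policy over the two snapshots yields a "modified" record for allow-fin-db (source widened from /24 to /16) and an "added" record for temp-rdp, and missing_justification singles out temp-rdp as the change that needs a documented reason.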

Returning to the quote from John F. Kennedy, FireMon offers a solution to embrace the future. There are simple, defined steps to help effectively manage and secure an environment. With limited visibility and without a full understanding of why a change occurs, it’s difficult, if not impossible, to be effective at managing change. An automated solution for monitoring change is a great first step toward more accurately recognizing when and why “change” is happening in your security environment.

As we’ve witnessed in recent events, there is no longer room for complacency around our security initiatives… the time for action is now!