Chris Hoff (@beaker) had a blog post up recently on his Rational Survivability blog, once again making the call for automating security (and compliance and audit as well) in both physical and virtual environments. This is a cause that Hoff has long championed and is certainly a worthy goal.
Chris believes that leveraging APIs is one of the ways we can help accomplish more automation. He pointed to an example of leveraging APIs in VMware that was written by Richard Park of Sourcefire and deals with automating via Perl and APIs, firewall functions in a VMware virtual environment to accomplish things such as:
- List the current firewall ruleset
- Add new rules
- Get a list of past firewall revisions
- Revert back to a previous ruleset revision
The idea of virtualized firewall ruleset management is of course something near and dear to us here at FireMon. We have thought long and hard about virtualization in general and virtualization of security in particular. Of course this is something that we think FireMon’s product suite will have deep capabilities around, especially as more network operations move to virtual environments.
Network management in the physical world has been sorely lacking in general and security device management even worse. Frankly, this is why FireMon has been so successful. The virtual world, as Hoff tweeted, does promise some relief in this area.
But fundamentally we believe that automation using API’s and such are only part of the answer. How do you script in context? Park’s post discusses the ability to programmatically create rules, which is cool, but the framework to automate change is much bigger than technically creating the rule. What rule to create? Who has permission? What defines the rule to create? What is the process to create it? Firewall administration tools have offered user friendly ways to create rules yet corporations routinely create the wrong rules, excessive access and then ultimately fail to manage them long term.
Perhaps when it comes to managing firewall automation and firewall management, just as in the physical world, in the virtual world the ability to automate in and of itself does not necessarily solve your issues.
Don’t get me wrong, some things are logical for automation … for example, if you are using VM’s to scale, each time you bring up a new VM for the same purpose as another VM, you may want to define the exact same policy, but for the new IP of the new VM. This makes sense, is very repeatable and is perhaps the only way to achieve the security and operational goal of virtualization.
But there is a lot that has to go into security management, both physical and virtual. Here at FireMon we spend a lot of time learning and thinking about it and we see an opportunity to address some of these challenges.