Firewall Policy Generation and Optimization

Effective access control in distributed networks

Network security remains one of the core mitigating controls in an overall cyber risk management strategy, and it is most effective when applied with granular network segmentation – where network firewalls (both physical and NFV devices) control a large proportion of the traffic in the target environment.

As network security progresses toward more granular segmentation, building actual network access policies manually becomes a nightmare, especially if network firewalls are inserted in the existing production data centers with thousands of live applications. You must have intimate knowledge about the application network needs, and the resulting access policies tend to be complex and huge and, therefore, difficult to provision and manage. The manual creation and maintenance of such policies is typically only feasible in small – or greenfield – environments.

The answer lies beyond log parsing and rule generation

NIL can help you address these challenges and deploy an approach that dynamically builds complex firewall policies. It achieves this through the capture of network metadata, and the semi-automatic generation of network access control policies. Our solution goes beyond simple log parsing and subsequent rule generation, as such a raw approach results in huge firewall rulesets, suboptimal and risky (open) rules, and the inclusion of unwanted, even harmful rules in the resulting policy.

Instead, we use the best of both worlds, combining software development and consulting experience to achieve:

  • scalability and fast deployment of the initial policy ruleset, through a software analysis package that processes network metadata (NetFlow or firewall/SIEM logs) to create a semi-optimized initial ruleset
  • rule optimality and the best compromise between minimal access and ruleset size, through extensive consultant involvement in tuning and delivering the final ruleset to in-scope devices.

A step-by-step method to the optimal ruleset

Using our firewall rule building engine, which can optimize ruleset size based on the customer environment network structure and service bundles, our engagement typically proceeds in the following phases:

  1. A deep analysis of your current risk, technology, and human environment in order to build a comprehensive customer requirements document (CRD).
  2. An expert investigation of your environment traffic patterns, especially their timing and frequency.
  3. A long period of traffic capture (depending on the environment, from one day to more than a month) that generates the network metadata dataset for analysis.
  4. A number of rule generation and optimization runs using our firewall rule building engine to build the initial firewall ruleset with the expert consultant fine-tuning the generation engine to achieve optimal results.
  5. The installation of the initial ruleset into your environment in passive, open verification mode.
  6. A verification period in which the ruleset is updated and further optimized.
  7. Transition of the firewall policy into production mode, with a default-deny stance.
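As an added illustration of phases 3 and 4, and of why raw log parsing produces oversized rulesets, the following script is not NIL's engine but a small Python sketch of the same idea: it takes constructed NetFlow-style records plus a hypothetical zone map and service bundles, and collapses host-level flows into zone-to-zone rules, tagging anything outside the known bundles or zones for consultant review instead of allowing it automatically.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample NetFlow-style records: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.1.0.11", "10.2.0.5", "tcp", 3306),
    ("10.1.0.12", "10.2.0.5", "tcp", 3306),
    ("10.1.0.13", "10.2.0.6", "tcp", 3306),
    ("10.3.0.21", "10.1.0.11", "tcp", 80),
    ("10.3.0.21", "10.1.0.12", "tcp", 443),
    ("10.3.0.22", "10.1.0.11", "tcp", 443),
    ("10.3.0.22", "10.1.0.12", "tcp", 80),
    ("10.3.0.22", "10.1.0.13", "tcp", 22),   # not part of any service bundle
    ("10.1.0.11", "10.2.0.5", "tcp", 3306),  # duplicate flow record
]
# Hypothetical network structure and service bundles (consultant-supplied input)
ZONES = {"web": ip_network("10.3.0.0/24"),
         "app": ip_network("10.1.0.0/24"),
         "db": ip_network("10.2.0.0/24")}
BUNDLES = {"http+https": {("tcp", 80), ("tcp", 443)}, "mysql": {("tcp", 3306)}}

def raw_rules(flows):
    """Naive log-to-rule approach: one ALLOW per distinct 4-tuple (host-specific, huge)."""
    return sorted(set(flows))

def zone_of(ip):
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return None

def optimized_rules(flows):
    """Collapse flows into zone->zone rules expressed as service bundles."""
    observed = defaultdict(set)
    for src, dst, proto, port in set(flows):
        sz, dz = zone_of(src), zone_of(dst)
        # Unknown zone: tag the endpoint for review rather than drop or widen it.
        observed[(sz or f"review:{src}", dz or f"review:{dst}")].add((proto, port))
    rules = []
    for (sz, dz), services in sorted(observed.items()):
        remaining = set(services)
        # A bundle is used only when every member service was actually observed,
        # so the generated rule never grants more than the traffic justifies.
        for name, members in sorted(BUNDLES.items(), key=lambda kv: -len(kv[1])):
            if members <= remaining:
                rules.append((sz, dz, name))
                remaining -= members
        for proto, port in sorted(remaining):
            rules.append((sz, dz, f"review:{proto}/{port}"))
    return rules
```

On the sample data the raw approach yields eight host-level rules, while the zone and bundle aggregation yields two allow rules plus one flagged item (tcp/22 from the web zone) for the consultant to decide on.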

Please consider that in order to minimize any service disruptions and to align with your change management procedures, this process is always customized to the specific requirements.

Simplified data center firewall policies for maximum security

Firewalls are notorious for suboptimal policy configuration – from stale, years-old rules that are no longer needed, to rules that allow wide access and represent a critical threat to the business. OCP Group wanted to eliminate these risks and asked NIL to help them improve the network access security of their data center.

Read the case study

Why NIL?

Our approach to deploying efficient access control in complex distributed networks has the following characteristics:

Minimum disruptions
The solution is highly customizable and always tailored to your change management requirements in order to have the minimum impact on ongoing business processes.

Built on experience and expertise
We have been creating and operating complex network firewall systems for more than 25 years. This experience and capacity allow us to deploy the solution even in the largest environments while avoiding the typical pitfalls.

Vendor independence
We are extremely flexible in terms of technology choice and integration options.