IPAM: the Foundation for Efficient Firewall Management

1 August 2017

Back in the old days, ensuring the security of your network was simple. All you had to worry about were the common ports: FTP, SMTP, HTTP and HTTPS. You’d keep the ports you were using open, block everything else, and filter the traffic on the allowed services.

However, in today’s complex, heterogeneous IT environment, security policies must now be extended across all platforms: physical/virtual and cloud. In particular, they need to be maintained for all the different multi-vendor firewalls your company uses.

Over the past couple of decades, the firewall itself has evolved from the port-based keeper of the network into a next generation firewall that is application aware. Filtering rules are defined in each firewall to control access to a company’s applications and services. These firewall security rules are deeply dependent on the IP addressing plan structure implemented, which can thus be viewed as a foundation for accurate, consistent and efficient firewall management.  

Misconfigurations, Conflicts and Security Breaches

Today’s network security may well leverage multiple firewalls, most likely from different vendors, spread across various locations and managed by different organizations/teams. In addition, company mergers and acquisitions may well have added to the huge complexity of filtering policies. Consequently, keeping the filtering rules up to date for all these firewalls has become both extremely time-consuming and very prone to misconfigurations.

In some cases, the rule base of a firewall becomes so complex and unmanageable that when implementing a new rule, the administrator does not realize it conflicts with an already existing one. This can effectively negate the new rule, because the firewall evaluates its rules on the principle of first match against network traffic: a new rule placed after a broader rule that already covers the same traffic will never be reached.

As proven each year, misconfigurations are also an important source of vulnerabilities that open the door to data breaches at corporations. It is fairly commonplace to see a firewall with hundreds of rules, many of which have become obsolete or no longer serve their original purpose. This fuels a neglectful mind-set regarding firewall security, as unused rules can potentially lead to malicious attacks. For example, imagine a port being opened to allow HTTPS traffic to flow between a device and a cloud application, but over time that device being abandoned. If the organization has not implemented an IP management solution to deprovision all related IP resources (addresses, DNS names, DHCP reservations) in a timely manner, a malicious attacker could discover the opening and use it to access confidential information. Businesses that ignore methodologies and tools to help strengthen network security therefore risk the drastic consequences of breaches.
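The two problems described above, a later rule shadowed by an earlier one under first-match evaluation, and a rule that still opens a port to an address the IP plan no longer considers active, can both be detected by cross-checking the firewall rule base against the IPAM inventory. The following script is an added example, not code from the original post or from any vendor product; the rule format, the `Rule` dataclass and the IPAM status values (`active` / `decommissioned`) are assumptions, and the rules and inventory are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule. An empty `ports` set means 'any port'. (assumed format)"""
    rule_id: str
    src: str             # source prefix, CIDR notation
    dst: str             # destination prefix, CIDR notation
    ports: frozenset     # destination ports; empty = any
    action: str          # "allow" or "deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` already matches `outer`."""
    o_src, i_src = ipaddress.ip_network(outer.src), ipaddress.ip_network(inner.src)
    o_dst, i_dst = ipaddress.ip_network(outer.dst), ipaddress.ip_network(inner.dst)
    if not (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)):
        return False
    if not outer.ports:          # outer matches any port
        return True
    return bool(inner.ports) and inner.ports <= outer.ports


def find_shadowed(rules):
    """First-match semantics: a rule fully covered by an earlier rule never fires.

    Returns (shadowed_rule_id, shadowing_rule_id) pairs in rule-base order.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                shadowed.append((later.rule_id, earlier.rule_id))
                break
    return shadowed


def find_stale(rules, ipam):
    """Rules whose single-host destination is absent from, or decommissioned in, the IPAM.

    `ipam` maps host address -> status string (constructed; real products expose
    this through their API rather than a plain dict).
    """
    stale = []
    for r in rules:
        dst = ipaddress.ip_network(r.dst)
        if dst.prefixlen != dst.max_prefixlen:   # only check /32 (or /128) host rules
            continue
        host = str(dst.network_address)
        status = ipam.get(host, "unknown")
        if status != "active":
            stale.append((r.rule_id, host, status))
    return stale


# Constructed sample rule base (documentation prefixes, RFC 5737 / RFC 1918).
RULES = [
    Rule("R1", "10.10.0.0/16", "192.0.2.0/24", frozenset(), "allow"),        # broad allow, any port
    Rule("R2", "10.10.5.0/24", "192.0.2.10/32", frozenset({443}), "deny"),   # never reached: covered by R1
    Rule("R3", "10.20.0.0/16", "192.0.2.44/32", frozenset({443}), "allow"),  # HTTPS to a retired device
    Rule("R4", "10.20.0.0/16", "192.0.2.45/32", frozenset({443}), "allow"),  # HTTPS to an active device
]

# Constructed IPAM excerpt: host address -> lifecycle status.
IPAM_STATUS = {
    "192.0.2.10": "active",
    "192.0.2.44": "decommissioned",
    "192.0.2.45": "active",
}

if __name__ == "__main__":
    for later, earlier in find_shadowed(RULES):
        print(f"{later} is shadowed by {earlier} (first match wins)")
    for rule_id, host, status in find_stale(RULES, IPAM_STATUS):
        print(f"{rule_id} targets {host}, IPAM status: {status}")
```

Run against the sample data, the script reports `R2` as shadowed by `R1` (a deny placed after a broader allow has no effect) and `R3` as stale because its destination is decommissioned in the IP plan. Shadowing is checked against single earlier rules only; a rule covered by the union of several earlier rules would need a more elaborate analysis.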

The Holy Grail – Centralization and Automation

The most efficient way to help overcome the difficulties associated with ensuring consistent, accurate rules across all your firewalls is to centralize storage of the relevant information. Because an IP Address Management (IPAM) solution contains structured information well beyond networks, subnets and IP addresses (e.g. location, security level, department …), it is an obvious, valuable reference from which to build filtering rules. The IP Plan provides global visibility and helps you to define filtering policies in order to control access to your company’s applications and services. These policies can therefore be used to construct the actual ruleset deployed on all your firewalls.

In addition, the actual procedure for distributing updated rules across all firewalls could be made significantly less time-consuming via automation. Typically, this would be achieved by incorporating a third-party solution to access IP Plan data via APIs. For example, the Tufin solution can easily integrate to the EfficientIP IPAM solution, to provide seamless rollout of firewall rules throughout a company’s infrastructure.

As well as the tremendous time saving this brings, firewalls are kept up to date in near real time, security is ensured, and the potential for misconfiguration of filtering rules is eliminated.

Maximizing Your Investment using Best-of-Breed

Advanced IPAM solutions offer an open, specialized database, allowing easy retrieval of data to help build filtering policies. However, the leading solutions also offer additional functions which take the simplification & functionality of security filtering to another level. Some example functions, such as those offered by EfficientIP, include:

  1. Security association of IP objects with services, via storage of metadata that can be leveraged for tagging resources’ security levels. These security levels (e.g. red, orange & green) are assigned to each object and each application/service. Comparing the security level of the object’s tag with that of the application/service then determines the access permission of an object, e.g. if the service being accessed is “web” and the level of the object trying to access the service is “green”, the result will be “open HTTPS”.
  2. Hierarchical control of security levels for devices, via enforcement of policies. For example, if the administrator assigns security level 3 at the top level of a network, all subnets in this network will be assigned level 3. This allows high-level, centralized security control of networks.
  3. Centralized identification of malicious devices. An IP address detected by a firewall as being malicious can be flagged in the IPAM, which will then instruct all security equipment in the network to quarantine the relevant device.
  4. Multi-tenancy support, which allows, from a single IPAM system, management of IP Plans belonging to multiple customers, resulting in significant cost savings for customers. The data from the IP Plans can be used to determine the filtering rules for their firewalls in the same manner as previously described above.

Firewall Management – Made Simple and Efficient

IPAM is often regarded as a simple repository for IP resource management. In reality, it is far more than just a storage mechanism. Used as a central control point, IPAM is an authoritative source of information, providing valuable insight to enable informed management and security decisions for all your firewalls, and potentially across your entire network infrastructure.
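The mechanism behind items 1 and 2 of the list above, security-level tags stored on IPAM objects, inherited down the network hierarchy and compared against the level a service requires, can be shown in a few dozen lines. The script below is an added example written for this page, not EfficientIP’s or Tufin’s code; the IPAM excerpt, the service catalogue, the colour ranking (red < orange < green) and the rendered rule format are all constructed assumptions. It uses the colour levels from item 1, but the numeric levels of item 2 would work the same way, since only the inheritance walk and the ordering matter.

```python
import ipaddress

# Constructed IPAM excerpt: prefix -> metadata. A prefix without a
# security_level inherits the tag of its closest enclosing network (item 2).
IPAM_NETWORKS = {
    ipaddress.ip_network("10.0.0.0/8"):   {"security_level": "orange", "department": "corp"},
    ipaddress.ip_network("10.50.0.0/16"): {"security_level": "green",  "department": "finance"},
    ipaddress.ip_network("10.50.7.0/24"): {"department": "finance-apps"},   # inherits green
    ipaddress.ip_network("10.99.0.0/16"): {"security_level": "red",    "department": "guest-wifi"},
}

# Assumed ordering of the tags: a higher rank may reach a service needing a lower one.
RANK = {"red": 0, "orange": 1, "green": 2}

# Constructed service catalogue: minimum level required and what to open when allowed.
SERVICES = {
    "web":   {"dst": "192.0.2.0/24",   "min_level": "orange", "open": ["HTTPS"]},
    "hr-db": {"dst": "192.0.2.50/32",  "min_level": "green",  "open": ["TCP/5432"]},
}


def resolve_level(address, networks=IPAM_NETWORKS):
    """Effective security level of an address: the tag on the most specific
    enclosing prefix that carries one, or None if no enclosing prefix is tagged."""
    addr = ipaddress.ip_address(address)
    enclosing = sorted((n for n in networks if addr in n),
                       key=lambda n: n.prefixlen, reverse=True)
    for net in enclosing:
        level = networks[net].get("security_level")
        if level is not None:
            return level
    return None


def decide(address, service, networks=IPAM_NETWORKS, services=SERVICES):
    """Compare the object's effective level with the service's required level (item 1).

    Returns ("allow", [what to open]) or ("deny", []).
    """
    svc = services[service]
    level = resolve_level(address, networks)
    if level is None or RANK[level] < RANK[svc["min_level"]]:
        return ("deny", [])
    return ("allow", list(svc["open"]))


def render_rules(requests, networks=IPAM_NETWORKS, services=SERVICES):
    """Turn (address, service) requests into an ordered, first-match rule list:
    explicit allows derived from the IP plan, then a final catch-all deny."""
    lines = []
    for address, service in requests:
        action, opened = decide(address, service, networks, services)
        if action == "allow":
            for item in opened:
                lines.append(f"allow {address} -> {services[service]['dst']} {item}")
    lines.append("deny any -> any any")
    return lines


if __name__ == "__main__":
    # Constructed access requests: (source address, service name)
    for line in render_rules([("10.50.7.12", "web"), ("10.50.7.12", "hr-db"),
                              ("10.3.3.3", "hr-db"), ("10.99.1.1", "web")]):
        print(line)
```

For the constructed input, `10.50.7.12` inherits `green` from `10.50.0.0/16` and is allowed both services, the corporate host `10.3.3.3` resolves to `orange` and is denied the `hr-db` service, and the guest address `10.99.1.1` is denied `web`; only the allows are emitted ahead of the closing deny. Because the levels live in the IP plan rather than in each firewall, retagging a single prefix in the IPAM changes the rules generated for every firewall that consumes this data.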

To learn about best practices for IPAM, take a look at our whitepaper.