    Firewalls still lack multivendor management
    Author: Robert Scheier
    [ 2004-06-17 18:29 ]


    Firewalls are a crucial first line of defense against viruses and denial-of-service (DoS) attacks. Standing between a company's network and the Internet, firewalls scan incoming traffic for packets, domains or IP addresses that could spell trouble rather than carry legitimate communications.

    But firewalls are only effective if they're well managed, and as corporations have dispersed their Internet access points, they have also dispersed their firewalls. Between your main office, branch offices, manufacturing and distribution centers and business partners, you've probably got more firewalls than you can easily manage or even track.

    Firewall management includes two main tasks, says Gartner Inc. Analyst John Pescatore. The first is monitoring the traffic coming through the firewall and the configuration of the firewalls -- in other words, the types of traffic or users the firewalls should be letting in. The second task is controlling the firewalls, or changing their configurations as new threats emerge or as users are granted or lose their access rights.

    There are many tools that let you do both tasks -- monitoring and controlling -- across distributed firewalls, as long as they come from the same vendor. But let's say that through a merger or a reorg you've inherited a bunch of firewalls from several different vendors. You can find tools that let you monitor this multivendor firewall environment and, in some cases, even determine if those firewalls comply with preset security policies. But there are few, if any, tools that let you do both the monitoring and fine-tuned control of firewalls from multiple vendors.

    One of the most well known firewall vendors, Check Point Software Technologies Ltd., is unapologetic about providing management capabilities only for its own firewalls. "We believe strongly in our firewall and our VPN" tools, says product marketing manager Bill Jensen. He says Check Point has no plans to provide management capabilities for other vendors' firewalls and that Check Point's customers aren't demanding it.

    He pooh-poohs the common practice of intentionally buying different firewalls to protect different portions of a network on the theory that hackers are less likely to find vulnerabilities in two vendors' firewalls than a single vendor's firewall at the same time. But since information about firewall weaknesses zips around the Internet at the speed of light, says Jensen, hackers probably learn about the weaknesses in all firewalls at the same time. "You've not added much in the way of security, but you've just (increased) your management costs," he says.

    For its own firewalls, Check Point last summer introduced its Next Generation User Interface, which includes a Visual Policy Editor that allows security managers to visualize the effect changes in security rules have on the network, says Jensen. It also allows administrators to manage the firewall and VPN capabilities of Check Point's tools through a single interface, a trend many other security vendors are following.

    Another industry leader, WatchGuard Technologies Inc., offers central consoles for managing its own distributed firewalls. But a spokesman says he doubts there will ever be a single console for managing multivendor firewalls, "since vendors have proprietary interfaces and are right now showing little inclination to establish a common standard."

    Where's the wheel?
    For multivendor environments, says Pescatore, the best you'll probably find is a "security dashboard," which lets you see what is happening on the various firewalls. "But it's not a security steering wheel" that lets you make changes if you see a new threat coming, he says.

    PentaSafe Security Technologies Inc.'s VigilEnt Security Agent for VPN-1/FireWall-1 (which also requires the VigilEnt Security Manager) provides monitoring only for Check Point's VPN/firewall product. OpenService Inc.'s SystemWatch Security Agent filters and analyzes information from Check Point's FireWall-1/VPN-1 and Axent's Raptor, among other security tools, but offers only limited control capabilities. NetIQ Corp.'s Security Manager provides monitoring and log consolidation from various network devices, but focuses more on ensuring those devices comply with established security rules than on allowing fine-grained management of components such as firewalls.

    One option is outsourcing firewall management to a managed security service provider, which may have built proprietary tools to handle such disparate environments. Outsourcing can be a good option for customers who need 24/7 monitoring and are too small to afford their own full-time management staff, observers say. Depending on the size of the network to be protected, such a service may cost only $50,000 to $75,000 per year, says Pescatore, far less than the cost of even a single full-time staffer with benefits.

    At least one vendor, though, is taking on the task of monitoring and controlling multivendor firewalls through a single console. Ponte Communications Inc. writes to the APIs (application programming interfaces) of different vendors' firewalls (as well as VPNs, routers and other network devices) to control them through a single console. Ponte's nsControl platform consists of two parts: control server software, running on a Sun Microsystems Inc. Solaris server, that stores the information needed to manage network security; and network control point software, running on Intel-based hardware around the network, that delivers the necessary changes to local devices.

    For example, if a network manager wanted to shut down Telnet access to the company's servers through both Check Point and Cisco Systems Inc. firewalls, says Pescatore, he could do that with a single command through the Ponte platform without having to log into both firewalls.

    The downside to this approach, he says, is that management vendors need to update their products whenever any device vendor changes its APIs. He sees such control capabilities eventually being built into wider network or application management tools from larger vendors such as IBM, Hewlett-Packard Co. or BMC Software Inc., which can force the device vendors to write to their APIs, not the other way around.
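    The adapter-per-vendor design Pescatore describes, and the update burden it carries, can be sketched in a few lines. The following is an added illustration, not Ponte's code or any vendor's real management API: one vendor-neutral rule (block Telnet, TCP port 23) is rendered through a small adapter registry, where the Cisco extended-ACL syntax is real but `render_vendor_b` is a hypothetical stand-in for a second vendor's driver, and a push is refused outright if any device lacks an adapter so the policy is never half-applied.

```python
"""Vendor-neutral firewall rule pushed through per-vendor adapters (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Rule:
    action: str   # "deny" or "permit"
    proto: str    # "tcp" or "udp"
    src: str      # "any" or a single host IP
    dst: str      # "any" or a single host IP
    dport: int    # destination port

def render_cisco(rules: List[Rule], acl_name: str = "OUTSIDE_IN") -> List[str]:
    """Cisco IOS-style extended ACL; first match wins, so order is preserved."""
    out = [f"ip access-list extended {acl_name}"]
    for r in rules:
        src = "any" if r.src == "any" else f"host {r.src}"
        dst = "any" if r.dst == "any" else f"host {r.dst}"
        out.append(f" {r.action} {r.proto} {src} {dst} eq {r.dport}")
    return out

def render_vendor_b(rules: List[Rule]) -> List[str]:
    """Hypothetical second-vendor syntax: shows only where a real driver would plug in.
    If that vendor changed its API, this is the one function that would break."""
    return [f"add rule action={r.action} service={r.proto}/{r.dport} "
            f"src={r.src} dst={r.dst}" for r in rules]

# Registry of adapters: one entry per supported device vendor.
ADAPTERS: Dict[str, Callable[[List[Rule]], List[str]]] = {
    "cisco": render_cisco,
    "vendor_b": render_vendor_b,
}

def unsupported_vendors(devices: Dict[str, str]) -> List[str]:
    """Vendors present in the device inventory that have no adapter."""
    return sorted({v for v in devices.values() if v not in ADAPTERS})

def push_policy(rules: List[Rule], devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Render the same rules for every device ({name: vendor}); refuse to start
    if any vendor is unsupported, rather than applying the policy to only some."""
    missing = unsupported_vendors(devices)
    if missing:
        raise KeyError(f"no adapter for vendor(s): {missing}")
    return {name: ADAPTERS[vendor](rules) for name, vendor in devices.items()}

# Constructed sample: block Telnet (tcp/23) from anywhere to any server.
BLOCK_TELNET = [Rule("deny", "tcp", "any", "any", 23)]
DEVICES = {"hq-fw": "cisco", "branch-fw": "vendor_b"}  # constructed inventory

if __name__ == "__main__":
    for dev, cfg in push_policy(BLOCK_TELNET, DEVICES).items():
        print(dev, "\n".join(cfg), sep="\n")
```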

    About the author
    Robert L. Scheier writes frequently about security issues from Boylston, Mass. He can be reached at rscheier@charter.net.
