FireMon Security Manager Fact Sheet

N/A
N/A
Protected

Academic year: 2021

Share "FireMon Security Manager Fact Sheet"

Copied!
13
0
0

Loading.... (view fulltext now)

Full text

(1)

FireMon Security Manager Fact Sheet

Table of Contents

Introduction to FireMon Security Manager
Architecture
Change Management
Policy Cleanup & Optimization
Business Continuity Policy Verification
Rule Documentation
Risk Analysis
FireMon Security Manager Devices Dashboard
Reporting and Compliance Audits
FireMon GUI Reports Dashboard
FireMon GUI Reports Dashboard Listing
Integrated Firewall Workflow – Policy Planner
Administration
Security
Backup and Restore
Platform Watchdog
Device Support
SPX Purpose Built Appliance Platforms


Introduction to FireMon Security Manager

FireMon® Security Manager is software that helps you manage your firewalls. FireMon reports on any changes to the firewall policy, increasing visibility and reducing the cost of making changes. It will show you which of your rules are unused and how traffic flows through each rule, letting you clean up unnecessary access and tighten down existing rules. And, with continued, automated analysis of things like PCI and NSA guidelines, FireMon will greatly improve your compliance posture. It'll even help you with security management on other devices in the enterprise, like routers and load balancers.

THE BOTTOM LINE? FireMon will strengthen your overall security posture and help you manage your security devices better, so you can provide better service to your users at a lower cost.

Software that Monitors

FireMon monitors network devices, collecting the configurations, audit trail information, and logs when changes happen. You can install it in minutes and quickly configure your devices to communicate with it. The architecture scales to monitor thousands of devices and it has built-in redundancy to ensure monitoring is always available.

Control Change

Configuration changes are going to happen. To be in control of them, you need a change management process that consistently works, providing immediate access to change justification and clear communication channels. FireMon Security Manager can help you take control.

Improve Your Firewall Policies

Rules and objects are added to firewall policies by the thousands. Never-ending streams of new access requests ask that more be created. And what happens? Policies grow large, they become complex, and complexity makes your job even harder. FireMon offers several tools that address policy size and complexity so that you can clean up your policies.

Enforce Compliance

Ensuring compliance for the firewall is difficult and costly. Most regulations and frameworks require timely auditing for an optimal security posture, as well as justification that all access is necessary — all while you plan and make changes to the firewall. These are tedious, ongoing tasks. And the key to enforcing compliance is to automate them.


Architecture

• FireMon may be deployed in either a unified or distributed fashion.

• A FireMon software installation consists of an Application Server and Database, and one or more Data Collectors. A Data Collector monitors network devices (such as a firewall) and retrieves configurations as well as usage data. This data is passed to an Application Server. FireMon uses the CentOS Linux operating system, which is binary compatible with Red Hat Enterprise Linux (RHEL). Both 32-bit and 64-bit versions are supported on the SPX appliance family.

• The Application Server controls one or more Data Collectors, stores data from those Data Collectors in the Database, and makes that data available to the FireMon Graphical User Interface (GUI). The FireMon GUI resides on the desktop of every FireMon user.

• The Application Server, Database and Data Collector can reside on a single FireMon SPX purpose-built appliance. Or, for geographic or scalability reasons, multiple Data Collectors can be deployed on separate appliances. All SPX appliances are integrated into your network with minimal configuration. Optionally, FireMon may be installed on user-supplied hardware if desired.

• The FireMon Data Collector may reside on the same platform as the FireMon Application Server or separately on its own platform. You can have essentially any number of FireMon Data Collectors reporting back to a central FireMon Application Server, providing a centralized view of the entire monitored security infrastructure. The ability to separate the FireMon DC from the FireMon Application Server adds extreme scalability and resiliency. There is no licensing cost associated with the FireMon Data Collector.

• Through this architecture, FireMon directly addresses scalability and performance through the addition of new Data Collectors to monitor remote or numerous devices.

• The number of devices a single FireMon Data Collector can support is largely a function of the number of configuration changes, the size of the configurations, and the length of time configuration revisions must be kept, balanced against the storage space of the Application Server and the number of Data Collectors deployed.

• A good estimate based on FireMon practical experience is approximately 300 devices per FireMon Data Collector instance.


• There is no set limit on the total number of devices a single FireMon Application Server can support with multiple FireMon Data Collectors: thousands of devices can be monitored from a single Application Server.

• Distributed architecture allows users to spread FireMon components across multiple geographic areas to reduce traffic across the WAN.

• The Graphical User Interface is a thick client, which increases security and locks down information; for example, a security policy cannot be pulled up and displayed on a public kiosk.

• All communication among the various FireMon components and monitored devices is secured.

Change Management

• Changes are monitored and presented in REAL TIME: FireMon alerts on a change as soon as it is detected by monitoring SYSLOG or vendor-specific API logging traffic from the end enforcement point or the responsible management platform.

• FireMon is capable of accepting a redirected, forwarded, or reflected SYSLOG data stream from a SYSLOG logging aggregation point.

• Changes are shown graphically in a policy overlay format. The changes are color coded and marked with icons so that they are immediately noticed without having to scroll and search through two different policy screens. Filters are also provided to eliminate unchanged items from view, leaving only the most relevant information to review.

• Policy Test enables you to create a data-model “what if scenario” that can be executed against a given policy, allowing you to locate rules that match a specific source, destination and service combination without "testing" the traffic live. Policy Tests may be created with pass or fail criteria. In addition to being a very effective operational feature for quickly searching a policy for a specific pattern, Policy Test is an excellent dynamic audit feature that can be used to create business continuity checks that ensure immediate notification if certain “business critical” rules are modified or impacted by higher-level rule modifications that would represent an impact to service.

• Real-time email notification and alerts, in addition to scheduled reporting, for all changes made to security devices. Formats include HTML, PDF, XML, XLS, and comma-delimited or tab-delimited output.

• Real-time, on-demand alerts on policy change are a function of FireMon. Both email and SYSLOG alerting are supported.

• FireMon fully supports policy comparisons that clearly indicate changes to both rules and objects. This capability is offered directly via the GUI or via report generation.

• Rule recommendation from within the GUI analyzes the current policy and shows if and where a new rule should be placed. It will also tell the user if the rule already exists or if a current rule can be modified to satisfy the request.


• Platform and OS changes are captured in the same fashion as the policy information, e.g. IPSO, Crossbeam, SPLAT and others.

Policy Cleanup & Optimization

• Reduce policy complexity, track rule usage, enable policy optimization.

• Complete, detailed rule and object usage available via the GUI or via report generation.

• Reports on unused rules and objects provide the visibility necessary to clean up and optimize a given policy.

• Reports on shadowed rules or duplicate rules with clear, actionable details that indicate the portion of the rules that causes the redundancy.

• Provides a histogram (graphical display) of rule and object usage, including NAT rules.

• Unlimited log history period for historical usage data storage.

• Overly permissive rules - FireMon includes a “Traffic Flow Analysis” feature that shows the unique traffic patterns that exist in a rule and clearly reports on what data is flowing across a broadly defined address range. This includes showing what traffic is flowing across the use of “ANY” in a source, destination, or service field.

Business Continuity Policy Verification

• Policy Test is an excellent dynamic audit feature that can be used to create business continuity checks that ensure immediate notification if certain “business critical” rules are modified or impacted by higher-level rule modifications that would represent an impact to service. Policy Test verifies connectivity through a firewall. You define the traffic model and the expected behavior, and FireMon shows you how the policy acts upon the traffic: does the policy support the expected behavior of the defined traffic model, or does it produce results that would cause the policy to fall outside the expected boundaries? For example, you can find which rule in a policy allows communication that was previously denied, or denies communication that was previously allowed. Route awareness option: if routing data is available for the device, FireMon can use that information to test only the policies on the device that the traffic would hit. FireMon provides results for the firewall and its operating system.
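The Policy Test business-continuity check described above, together with the shadowed-rule report from the Policy Cleanup section, modelled as an added example that is not FireMon's own code. The rule fields, first-match evaluation order and the implicit final deny are assumptions of this example, and the policy and checks are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, single host, or "any"
    dst: str
    service: str   # "proto/port" such as "tcp/443", or "any"
    action: str    # "allow" or "deny"


def _net_covers(rule_field: str, value: str) -> bool:
    """True if the rule's address field contains the value ("any" covers everything)."""
    if rule_field == "any":
        return True
    if value == "any":          # an "any" value is only covered by an "any" field
        return False
    return ip_network(value, strict=False).subnet_of(ip_network(rule_field, strict=False))


def _svc_covers(rule_field: str, value: str) -> bool:
    return rule_field == "any" or rule_field == value


def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (_net_covers(rule.src, src) and _net_covers(rule.dst, dst)
            and _svc_covers(rule.service, service))


def policy_test(policy, src, dst, service, expected):
    """Evaluate a what-if flow with first-match semantics, without sending live traffic.
    Returns (passed, name_of_matching_rule)."""
    for rule in policy:
        if matches(rule, src, dst, service):
            return rule.action == expected, rule.name
    return expected == "deny", "implicit-deny"   # assumption: unmatched traffic is dropped


def shadowed_rules(policy):
    """Rules whose src/dst/service are entirely covered by an earlier rule can never match."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if matches(earlier, later.src, later.dst, later.service):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy (order matters: first match wins)
POLICY = [
    Rule("stealth", "any", "10.0.0.1/32", "any", "deny"),               # protects the firewall
    Rule("web-in", "any", "10.0.1.10/32", "tcp/443", "allow"),
    Rule("dns-out", "10.0.0.0/8", "any", "udp/53", "allow"),
    Rule("mgmt-ssh", "10.0.2.0/24", "10.0.0.1/32", "tcp/22", "allow"),  # shadowed by stealth
    Rule("cleanup", "any", "any", "any", "deny"),
]

# Constructed business-continuity checks: (name, src, dst, service, expected action)
CHECKS = [
    ("public-web-reachable", "203.0.113.5", "10.0.1.10", "tcp/443", "allow"),
    ("internal-dns-works", "10.1.1.1", "198.51.100.2", "udp/53", "allow"),
    ("telnet-blocked", "203.0.113.5", "10.0.1.10", "tcp/23", "deny"),
]


def run_checks(policy, checks=CHECKS):
    """Map each check name to (passed, matching rule); a False result is the alert condition."""
    return {name: policy_test(policy, s, d, svc, exp) for name, s, d, svc, exp in checks}


if __name__ == "__main__":
    for name, (ok, rule) in run_checks(POLICY).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} (matched {rule})")
    print("shadowed:", shadowed_rules(POLICY))
    # A higher-level change that breaks a critical flow is caught when the checks re-run
    changed = [Rule("emergency-block", "any", "10.0.1.0/24", "tcp/443", "deny")] + POLICY
    print("after change:", run_checks(changed)["public-web-reachable"])  # (False, 'emergency-block')
```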


Rule Documentation

• Provisions for complete rule history documentation, including business owner, approver, ticket number (third-party, such as Remedy, or integrated solution), requester, business justification, and expiration or review date of every rule.

• Audit Change Log – This feature captures and records the detail of every change event in the context of the firewall policy. It appears in the GUI as a collection of incremental policy comparisons at the rule, object and policy level that is updated in real time as revisions are retrieved. This provides the ability to produce detailed reports on the “life history” of rule and object changes in a policy. The rule change audit log can contextually show the “life history” of a rule by simply clicking on it within FireMon. It is also available as a scheduled or on-demand report.

• Populate rule documentation information via the comments field, third-party ticketing systems or the integrated ticketing system.

• Complete two-way information exchange between FireMon and third-party ticketing systems is available via a professional services engagement.

• Ability to report on all data associated with rule documentation.

Risk Analysis

• Service Risk Analysis (SRA) – A FireMon feature comprised of a Service Risk Analysis Check and an Audit Report. When you create an SRA check, you define when a service should be considered risky, and you assign a level of risk to that scenario. FireMon then evaluates your policies against those defined scenarios and produces an assessment of risk in an Audit Report. Service Risk Analysis audits can be executed automatically when a new policy change is detected, evaluating the new policy for the use of risky services. In this way FireMon can help place you in a continual compliance posture, evaluating change in real time as it happens.

• Ability to feed external threat lists into FireMon to report on where your vulnerabilities are, along with their threat levels.

• Firewall traffic flow analysis - Analyze any traffic the firewall may encounter (all possible SOURCE, DEST and SERVICE combinations, including groups). Provides extensive traffic flow analysis that may be used for risk analysis, risk avoidance, risk remediation, network analysis and policy optimization.

• Detect configuration mistakes from security zone definitions and highlight misconfiguration.
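The Service Risk Analysis check described above (define when a service is risky, assign a level, re-evaluate on every detected policy change), as an added example that is not FireMon's own code. The check definitions, risk levels, rule shape and the two policy revisions are constructed assumptions of this example.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    src: str       # CIDR or "any"
    dst: str
    service: str   # "proto/port" such as "tcp/23", or "any"
    action: str    # "allow" or "deny"


class SraCheck(NamedTuple):
    service: str        # service that is considered risky ("any" = a wildcard service field)
    from_any_src: bool  # True: risky only when the source is unrestricted
    level: str          # risk level assigned to the scenario


# Constructed SRA check definitions: "when is a service risky, and how risky is it"
CHECKS = [
    SraCheck("tcp/23", True, "high"),      # telnet reachable from any source
    SraCheck("tcp/21", False, "medium"),   # ftp allowed at all
    SraCheck("any", True, "critical"),     # any-service rule open to any source
]


def sra_audit(policy):
    """Evaluate every allow rule against CHECKS; return (rule name, risk level) findings."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        for chk in CHECKS:
            if rule.service == chk.service and (not chk.from_any_src or rule.src == "any"):
                findings.append((rule.name, chk.level))
                break  # one finding per rule, using the first check that applies
    return findings


def on_policy_change(old_revision, new_revision):
    """Automatic audit on change: evaluate only rules added or modified in the new revision."""
    previous = {r.name: r for r in old_revision}
    changed = [r for r in new_revision if previous.get(r.name) != r]
    return sra_audit(changed)


# Constructed sample revisions of one firewall policy
OLD_REVISION = [
    Rule("web-in", "any", "10.0.1.10/32", "tcp/443", "allow"),
    Rule("ftp-in", "any", "10.0.1.20/32", "tcp/21", "allow"),
    Rule("cleanup", "any", "any", "any", "deny"),
]
NEW_REVISION = OLD_REVISION[:2] + [
    Rule("temp-telnet", "any", "10.0.1.30/32", "tcp/23", "allow"),
    Rule("lab-open", "any", "10.0.9.0/24", "any", "allow"),
    OLD_REVISION[2],
]

if __name__ == "__main__":
    print("baseline audit:", sra_audit(OLD_REVISION))
    print("new findings on change:", on_policy_change(OLD_REVISION, NEW_REVISION))
```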


FireMon Security Manager Devices Dashboard

The FireMon Devices Dashboard provides “at-a-glance” views of trending information across all devices in Security Manager. This information is automatically available in the Security Manager Dashboard; no setup is required.

The FireMon Devices Dashboard provides the following expanding information windows:

• Yesterday's Firewall Activity

• Firewall Complexity

• Recent Device Changes

• Changes by Device Type

• Total Unused Rule Count

• FireMon News

• Welcome

Reporting and Compliance Audits

• Customized reporting architecture that allows users to extract hundreds of custom report options in addition to the standard “canned” reports.

• FireMon Security Manager includes a library of configurable audit checks called “Extensions”. These are audit checks that help ensure your policies are in line with industry-standard best practices, or checks that you have created on your own. Most FireMon Extensions include configurable parameters that are easily modified by selecting options from simple drop-down boxes within the Extension configuration screen, or by directly entering a value you expect to see in a policy or configuration. Extensions can be executed automatically when a new policy change is detected, evaluating the new policy against the values of the Extension. In this way FireMon can help place you in a continual compliance posture, evaluating change in real time as it happens.

• Online community for “Extension” sharing and collaboration. FireMon regularly makes new “Extensions” available via our online Nexus community. FireMon Nexus is an online community where engineers can find, download, review and even publish Extensions for FireMon. It is also a space where engineers can share their ideas and collaborate on how to address common problems of emerging threats, technology solutions and ideas for new FireMon Extensions to help better manage their security. http://nexus.firemon.com

• FireMon has the capability to automate and schedule report delivery to various users or groups.

• Canned reports on rule usage, change management, compliance and many others.

• PCI DSS 1.2 – Continual compliance reporting against the PCI DSS 1.2 requirements.


FireMon GUI Reports Dashboard Listing

Usage

• Firewall Traffic Flow Analysis
• Object Usage Report
• Rule Usage Report
• Top Rule Report

Compliance

• Audit Report Scheduler
• PCI DSS Report

Analysis Reports

• Allowed Services Report
• Hidden Rules Report
• Daily Firewall Activity Report
• Weekly Firewall Activity Report
• Object Consistency Report
• Policy Test Report
• Firewall Complexity Report
• HA Consistency Report
• Rule Recommendation Report

Documentation Reports

• Change Control Report
• Expired Rules Report

Change Reports

• Change Report
• Current Policy Report
• Policy History Report
• Revision Summary Report

Check Reports

• Device Inventory Report
• NSA Router Security Report


Integrated Firewall Workflow – Policy Planner

Any change management tool can guide administrators through a change process. FireMon’s Policy Planner helps ensure that the change is correctly designed, implemented and verified. Policy Planner is a firewall change request and change management system that enables firewall administrators to manage changes to the firewall, from the initial access request to solution design, through implementation and verification. Because it integrates directly with FireMon, Policy Planner incorporates FireMon features that help users make correct, effective changes.

Rule Recommendation - As an example Policy Planner can prevent possible rule redundancy, or identify if similar access exists to help leverage modification of an existing rule before creating a new one. Further, Policy Planner can make rule placement recommendations to ensure a rule is not placed in a position where a higher level rule (stealth rule) may block the intended access thus causing unnecessary overhead to troubleshoot why the newly added rule is not working.

• Support for multiple inputs of source, destination, and services
• Prevent rule redundancy
• Identify if similar access exists
• Indicate proper rule placement

Policy and Rule Documentation - As a result of Policy Planner's tight integration with FireMon, the key documentation elements contained in the ticket request can be automatically added as supporting rule documentation in the context of the policy stored on FireMon.

Multiple Changes - Policy Planner supports multiple rule requirements in a single ticket.

Route Intelligence – Option to analyze available route data to determine which policies are affected by proposed new rule addition(s).

Include Attachments – Option to include any required supporting documentation.

Workflow Operations – 1) reject requests, 2) update information, 3) assign or reassign a ticket, 4) request additional information from the requestor, 5) request a redesign.

Role Based Permissions – Assign permissions for designers, reviewers, implementers, verifiers.


Administration

• The FireMon GUI client provides very granular role-based administration. Users are assigned to user groups, and only the monitored devices (and associated stored policies) granted access within that user group’s attributes are visible. Additional user group attributes that control specific operational aspects of the FireMon GUI client are also present. As an example, a user may be granted read-only operational control, or only allowed to run audit reports with no ability to modify tasks or view event logs.

• FireMon provides both RADIUS and LDAP methods of authentication for FireMon GUI access to the FireMon Application Server. For RADIUS, CHAP, EAP-MD5, MSCHAPv1, MSCHAPv2 and PAP are supported. For LDAP, SSL is used.

• MSSP model available.

• Online community & forum for the exchange of certified custom reports, extension checks and audits to enhance the compliance and reporting initiatives of FireMon users.

Security

• FireMon provides compression and encryption for the data contained in the FireMon database.

• All communication between the FireMon GUI client and the FireMon Application Server, and all communication between the FireMon Application Server and the FireMon Data Collector, is secured using standard encryption. Communication from the FireMon Data Collector to the managed device is also accomplished securely.

Backup and Restore

• Completely automated system backup process.

• The backup process creates and stores a single system image that can be used to fully recover from a catastrophic hardware failure.

• Provision for storing backup image archives either locally or remotely.


Platform Watchdog

• The FireMon “Watchdog” daemon is designed to monitor key operational aspects of the FireMon system. Watchdog will log and send an email alert when certain events occur or specific thresholds are reached or exceeded:

  • Disk Volume Usage Threshold %
  • Crash Data Storage Disk Threshold %
  • FireMon Application Server Process
  • FireMon Data Collector Process
  • FireMon Database Process
  • RAID Disk Controller Events
  • TCP Connection Monitor

• Additionally, it is also possible to leverage an SNMP agent for monitoring of the FireMon Application Server and Data Collector platform if desired.

Device Support

• Check Point – R62 to R75, NGX, P1, VSX, SplatOS, Crossbeam, Nokia IPSO

• Cisco – PIX, ASA, FWSM, IOS (Cisco routers and switches)

• Juniper – JunOS, SRX, ScreenOS

• McAfee (Sidewinder)

• F5 – BIG-IP LTM and GTM

• Generic adaptor that supports all ZipTie devices

• Palo Alto (Q2/2011)

SPX Purpose Built Appliance Platforms

• Developed and tested by FireMon, the creators of FireMon® Security Manager, the SPX family of appliances is purpose-built to run Security Manager in your environment. Whether you’re monitoring 100 devices or 1,000, on one continent or around the world, we offer an SPX appliance with the power and storage capacity to meet Security Manager’s performance demands and your organization’s data archival needs.

• Quick initial setup

• Pre-hardened Linux-based O/S

• Complete CLI for appliance management

• Scalable, Expandable, SSD and High Speed fault


REQUEST A DEMO!

Want To See A Live Demonstration Of Firemon Security Manager?

Web-based demonstrations of FireMon Security Manager are a great way to see the tool in action and an excellent forum to ask our engineers questions.

• To schedule one, visit our website and select the “Demo FireMon” tab in the top right corner, or you may contact us at [email protected].

• If you would rather see a recorded demo, simply visit our site and select “Security Manager Overview” at the top left of the page.
