For an enterprise firewall you may have over 50 thousand rules. With typical errors in firewall rules including things like mistyped network masks, you couldn't hope to manually review the release.
So what tools are available? Free or otherwise.
Tufin and Firemon are the major players here. I do not have experience with Firemon, but Tufin makes a solid product. (I do not hold financial interest in Tufin, but am a customer).
Check out AlgoSec and Lumeta to see if their products will do what you want.
Disclosure: I have no personal experience with these vendors, nor do I have any financial relationship with them.
You might also want to check out this question, which seems related.
While not exactly a tool, something that might prove useful is using aliases (like words) for network names/masks/sections, then replacing them with the correct ones in a shell script. More common, in my opinion, would be Cisco devices that use named ACLs for meaningful chunks and assemble the ACLs into a massive ruleset. It could make it a little harder to troubleshoot manually, but each subsection not being modified when you add/remove a rule might help you zero in on errors. Just a thought.
I've used both Tufin and Firemon and am familiar with AlgoSec.
Tufin is a great product, but it's very much the same as it was years ago. Little has been done in the way of R&D.
When I looked at AlgoSec, it was too bulky for what I was looking for. Imagine Arcsight for Firewall Management - Great product, but required a great deal of tuning.
When I originally looked at Firemon about 4 years ago, I was not a fan. Today, I've replaced all of our firewall management tools (Tufin, Eventia) with Firemon. It offers the core products that all tools in this space do (auditing, rule usage statistics, etc.) and it has a really great workflow piece. For example, an end user makes a FW rule request and then you can use the tool to figure out if the rule already exists and, if not, where you should put the rule, i.e. a similar rule exists with the same destination and service so you can just add a host to the source.
So Algosec, Tufin and Firemon should all get the job done it's just a matter of what fits your needs best. I found Firemon to be the best tool today.
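As an added illustration (not part of any answer above, and not code from Tufin, Firemon, AlgoSec or any other vendor), here is a small Python checker that does three of the things discussed on this page in one pass: it expands word aliases into real networks/masks as the shell-script suggestion describes, it flags mistyped masks of the kind the question mentions, and it finds exact duplicates plus rules that could be folded into an existing rule with the same action, destination and service (the "add a host to the source" case from the Firemon workflow). The rule format (`action src dst service`), the alias names and the addresses are all constructed for the example; real products parse vendor configs and account for rule order, which this toy deliberately does not.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed alias table (hypothetical names, RFC 5737 documentation ranges).
ALIASES = {
    "CORP_LAN": "198.51.100.0/24",
    "DMZ": "192.0.2.0/24",
    "WEB01": "192.0.2.10/32",
    "DB_NET": "203.0.113.0/24",
}

# Constructed sample ruleset in an invented "action src dst service" format.
# Line 2 duplicates line 1, line 3 differs from line 1 only in source,
# line 5 has a host address with a /24 mask, line 6 has a malformed mask.
RULESET = """\
allow CORP_LAN WEB01 tcp/443
allow 198.51.100.0/24 WEB01 tcp/443
allow 10.0.0.5/32 WEB01 tcp/443
allow CORP_LAN DB_NET tcp/5432
allow 198.51.100.7/24 DB_NET tcp/5432
deny any 192.0.2.0/255.255.0 any
allow 10.0.0.0/8 DMZ tcp/22
"""

Rule = namedtuple("Rule", "lineno action src dst service")


def expand_aliases(text, aliases):
    """Replace whole-word alias names with their definitions, so that
    'DMZ' is substituted but a name such as 'DMZ_WEB' is left alone."""
    for name, value in aliases.items():
        text = re.sub(r"\b%s\b" % re.escape(name), value, text)
    return text


def mask_error(token):
    """Return a description of a bad network/mask token, or None if it parses.
    strict=True rejects prefixes whose host bits are set (198.51.100.7/24),
    a classic mistyped-mask symptom; malformed masks fail to parse at all."""
    if token == "any":
        return None
    try:
        ipaddress.ip_network(token, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def parse_rules(text):
    """Split the (alias-expanded) text into Rule tuples; bad lines are findings."""
    rules, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or line.startswith("#"):
            continue
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            findings.append((lineno, "syntax", line))
            continue
        rules.append(Rule(lineno, *parts))
    return rules, findings


def audit(text, aliases=ALIASES):
    """Return sorted (lineno, kind, detail) findings: bad masks, exact
    duplicates, and merge candidates (same action/dst/service, new source)."""
    rules, findings = parse_rules(expand_aliases(text, aliases))
    seen = {}        # (action, src, dst, service) -> first line number
    by_dst_svc = {}  # (action, dst, service)      -> first line number
    for r in rules:
        bad = [e for e in (mask_error(r.src), mask_error(r.dst)) if e]
        if bad:
            findings.append((r.lineno, "bad_mask", "; ".join(bad)))
            continue  # do not compare a rule whose addresses are unreliable
        key = (r.action, r.src, r.dst, r.service)
        if key in seen:
            findings.append((r.lineno, "duplicate", "same as line %d" % seen[key]))
            continue
        seen[key] = r.lineno
        dkey = (r.action, r.dst, r.service)
        if dkey in by_dst_svc:
            findings.append((r.lineno, "merge_candidate",
                             "add source %s to line %d" % (r.src, by_dst_svc[dkey])))
        else:
            by_dst_svc[dkey] = r.lineno
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, detail in audit(RULESET):
        print("line %d: %s: %s" % (lineno, kind, detail))
```

Two caveats a practitioner would want: the merge check ignores rule order, so on an ordered firewall a deny sitting between two "mergeable" allows changes the meaning and a real tool must account for that; and it only matches sources textually, so a /32 that is already covered by a wider source (10.0.0.5 inside 10.0.0.0/8) is reported as a merge candidate rather than as a shadowed rule, which needs a containment check on the parsed networks.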
I'm slightly familiar with Tufin, albeit more with the company than working with the product.
I can't really speak from experience, but supposedly their SecureTrack product helps manage large rulesets.
(Yes, it is commercial, and not free...)
TFX from terreActive is used by a lot of big players in Switzerland. I can't tell you which ones actually use it, but the list of customers should give you an idea of the level we're working at.
Disclaimer: I work there.
Matasano makes a product called playbook that's built for managing large rulesets over large deployments of firewalls.
Disclaimer: I know I just mentioned Thomas Ptacek in my last answer, but I've got no financial interest in his company; I just think (despite the hack) that they're generally pretty good at what they do.