Athena Security’s Firewall Rule Tracker Documents Compliance

Increasing PCI-DSS stringency is a key driver for enforcing documentation integrity.

Note: ESJ’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.

Athena Security, the developers of Athena FirePAC, an enterprise firewall audit and operations tool, has released Firewall Rule Tracker, the industry’s only asynchronous documentation solution for recording the reason why specific firewall rules exist in enterprise networks.

Firewalls are widely deployed in more than 97 percent of enterprises today, but firewall rulebases have grown at an alarming rate. The knowledge surrounding legacy rules dissipates over time, leaving enterprises with too many risky rules that remain unjustified.

The system tracks rules based on what each rule does rather than on its line number in the configuration (which changes every time rules are added or deleted). This is perhaps the biggest reason documentation is often inconsistent and incomplete. A textual comparison of a rule before and after it has been modified does not capture the full story, but that is the extent of what most change management systems offer.

One of the basics of firewall rule management is to make sure that every rule that pokes a hole in the firewall’s security has been justified by a legitimate business purpose. For example, an average Cisco rulebase has 1,325 rules, according to researchers from the University of Notre Dame. Multiply the number of rules in a single firewall across enterprises with 10, 50, or more than 100 firewalls, and keeping that documentation current becomes a time-consuming and daunting task that is easily trumped by the administrator’s need to resolve more pressing issues, such as troubleshooting network outages.

For auditors, especially PCI QSAs, reviewing the documentation for each firewall rule is an ideal place to identify lax security controls, general rulebase neglect, and other red flags that trigger the need for further investigation. Athena’s Rule Tracker recognizes that teams collaborate far more easily with spreadsheets. By using a spreadsheet approach and built-in intelligence to make the system user-friendly, Athena’s Rule Tracker is flexible enough to be used in any change process.

Rule Tracker compares two versions of a configuration and immediately identifies what changed, so users can add missing documentation, which is then automatically retained and available for reporting.
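The two ideas above (identifying a rule by what it does rather than by its line number, and carrying justifications forward across configuration versions) in a small Python sketch. This is an added illustration, not Athena’s code; the ACL-like syntax, addresses and ticket ids are constructed for the example.

```python
from collections import namedtuple
# A rule's identity is what it does, not where it sits in the file.
Rule = namedtuple("Rule", "action proto src dst port")

def parse_rule(line):
    # Simplified ACL-like syntax (constructed), e.g. "permit tcp 10.1.0.0/24 any eq 443"
    toks = line.split()
    action, proto, src, dst = toks[:4]
    port = toks[5] if len(toks) >= 6 and toks[4] == "eq" else "any"
    return Rule(action, proto, src, dst, port)

def parse_rulebase(text):
    """Map each rule identity to its line number in this version."""
    return {parse_rule(l): n for n, l in enumerate(text.strip().splitlines(), 1)}

def diff_rulebases(old_text, new_text):
    """Return (added, removed, moved); moved rules are unchanged in meaning but
    sit on a different line, which a line-number-keyed tracker would misreport."""
    old, new = parse_rulebase(old_text), parse_rulebase(new_text)
    added = sorted(set(new) - set(old), key=new.get)
    removed = sorted(set(old) - set(new), key=old.get)
    moved = [r for r in old if r in new and old[r] != new[r]]
    return added, removed, moved

def carry_forward(docs, old_text, new_text):
    """Keep justifications for surviving rules; list rules that still lack one."""
    added, removed, _ = diff_rulebases(old_text, new_text)
    new_docs = {r: why for r, why in docs.items() if r not in removed}
    undocumented = [r for r in added if r not in new_docs]
    return new_docs, undocumented

# Constructed sample: v2 inserts a DNS rule at the top, shifting every other line.
OLD = """\
permit tcp 10.1.0.0/24 any eq 443
permit tcp 10.1.0.0/24 10.9.9.9/32 eq 22
deny ip any any
"""
NEW = """\
permit udp 10.1.0.0/24 10.2.2.2/32 eq 53
permit tcp 10.1.0.0/24 any eq 443
permit tcp 10.1.0.0/24 10.9.9.9/32 eq 22
deny ip any any
"""
DOCS = {parse_rule("permit tcp 10.1.0.0/24 any eq 443"): "TKT-101 web egress",  # constructed ids
        parse_rule("permit tcp 10.1.0.0/24 10.9.9.9/32 eq 22"): "TKT-102 bastion ssh",
        parse_rule("deny ip any any"): "default deny"}

if __name__ == "__main__":
    added, removed, moved = diff_rulebases(OLD, NEW)
    print("added:", added, "removed:", removed, "moved but unchanged:", len(moved))
    print("still needs a justification:", carry_forward(DOCS, OLD, NEW)[1])
```

Only the inserted DNS rule is reported as needing a justification; the three shifted rules keep their existing documentation because their identity, not their line number, is the key.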

The Athena Firewall Rule Tracker is available immediately as a standalone tool and as an add-on solution to its FirePAC product. Pricing starts at $250/firewall. For more information, visit www.athenasecurity.net/index.html.
