AlgoSec Security. Visibility. Governance
   
 
 

Policy Optimization

Enterprises have hundreds if not thousands of firewall rules and objects, and they keep changing and growing. Because the firewall is the first and continued line of defense, this constant flux decreases the firewall’s performance while increasing an enterprise’s potential exposure to security breaches.

Identifying Potential Rules for Removal
In addition to some rules becoming obsolete, there are unused, duplicated, covered and other rules that contribute to a bloated and inefficient firewall infrastructure.

Identifying and Tracking Changing Rule Numbers
Every rule has an internal unique identifier (UID), which is used to match traffic logs with the corresponding rules. The AlgoSec Firewall Analyzer (AFA) identifies and tracks these UIDs so that, even as rule numbers change over time, Rule, Object and NAT usage reports remain accurate.

Identifying Rules to be Re-Ordered for Optimization
The AlgoSec Firewall Analyzer’s (AFA) patent-pending Intelligent Rule Re-Ordering provides recommendations for re-ordering rules to improve an enterprise’s firewall performance, while taking the firewall’s actions into account to ensure that the policy decisions are preserved.

The AFA recommendations offer the firewall administrator a new position for rules to optimize performance. The administrator can decide whether to move the rule to its exact new recommended position or to another position in the same area that maintains the filtering logic, while keeping blocks of rules intact.

In order to provide a measurable attribute for firewall performance that will demonstrate the improvement of the policy optimization, AlgoSec defined a new metric called Rules Matched Per Packet (RMPP). RMPP is a calculation of the average number of rules the firewall tested until it reached the rule that matched a packet (including the matched rule).

Firewalls do in fact test the rules in sequence, one after another, until they reach the matching rule, and each tested rule contributes to the firewall’s CPU utilization. Therefore, optimizing the policy to decrease the RMPP score will decrease the firewall CPU utilization and greatly improve overall performance.

The AFA Intelligent Rule Re-ordering feature recommends an optimized position for each rule, based on the current traffic mix as seen in the firewall logs.

Implementing the AFA-computed optimal rule order in a policy consisting of hundreds of rules may not be feasible. To address this common situation, AFA offers a top-10 list. This list consists of the 10 rule-relocation recommendations that provide the greatest improvement.

Although the AFA provides recommendations on new positions for each rule, in many cases a handful of rule relocations are sufficient to produce a dramatic drop in RMPP, significantly increasing performance. Often moving only a single rule which is not among the top used, but is located low in the firewall policy, will provide the greatest value. AFA Intelligent Rule Re-ordering will help to achieve the maximal outcome for the minimal investment.
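
An added worked example, not AlgoSec's code or AFA's algorithm: it computes RMPP as defined above for a constructed five-rule policy and searches for the single upward rule move that lowers RMPP most without crossing a rule that overlaps it with a different action. The rule model (source network, destination network, port), the rule names and the traffic counts are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "name src dst port action")  # port None means any port

def first_match(policy, src, dst, port):
    """Return (1-based position, rule) of the first rule matching the packet."""
    for pos, r in enumerate(policy, 1):
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.port in (None, port)):
            return pos, r
    raise ValueError("policy needs a catch-all cleanup rule")

def rmpp(policy, flows):
    """Average number of rules tested per packet, matched rule included."""
    tested = sum(first_match(policy, s, d, p)[0] * n for s, d, p, n in flows)
    return tested / sum(n for *_, n in flows)

def conflicts(a, b):
    """True if some packet can match both rules and their actions differ."""
    return (a.action != b.action
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port is None or b.port is None or a.port == b.port))

def best_single_move(policy, flows):
    """Try every upward move that crosses no conflicting rule; keep the lowest RMPP."""
    best = (rmpp(policy, flows), None, policy)
    for j in range(1, len(policy)):
        i = j
        while i > 0 and not conflicts(policy[i - 1], policy[j]):
            i -= 1  # rule j may sit at index i: nothing it passes can change a decision
            cand = policy[:i] + [policy[j]] + policy[i:j] + policy[j + 1:]
            score = rmpp(cand, flows)
            if score < best[0]:
                best = (score, (policy[j].name, j + 1, i + 1), cand)
    return best

# Constructed sample policy and per-flow packet counts (not real log data).
POLICY = [
    Rule("allow-dns", "10.0.0.0/8", "10.1.1.53/32", 53, "allow"),
    Rule("deny-guest", "10.9.0.0/16", "10.2.0.0/16", None, "deny"),
    Rule("allow-mail", "10.0.0.0/8", "10.1.1.25/32", 25, "allow"),
    Rule("allow-web", "10.0.0.0/8", "10.2.0.80/32", 443, "allow"),
    Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
FLOWS = [("10.3.0.5", "10.2.0.80", 443, 900), ("10.3.0.5", "10.1.1.53", 53, 50),
         ("10.9.0.7", "10.2.0.80", 443, 30), ("10.3.0.5", "10.1.1.25", 25, 20)]
```

On this sample, `best_single_move(POLICY, FLOWS)` moves allow-web from position 4 to position 3 and RMPP drops from 3.77 to 2.89. The rule cannot go higher because deny-guest overlaps it with the opposite action, so placing it first would turn a denied guest flow into an allowed one.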

For more information on optimizing your rule base, read our White Paper on Firewall Rule Cleanup.



AlgoSec’s Firewall Analyzer is a must have for anyone who manages a rule set of 100 or more.


Network World Magazine



By creating FireFlow using the AFA engine, AlgoSec has effectively created a solution that can automate the entire network security lifecycle...


Frost & Sullivan Analyst



We quickly saw a clear return on our investment with the AlgoSec Firewall Analyzer...


Anton Spitzer,
Infrastructure Services, Porsche Informatik



The AFA allows us to get all of our firewall information in one place, providing IT Governance and visibility where it did not exist.


Anton Spitzer,
Infrastructure Services, Porsche Informatik



Network security VARs, take note: AlgoSec’s FireFlow network policy change workflow management software is the next hot-ticket item for customers.


eWeek Magazine



The AlgoSec Firewall Analyzer fills a critical need for us by automating what was a manual, labor intensive and error prone process.


Anton Spitzer,
Infrastructure Services, Porsche Informatik



By utilizing AFA we no longer require the services of an external source to perform an audit.


Ruza Manojilovic,
Manager Security Operations Teranet



It (AFA) easily and quickly provided Atos Worldline with the ability to understand, track and verify changes to our firewall infrastructure…


Massoud Kamran,
Security Consultant at Atos Worldline Belgium



AlgoSec Firewall Analyzer’s automated and intelligent analysis lets us know the implications of a change and avoid potential risks which save us time, effort and money.


Peter Johannes,
head of Security and Architecture Policy at Atos Worldline Belgium



AlgoSec’s Firewall Analyzer has helped us significantly improve our overall network security.


Ruza Manojilovic,
Manager Security Operations Teranet



Using AFA’s turnkey solution for PCI DSS has been invaluable for us in terms of time and effort.


Ruza Manojilovic,
Manager Security Operations Teranet






With the AFA we can focus on what is most important to Porsche Informatik – our customers.


Anton Spitzer,
Infrastructure Services, Porsche Informatik



AlgoSec affords us realizing operational efficiencies in global security policy management and compliance.


Hugo Van der Veeken,
Atos Worldline SA/NV security department head