Save blushes and blame with firewall policy analysis

It happens in a moment - I put my mobile down and suddenly my client is standing in front of me ready for a meeting. Two hours later I am desperately searching for my phone but it's nowhere. Here I am in Dubai and my phone is gone. I need to call my provider to block it but the provider's number is in the phone. I feel totally hopeless and quite alone as my entire life is in that stupid thing, writes Calum Macleod, regional manager at Tufin Technologies.

In a similar vein, for IT security professionals all it takes is a distraction and before you know it you have disconnected your business-critical applications. One small change on the firewall or the router and suddenly your users are disconnected. If you are a service provider, just imagine the revenue loss. If you are an airline taking online bookings, or a bank, you are losing money and/or customers because of a momentary distraction.

And like my phone, recovering the situation is not necessarily that simple. Logically I could say that my phone was somewhere, but where that somewhere is, is another question. You would think that if one of your admins made a simple change to a firewall or a router you could immediately reverse the process, but in reality it is often like looking for a needle in a haystack.

Of course, someone is always looking to place the blame. My initial suspicion was that my telephone was in the "careful keeping" of one of the guys at the security desk. Frequently I hear network and security administrators complaining that as soon as something doesn't work the firewall guys are always the first to be accused even though there are many other possible points of failure - the client application, the user's PC, intermediate switches, routers, filters, load balancers and the application itself. But, because of its nature (secretive and designed to keep people out) the firewall is a prime suspect. As a firewall administrator, you are guilty until proven innocent - like my thoughts about the guys at security.

You can, of course, take the usual approach to "solving the crime". Start to analyse the firewall traffic logs. Contact the user, obtain his IP address and ask him to access the application again. Ideally, this should trigger the connection in question. Then you can review the firewall traffic logs and locate the dropped or accepted packets. How easy this is depends on the tools - unless you have a smart log browser, you may have to work with syslogs.

Enter a policy analysis tool - which is like having a video of what is actually going on. It allows you to create a policy analysis query and you see exactly where the problem is. Policy analysis will quickly determine whether the firewalls are allowing the user's traffic or not. If it turns out that the firewall is, in fact, blocking traffic, policy analysis will point you to the rule that is causing the problem as well as when it was last changed, and by whom. In fact, if there was an equivalent "Lost Phone Analysis Tool" I would have been able to identify exactly who found the phone and where they were at that exact moment.
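To make the idea concrete, here is an added illustration (not Tufin's product or any code from the original article) of what such a query does: a first-match evaluation over a constructed rulebase that returns the rule a user's traffic hits, together with who last changed it and when. Rule names, addresses and change records are all made up for the example.

```python
"""Minimal first-match firewall policy analysis query (constructed illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int]  # None means any destination port
    action: str         # "accept" or "drop"
    changed_by: str     # who last touched the rule (hypothetical audit trail)
    changed_at: str     # when it was last changed


def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    """True if the 5-tuple-style query falls inside the rule's match fields."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def analyse(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> Optional[Rule]:
    """Return the first matching rule (firewalls stop at first match); None means implicit deny."""
    for rule in policy:
        if rule_matches(rule, src, dst, proto, port):
            return rule
    return None


def explain(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Human-readable answer to 'is the firewall blocking this user, and which rule is it?'."""
    rule = analyse(policy, src, dst, proto, port)
    flow = f"{proto}/{port} {src} -> {dst}"
    if rule is None:
        return f"{flow}: dropped by implicit deny (no rule matches)"
    return (f"{flow}: {rule.action} by rule '{rule.name}' "
            f"(last changed {rule.changed_at} by {rule.changed_by})")


# Constructed sample rulebase: a recently added drop rule sits above the booking-site accept
# rule, so branch users lose the booking application without anyone touching that rule.
POLICY = [
    Rule("allow-dns", "10.0.0.0/8", "10.1.1.53/32", "udp", 53, "accept", "alice", "2009-03-02"),
    Rule("block-branch", "10.20.0.0/16", "0.0.0.0/0", "any", None, "drop", "bob", "2009-05-14 09:12"),
    Rule("allow-booking", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443, "accept", "alice", "2009-01-20"),
]

if __name__ == "__main__":
    print(explain(POLICY, "10.20.5.7", "192.0.2.10", "tcp", 443))   # hits block-branch
    print(explain(POLICY, "10.30.5.7", "192.0.2.10", "tcp", 443))   # hits allow-booking
```

Running the query for the complaining user's address points straight at `block-branch` and its change record, which is the answer the log-trawling approach above only reaches after reproducing the connection.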

Sometimes you happen to be in the right place at the right time and you get lucky. I highly recommend Dubai as a location in which to lose your mobile phone. After all, it is not every day that someone picks up a 16Gbyte iPhone, calls the last number dialed, drives 50km in heavy traffic, and then waits 45 minutes for someone to pick it up. And he didn't even give his name.

You just might be lucky and spot the problem on your firewall immediately, but the chances of doing so are about as slim as being in Dubai when you lose your mobile.