One other individual and I will be taking over some of the daily firewall management duties soon. I'm looking for a way to track changes on our firewall configurations for auditing purposes and need some ideas on a good way to track the changes that are made.
I don't have a lot of specific criteria but here are some of the basic things I would like to be able to do:
- Access to previous revisions of firewall configs
- Access to changes made and by whom
- When specific changes were made
I'm wondering if some sort of revision control software would work here as a way to track the changes? Or if some other approach would work better for managing the change control in this situation.
I'm open to any and all suggestions at this point.
EDIT:
We are using a Checkpoint pair in a one-passive, one-active configuration. I will update again with specific model numbers when I get a chance.
There is actually an article today at Resources.infosecinstitute.com that talks about firewall auditing. While I know this isn't exactly what you were asking for, there are some tools towards the bottom that they reference that may help you out.
While both of those are paid-for products, you could use your own in-house solution with some basic scripts. RANCID basically does diffs of various config files. Since Checkpoint supports backing up the config in text format, you can schedule this and then have a basic script that diffs the results and shows you the differences. Along with that, you can simply pull the audit logs to tie together who made the changes when diffs occurred.
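The export-then-diff approach this answer describes, as an added example that is not part of the original post and not RANCID's or Check Point's own code: it diffs two text snapshots of a config and lists the admins whose audit entries fall between the two export times. The rule-line and audit-line formats are constructed for illustration and are not Check Point's real export or log syntax.

```python
import difflib
from datetime import datetime

# Constructed snapshots, one rule per line, hypothetical format (not Check Point's own).
SNAPSHOT_OLD = """\
rule 1 src any dst 10.0.0.5 svc http action accept
rule 2 src 10.1.0.0/16 dst any svc ssh action accept
rule 3 src any dst any svc any action drop
"""
SNAPSHOT_NEW = """\
rule 1 src any dst 10.0.0.5 svc http action accept
rule 2 src 10.1.0.0/16 dst any svc ssh action drop
rule 3 src 192.168.5.0/24 dst 10.0.0.9 svc smtp action accept
rule 4 src any dst any svc any action drop
"""
# Constructed audit log, "<ISO timestamp> <admin> <action>" per line (hypothetical format).
AUDIT_LOG = """\
2012-03-01T10:02:41 alice modify_rule 2
2012-03-01T10:05:03 alice add_rule 3
2012-03-01T10:06:30 alice install_policy
2012-03-01T14:20:00 bob login
"""

def diff_configs(old: str, new: str) -> list[tuple[str, str]]:
    """Return (kind, line) pairs: '+' for lines added, '-' for lines removed."""
    changes = []
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # drop file headers and hunk markers, keep only changed rules
        changes.append((line[0], line[1:]))
    return changes

def audit_entries_between(log: str, start: str, end: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, admin, action) for audit lines inside [start, end]."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    entries = []
    for line in log.splitlines():
        ts, admin, action = line.split(" ", 2)
        if t0 <= datetime.fromisoformat(ts) <= t1:
            entries.append((ts, admin, action))
    return entries

def change_report(old: str, new: str, log: str, start: str, end: str) -> dict:
    """Pair the config diff with the admins whose audit entries fall between the snapshots."""
    entries = audit_entries_between(log, start, end)
    return {"changes": diff_configs(old, new), "admins": sorted({e[1] for e in entries})}

if __name__ == "__main__":  # the window is the two scheduled export times
    report = change_report(SNAPSHOT_OLD, SNAPSHOT_NEW, AUDIT_LOG, "2012-03-01T09:00:00", "2012-03-01T11:00:00")
    print(*[f"{k} {r}" for k, r in report["changes"]], "admins:", report["admins"], sep="\n")
```

Run against real exports, the two timestamps are simply the times of the previous and current scheduled backup, which is what lets the audit log answer "who" for each diff.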
Another option (paid-for product) is AlgoSec Security Management Suite, which was just given 5 out of 5 stars in an SC Magazine product review - http://www.scmagazine.com/algosec-security--management-suite/review/3666/. This Suite consists of two products - AlgoSec Firewall Analyzer and AlgoSec FireFlow. AlgoSec Firewall Analyzer analyzes firewall policies and tracks changes to the policies per your requirements.
This may go beyond what you are looking for at this point, but additionally it identifies risky rules (based on industry standards such as NIST, PCI, etc.), opportunities to optimize policies (i.e. identify unused rules, provide recommendations to reorder rules, etc.), tighten overly permissive rules (i.e. ANY Source, Dest), track changes and automate compliance audits for PCI, NERC CIP, SOX, and others. AlgoSec FireFlow takes the analysis from the Firewall Analyzer and automates the entire change workflow (it can integrate with an existing ticketing system and provides the underlying intelligence as far as impact of change, where to make the change, etc.).
Here's a link to the product information if you are interested in learning more: http://www.algosec.com/en/products/products_overview
Good luck!
*Disclaimer - I work for AlgoSec
We have a policy: if you update a device config, then you save a copy of the config in plain text in our Subversion (SVN) repository.
One of the really great things about this is that SVN can be configured to email out diffs of each check-in, so if I add a rule to a firewall, everyone else who needs to know gets a copy of the changes I made.