Optimization of traffic filtering on NGFW Firewalls
A firewall is a basic element of corporate data protection. Its role is to allow or block traffic, based on the filters configured on its individual ports (interfaces).
The problem arises when the firewall configuration gets out of hand. Most often this results from a lack of proper hygiene in day-to-day work, often a consequence of heavily loaded IT departments: engineers overwrite old rules with new ones and do not update the rule base after completing projects.
Companies invest in high-quality IT equipment, but they often forget that the equipment itself does not guarantee either security or proper operation. What we most often observe during audits, even in large and well-known companies, is poorly configured edge devices such as UTM, NGFW and a lack of access policy management.
– Jakub Fabiś, Head of Sales, Grandmetric
The client’s systems are tightly secured
The rules we created for NGFW are universal and can be used in the case of migration to another solution
The client uses a convenient dashboard, independent of the manufacturer, that visualizes how the NGFW filters network traffic
Many years of negligence at a global beverage producer meant that engineers did not know which of the rules configured on the ports were up-to-date and in use, and thus could not determine which path traffic took or where it went. Such a mess made it much more difficult to oversee traffic and to assess whether the firewall was properly filtering traffic throughout the organization.
Our client decided to tidy up the configuration of its NGFW devices to make it easier for engineers to troubleshoot network traffic.
Our task was to understand how the current FortiGate clusters were configured, and which rules were valid and which were no longer used. We then organized and visualized the traffic using flow-analysis automation, written by our team, that maps flows between individual interfaces and security zones.
We started with a detailed analysis of needs and an audit of the current configuration. We captured a week-long sample of network traffic and, based on it, prepared the basic traffic control rules.
The client did not know how their FortiGate devices were filtering traffic. To analyze which interfaces were in use, between which interfaces traffic flowed, and how much, we built our own analysis tool. For this we used the Elastic Stack (Elasticsearch and Kibana), which, from the data provided to it (source, destination, ports, VLANs), produced a flow diagram (a Sankey diagram).
We were aware that incorrectly constructed rules affect the operation of the factory, e.g. they may cause computers to lose the ability to supervise machines in the production hall. That is why we worked in the windows when the machines were down. New rules were added at the top of the policy, so that we could unambiguously verify their correctness using the per-rule packet and session counters for traffic matching each rule (the so-called hit count).
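The two techniques above (aggregating a traffic sample into interface-to-interface flows for a Sankey diagram, and verifying a rebuilt rule base through first-match hit counts) can be shown in a few dozen lines. The code below is an added example, not Grandmetric's tool and not FortiGate code; the log lines are constructed in a FortiGate-like key=value style, and the interface names, addresses and rule names are hypothetical. It assumes only the Python standard library.

```python
"""Flow aggregation and rule hit-count check over FortiGate-style traffic logs.

Added example (not the page's or vendor's code): parses key=value traffic log
lines, aggregates accepted sessions into interface-to-interface links (the
source/target/value triples a Sankey diagram needs), then evaluates a candidate
first-match rule base to see which rules get hits and which never do.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (hypothetical interfaces and addresses).
SAMPLE_LOGS = """\
date=2024-05-06 time=08:01:12 srcip=10.10.1.15 srcport=51234 srcintf="office" dstip=10.20.5.7 dstport=443 dstintf="dmz" proto=6 action=accept policyid=12 sentbyte=1820 rcvdbyte=9410
date=2024-05-06 time=08:01:15 srcip=10.10.1.22 srcport=51240 srcintf="office" dstip=10.20.5.7 dstport=443 dstintf="dmz" proto=6 action=accept policyid=12 sentbyte=2100 rcvdbyte=12000
date=2024-05-06 time=08:02:03 srcip=10.30.9.4 srcport=40001 srcintf="plant" dstip=10.40.2.2 dstport=502 dstintf="scada" proto=6 action=accept policyid=7 sentbyte=640 rcvdbyte=320
date=2024-05-06 time=08:02:40 srcip=10.10.1.15 srcport=51300 srcintf="office" dstip=8.8.8.8 dstport=53 dstintf="wan1" proto=17 action=accept policyid=3 sentbyte=80 rcvdbyte=160
date=2024-05-06 time=08:03:11 srcip=10.10.1.40 srcport=51500 srcintf="office" dstip=10.40.2.2 dstport=502 dstintf="scada" proto=6 action=deny policyid=0 sentbyte=0 rcvdbyte=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """One key=value log line -> dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def flow_links(records):
    """Aggregate accepted sessions per (srcintf, dstintf) with session and
    byte totals. Denied sessions are left out: they are not a flow."""
    links = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for r in records:
        if r.get("action") != "accept":
            continue
        key = (r["srcintf"], r["dstintf"])
        links[key]["sessions"] += 1
        links[key]["bytes"] += int(r["sentbyte"]) + int(r["rcvdbyte"])
    return dict(links)

PROTO_NAMES = {6: "tcp", 17: "udp"}

# Hypothetical candidate rule base: the new, specific rules sit at the top,
# an old catch-all at the bottom, as in the approach described in the text.
CANDIDATE_RULES = [
    {"name": "office-to-dmz-https", "srcintf": "office", "dstintf": "dmz",
     "src": "10.10.0.0/16", "dst": "10.20.5.7/32", "proto": "tcp", "dport": 443},
    {"name": "plant-to-scada-modbus", "srcintf": "plant", "dstintf": "scada",
     "src": "10.30.0.0/16", "dst": "10.40.2.0/24", "proto": "tcp", "dport": 502},
    {"name": "office-dns-out", "srcintf": "office", "dstintf": "wan1",
     "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "proto": "udp", "dport": 53},
    {"name": "old-project-ftp", "srcintf": "office", "dstintf": "dmz",
     "src": "10.10.0.0/16", "dst": "10.20.5.9/32", "proto": "tcp", "dport": 21},
    {"name": "legacy-allow-all", "srcintf": "any", "dstintf": "any",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": "any"},
]

def rule_matches(rule, r):
    """Does one session record fall within the rule's 5-tuple plus interfaces?"""
    proto = PROTO_NAMES.get(int(r["proto"]))
    return (rule["srcintf"] in ("any", r["srcintf"])
            and rule["dstintf"] in ("any", r["dstintf"])
            and ip_address(r["srcip"]) in ip_network(rule["src"])
            and ip_address(r["dstip"]) in ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and (rule["dport"] == "any" or int(r["dstport"]) == rule["dport"]))

def hit_counts(rules, records):
    """First-match evaluation, as a firewall policy table works: each session
    is credited to the first rule it matches. A rule with zero hits after a
    representative window is a candidate for removal; hits on a broad legacy
    rule show which traffic only that rule still lets through."""
    hits = Counter({rule["name"]: 0 for rule in rules})
    for r in records:
        for rule in rules:
            if rule_matches(rule, r):
                hits[rule["name"]] += 1
                break
        else:
            hits["<implicit deny>"] += 1
    return hits

def unused_rules(rules, hits):
    """Rules (in policy order) that matched nothing in the sample."""
    return [rule["name"] for rule in rules if hits[rule["name"]] == 0]

if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for (src, dst), v in sorted(flow_links(records).items()):
        print(f"{src:>8} -> {dst:<8} sessions={v['sessions']} bytes={v['bytes']}")
    hits = hit_counts(CANDIDATE_RULES, records)
    for name, n in hits.items():
        print(f"{name:<24} hits={n}")
    print("unused:", unused_rules(CANDIDATE_RULES, hits))
```

Run over a week of real logs, the interesting outputs are the zero-hit rules (stale entries from finished projects) and the sessions credited to the catch-all at the bottom: here the one session the live firewall denied (office to SCADA on port 502) is the only traffic that reaches "legacy-allow-all", which is exactly the kind of path to review before the old rule is retired.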
After recognizing your situation, we will select an engineer who, during a free consultation, will advise what you can do to strengthen security in the area you are interested in.
Piotr Nejman, Business Development Manager, Grandmetric