Making policy management effective is not an easy task in large enterprise environments. Several factors make effective policy change management difficult in large multi-vendor networks. The first is the multi-vendor environment itself; the second is that written materials are obsolete or missing. On top of these, the number of policies and firewall devices is too high. In this post we take a detailed look at these issues and how to cope with them.

Large enterprises, especially those operating globally, generally have firewall devices from different vendors, with at least two or three vendors present in their networks. The reasons for working with several vendors may include regulations, security policy, local needs or abilities, and procurement strategies. It is a widespread choice and there may be other reasons as well, but we will not deal with them here. Whatever the reason, it makes policy management more challenging. First of all, if you have different firewall vendors in your network, you need to train your employees on each of them or hire new people for your team. There will also be no central management of this equipment, because each vendor has its own central management software. The cost and complexity of central management will increase if you are using central manager software. Finally, standardization may be a problem: different vendors have different capabilities and different approaches, so you may need to define more general use cases or policies that are applicable to every vendor. More specifically, this standardization requires a smaller number of vendors with similar capabilities.

The next issue is written materials and guidelines. Large enterprises may have several different documents or guidelines for their networks, servers, applications and databases. In most cases, however, these materials are obsolete. They are written when a system is first installed or created, and afterwards not all of them are kept up to date. As a result, when a change is needed, the materials may not be sufficient to rely on. For example, suppose a new application server is to be added to an existing server farm. For this server to work correctly, the security policies need to be applied. The application team may not open a ticket for the required policies because they do not know what is needed and there is no written material. In that case the firewall admin has to work out which policies need to be applied, which is not an easy task and requires a lot of effort. Other, similar cases will demand the same kind of effort, and this makes effective policy management even more challenging.

Lastly, in large environments the number of policies and devices is generally high. Any new policy to be applied may need to flow over at least two different firewalls. Also, because the number of policies is high, examining or analyzing the firewalls becomes more difficult. It may take weeks to analyze the policy tables on the firewalls.

To sum up, in large enterprises several factors increase the complexity and challenge of policy change management. It may be a good idea to use an easy-to-use and stable NSPM (network security policy management) solution for effective policy management in a large multi-vendor network.