AlgoSec Closing the Gap Between Application Deployment and Network Firewall Policy
The way that many enterprises are structured, the people that roll out new applications are often not the same people that set or configure network policy. It's a gap that firewall policy vendor AlgoSec is now trying to solve with its BusinessFlow technology.
Modern applications connect to multiple servers and services, and proper network security policies need to be in place.
Avishai Wool, CTO of AlgoSec, explained to EnterpriseNetworkingPlanet that the people who own the business applications use different terminology than typical network security people to define their needs. For example, a business application owner might say that their ecommerce application needs to access a credit card database. In contrast, the network security engineer needs to know IP addresses, ports and protocols so that rules can be put in place for the firewall.
"There is a gap between what the business application owners say and what the network staff think and say," Wool said. "That gap causes configuration mistakes and it slows things down."
As a result, firewall rules end up being written separately from the application, and it's not always clear which rules belong to a given application.
The BusinessFlow technology aims to close that communication gap. Wool explained that BusinessFlow is a system that sits in between network security policy infrastructure and business applications. BusinessFlow acts as a centralized repository that gives an accurate view of application connectivity requirements.
The system doesn't change the firewall and network security policies on specific devices on its own. Rather, it relies on additional technology, which could include AlgoSec's FireFlow firewall policy technology, to implement the changes required to enable new business applications.
From a change impact perspective, BusinessFlow can also be used as a tool to see what the impact is of a given change in hardware or software. For example, if a network security device needs to go offline, the administrator can easily identify all the applications that would be impacted.
Wool noted that most organizations already have firewalls in place with lots of policies.
"We're starting in a situation that is already messy and we have to somehow discover what is already out there, import it into our BusinessFlow system," Wool said. "We're putting a lot of emphasis into various mechanisms for application flow discovery."
The initial plan for how BusinessFlow will handle network discovery is to rely on the existing firewall rules. Wool said that AlgoSec will introduce various intelligent mechanisms that will import some of the firewall rules and then allocate them and organize them into flows for applications.
AlgoSec's technology is delivered in a variety of form factors, including hardware- and software-based appliances that run on Linux. Wool said that getting the BusinessFlow system up and running in an existing environment will involve integration work with whatever existing system an enterprise network might have in place.