Firewall Policy Automation to Keep Moving Faster

Kunal Mahida
Transurban
May 25, 2020

Using automation to get where we want to go as quickly and safely as possible

To support today's ever-evolving world of technology, a network needs to be ubiquitous, responsive and adaptive to ensure it is future ready. New developments in information technology are radically transforming process automation. Firewalls are important elements of enterprise network security. Put simply, a firewall policy defines which traffic a device is permitted to send to, or receive from, other computers, the internet, applications or users; anything the policy does not explicitly allow is blocked. Security policy-based management has evolved from the first security models dating back to the late 1960s to today's more elaborate frameworks, languages and tools.

As one of the world's largest toll-road operators, Transurban operates 18 roads in Australia and North America, with several major projects scheduled to be completed over the next 5 years. Across our road networks in Sydney, Melbourne and Brisbane there is over 700 kilometers of optical fiber, which connects more than 100,000 pieces of technology and underpins 18 safety systems. Our operations are always on: controlled 24 hours a day, 7 days a week, 365 days a year. This requires a network that can reliably and consistently meet evolving requirements while adapting to new technologies such as IoT (Internet of Things) and CAVs (Connected Automated Vehicles). To operate complex and changing networks, Transurban's Network Services team implemented automation that not only delivers faster responses but also provides consistent outcomes.

The Challenge: Firewall automation in a complex highly available environment

To ensure that the speed of network operations meets the needs of business innovation, the team implemented firewall policy automation to accelerate network changes and increase accuracy and effectiveness focusing on:

IT Networks
  • Effort: Given the large network of multi-vendor switches, routers and firewalls across IT (Information Technology) and OT (Operational Technology), manually processing firewall policies was not a viable option to meet our growing business needs.
  • Duration: Each firewall policy change took between 5 to 7 days to implement. Analysing the risk of each request took time and impacted the project schedules.
  • Quality: The other bottleneck in processing changes was manually identifying the target firewalls that blocked connectivity and then designing a change that would open the requested access.

We needed to increase operational efficiency and accuracy in an automated fashion to decrease the cycle time of implementing changes.

Accurate network topology is essential for trusted automation

Transurban partnered with Tufin and selected the Tufin Orchestration Suite™ to automate the network change process from submission to implementation. We commenced by deploying a base policy that represents what can talk to what and who can talk to whom across different networks.

Our next step was pulling routing information into Tufin and visualising an accurate topology map of the network. The topology map allows a quick and easy analysis of network traffic prior to a change being implemented along with identifying firewalls that need to be re-configured. We were able to automate this step, saving even more time for the teams by not just finding the right firewalls, but by closing access requests which were already implemented and did not require any further processing.

Automating the heavy lifting: Design, Implementation and Verification

The next steps involved designing and implementing the change across the different firewalls. Tufin SecureChange provided automated design and provisioning for Palo Alto Networks and Check Point firewalls from a central console, with consistent and comprehensive documentation of who made the changes, when and why (justification). Automated verification was implemented in order to ensure that the change implemented matches the initial access request. Verification helped eliminate errors and misconfiguration and increased customer satisfaction.
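The two steps described above, topology-driven path analysis (find the firewalls between source and destination, and close requests that are already permitted) followed by provisioning and automated verification, as an added worked example in Python. This is not Transurban's or Tufin's code; the zones, firewalls, rulebases, the least-privilege /32 rule that gets provisioned and the "neighbouring flow" verification check are all constructed assumptions for illustration.

```python
"""Toy model of topology-driven firewall change analysis (constructed example)."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field

# Constructed sample network: three zones joined by two firewalls in a chain.
ZONES = {
    "corp": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ot": ipaddress.ip_network("10.3.0.0/16"),
}
# Topology (the "routing information"): each firewall joins exactly two zones.
LINKS = [("fw-edge-1", "corp", "dmz"), ("fw-ot-1", "dmz", "ot")]


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    port: int     # destination port


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high)

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.ports[0] <= f.port <= self.ports[1])


@dataclass
class Firewall:
    name: str
    rules: list = field(default_factory=list)

    def decision(self, f: Flow) -> str:
        """First-match rulebase with an implicit final deny."""
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "deny"


# Constructed rulebases: the edge firewall only allows HTTPS corp->dmz,
# the OT firewall only allows one DMZ host to speak Modbus/TCP into OT.
FIREWALLS = {
    "fw-edge-1": Firewall("fw-edge-1", [Rule("allow", "10.1.0.0/16", "10.2.0.0/24", "tcp", (443, 443))]),
    "fw-ot-1": Firewall("fw-ot-1", [Rule("allow", "10.2.0.10/32", "10.3.0.0/16", "tcp", (502, 502))]),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known zone")


def firewalls_on_path(f: Flow) -> list:
    """BFS over the zone graph; returns the firewalls a packet from src to dst traverses."""
    adj = {}
    for fw, a, b in LINKS:
        adj.setdefault(a, []).append((b, fw))
        adj.setdefault(b, []).append((a, fw))
    start, goal = zone_of(f.src), zone_of(f.dst)
    if start == goal:
        return []  # intra-zone traffic never crosses a firewall in this model
    seen, queue = {start}, deque([(start, [])])
    while queue:
        zone, path = queue.popleft()
        for nxt, fw in adj.get(zone, []):
            if nxt == goal:
                return path + [fw]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [fw]))
    raise ValueError(f"no route from {start} to {goal}")


def analyse(f: Flow) -> dict:
    """Classify a request: close it if already permitted, else name the firewalls to change."""
    path = firewalls_on_path(f)
    blocking = [fw for fw in path if FIREWALLS[fw].decision(f) != "allow"]
    status = "already-permitted" if not blocking else "change-required"
    return {"path": path, "blocking": blocking, "status": status}


def implement(f: Flow, blocking: list) -> None:
    """Provision a least-privilege host-to-host rule on each blocking firewall, ahead of any deny."""
    for fw in blocking:
        FIREWALLS[fw].rules.insert(0, Rule("allow", f.src + "/32", f.dst + "/32", f.proto, (f.port, f.port)))


def process_request(f: Flow) -> dict:
    """Full cycle: analyse -> (implement -> verify). Verification checks that the requested
    flow now passes AND that a neighbouring, unrequested port is treated exactly as before,
    which catches over-broad rules (e.g. "any" service) that would still satisfy the request."""
    result = analyse(f)
    if result["status"] == "already-permitted":
        result["verified"] = True  # nothing to provision; the request can be closed
        return result
    sibling = Flow(f.src, f.dst, f.proto, f.port + 1 if f.port < 65535 else f.port - 1)
    sibling_before = analyse(sibling)["blocking"]
    implement(f, result["blocking"])
    result["verified"] = (analyse(f)["status"] == "already-permitted"
                          and analyse(sibling)["blocking"] == sibling_before)
    return result


if __name__ == "__main__":
    print(analyse(Flow("10.1.5.20", "10.2.0.5", "tcp", 443)))   # already permitted: close it
    print(process_request(Flow("10.1.5.20", "10.3.1.7", "tcp", 502)))  # change on both firewalls
```

The first request in the demo is already allowed by the edge firewall, so the analysis closes it without touching any device; the second crosses both firewalls and is blocked by each, so both get a host-to-host rule and the post-change check confirms only the requested flow was opened. A real deployment would pull the zone map from routing tables and the rulebases from the firewalls rather than from constants, but the analyse / implement / verify split is the same.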

Final step: Self service

At this point, we decided to also automate the submission of change requests from ServiceNow, the self-service portal our employees use.

Firewall policy flow
  • Effort & Duration: Since we integrated with ServiceNow, we have experienced ongoing duration and effort reductions of typical change requests. Network changes are now routed to SecureChange for processing with notification back to ServiceNow and the submitter.
  • Quality: Automated verification uplifted the capability to detect errors and misconfiguration.

We achieved an automated process for implementing firewall changes end-to-end: from submission to implementation and verification.

With the cycle time for a typical change request reduced to a few hours, Transurban was able to improve network visibility, agility and efficiency while maintaining control and security. Not only does Transurban benefit from faster and more agile change processes, it has also removed mundane and potentially error-prone manual work, which lets our talent focus on more strategic and valuable operational output.

Process workflow

Just like our toll roads, automation has enabled us to get where we want to go as quickly and safely as possible.


Kunal Mahida
Transurban

Kunal is the Head of Network Services at Transurban and is responsible for the strategy, design, delivery and operations of all IT and OT networks.