It’s often said that “complexity is the enemy of security,” and it is true in many ways. If a security product is too complex to manage, it slows down your investigations, which slows down your ability to detect and stop threats; naturally, you gravitate toward an easier-to-use product. If your security policies are too complex or convoluted, they can open up avenues of attack (weak spots) for cybercriminals to exploit.
As a network administrator, managing your security policies is not fun. It is complex and time-consuming, especially when your network has multiple firewalls deployed across many locations. Identifying your duplicate, inconsistent, or shadow policies (rules that can never match because an earlier rule already covers their traffic) is difficult. Your rulesets have become massive and unruly. You have policies stacked on policies because you (and your predecessors) didn’t want to disturb the status quo, fearing that any change could inadvertently weaken your defenses. Want to migrate policies to newly deployed firewalls? Grab the aspirin and cancel your weekend plans – this tedious process will take a while.
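To make the duplicate and shadow problem concrete, here is an added example (not CDO’s code and not from Los Rios) that audits a small, constructed first-match ruleset. A rule is a duplicate when an earlier rule has identical match criteria, and it is shadowed when an earlier rule already covers every packet it could match; the audit also flags the dangerous case where the shadowed rule’s action differs from the rule hiding it, because that means an intended deny never takes effect. Rule names, addresses and ports are all made up for the example.

```python
"""Audit a first-match firewall ruleset for duplicate and shadowed rules.

Constructed example: the rules below are invented for illustration and the
matching model is simplified (protocol, source/destination IPv4 CIDR and an
inclusive destination port range). Real firewall rule languages carry more
fields, but the top-down, first-match-wins logic is the same.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    ports: Tuple[int, int]    # inclusive destination port range


def _net(cidr: str) -> IPv4Network:
    # strict=False lets a host address like 10.1.2.5/24 be given directly
    return ip_network(cidr, strict=False)


def same_match(a: Rule, b: Rule) -> bool:
    """True if both rules match exactly the same set of packets."""
    return (a.proto == b.proto and _net(a.src) == _net(b.src)
            and _net(a.dst) == _net(b.dst) and a.ports == b.ports)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = _net(inner.src).subnet_of(_net(outer.src))
    dst_ok = _net(inner.dst).subnet_of(_net(outer.dst))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def audit(rules: List[Rule]):
    """Return (duplicates, shadowed).

    duplicates: list of (later_rule, earlier_rule) with identical criteria.
    shadowed:   list of (later_rule, earlier_rule, action_conflict) where the
                later rule can never fire because the earlier one covers it;
                action_conflict is True when the two rules disagree, i.e. the
                later rule's intent is silently lost.
    """
    duplicates, shadowed = [], []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:          # only rules above can hide this one
            if same_match(earlier, rule):
                duplicates.append((rule.name, earlier.name))
                break
            if covers(earlier, rule):
                shadowed.append((rule.name, earlier.name,
                                 earlier.action != rule.action))
                break
    return duplicates, shadowed


# Constructed ruleset: R2 is shadowed by the broader R1 (and flips the
# action, so the intended block never applies); R4 duplicates R3.
RULES = [
    Rule("R1", "permit", "tcp", "10.0.0.0/8",     "192.168.10.0/24", (443, 443)),
    Rule("R2", "deny",   "tcp", "10.1.2.0/24",    "192.168.10.5/32", (443, 443)),
    Rule("R3", "permit", "udp", "10.0.0.0/16",    "192.168.20.0/24", (53, 53)),
    Rule("R4", "permit", "udp", "10.0.0.0/16",    "192.168.20.0/24", (53, 53)),
    Rule("R5", "permit", "tcp", "172.16.0.0/12",  "192.168.30.0/24", (22, 22)),
]


def report(rules: List[Rule]) -> List[str]:
    """Human-readable findings, one line per problem rule."""
    duplicates, shadowed = audit(rules)
    lines = [f"DUPLICATE  {later} repeats {earlier}" for later, earlier in duplicates]
    for later, earlier, conflict in shadowed:
        severity = "CONFLICT " if conflict else "redundant"
        lines.append(f"SHADOWED   {later} hidden by {earlier} ({severity})")
    return lines


if __name__ == "__main__":
    for line in report(RULES):
        print(line)
```

Running the script lists R4 as a duplicate of R3 and R2 as shadowed by R1 with an action conflict; R5 is clean. The same pairwise check scales to a merged ruleset pulled from several firewalls, which is where hand auditing becomes impractical.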
The IT team at Los Rios Community College District faced similar challenges. With 17 firewalls deployed across 4 colleges and 6 outreach centers spanning a 2400 square mile service area, security policy management was no walk in the park. “It was a full-time job managing all of our firewalls,” says Mike Muzinich, Senior IT Network Administrator for Los Rios Community College District. “We had a lot of groups shared among our firewalls, so if we wanted to stand up a new admin network, that means we’d have to drop in about 4 or 5 groups into each firewall individually. That takes a lot of time. Even straightforward tasks like making changes to access policies were not easy.”
“Things that take 10 minutes in CDO take a day or more without it.” – Mike Muzinich, Senior IT Network Administrator for Los Rios Community College District
But with Cisco Defense Orchestrator (CDO), a centralized tool for managing Cisco firewalls, Los Rios changed the game:
- Building firewalls became easier. “The time it took to build firewalls was dramatically reduced. With CDO, I can build a firewall from scratch in 4 hours. Without CDO, it takes 2 – 3 days per firewall,” says Mike.
- Management became easier. “Things that take 10 minutes in CDO take a day or more without it,” says Mike.
- Policy auditing became easier. “CDO is the only tool I know of that can audit objects across firewalls,” says Mike. “You can see the duplicate entries in CDO, then resolve them… Without CDO, we don’t have that visibility.”
- Money was saved. “In terms of cost savings, I estimate the personnel costs of managing the firewalls without CDO would be at least 4 times the cost of using CDO,” says Mike.
Like what you see? Try our free 30-day trial of Cisco Defense Orchestrator to simplify security policy management across your Cisco ASA platforms.