The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


BETTER MANAGEMENT FOR NETWORK SECURITY

Contributed by Solsoft, Inc.

 

 

Executive Summary

Today, information security is one of the highest priorities on the IT agenda. Along with firewalls and anti-virus software, sophisticated technologies are being introduced to monitor network events and inform administrators in real-time about what is going on in their network. Despite all these investments and growing awareness, the number of network security breaches continues to soar.

At Solsoft, we believe that enterprises need better management solutions allowing them to take control of their network security. They will then be able to implement preventive security and quickly respond to cyber attacks. Through a unique policy-based and multi-vendor approach, Solsoft Policy Server enables enterprises to proactively manage their security policies, while leveraging their existing network investments—and offers three essential benefits:

  • Centralized response to network events and attacks.

  • Consistent, end-to-end, network security.

  • Lower cost of ongoing security maintenance.

This white paper explores the business and technical issues underpinning the maintenance of a global network security infrastructure, and how Solsoft’s feature-rich solutions and sound security principles offer the means to effectively and durably resolve them.

Introduction

SECURING THE IP NETWORK WILL PROTECT THE ENTERPRISE ASSETS

In the last 10 years, the Internet and corporate Intranets have become established globally as the predominant network infrastructure within enterprises. Today, the IP network is used around the world as a key enabler for doing business. It provides the best infrastructure to efficiently communicate, reach customers, suppliers, and business partners. The future will be a world where more and more critical processes will depend on IP technologies with applications such as Voice Over IP, new GPRS Mobile networks in telecommunications or Application Service Providers for Customer Relationship Management. Corporations are becoming more dependent on the IP network over time and it has become the preferred way of accessing critical systems, financial circuits and intellectual assets. Thus, IP network security has become a critical concern in enterprises large and small.

Despite large investments, the number of network security threats is still increasing

In 2003, for the first time ever, security spending is expected to surpass 5% of IT budgets, and to reach almost 6% of the US Federal Government IT budget. Despite these numbers, there have been almost as many Internet security incidents in the first six months of 2003 as there were in all of 2002 (76,404 vs. 82,094, according to the CERT Coordination Center at the Software Engineering Institute, Carnegie Mellon University). There are well-known reasons for this:

• New business requirements are making it more difficult to secure the enterprise’s assets. As new security devices are put in place in enterprise networks, managing them becomes harder. Industry analysts such as the Burton Group are talking about "the disappearing perimeter", leading to increasing difficulty securing the inside from the outside.

• Software packages and operating systems are becoming extremely complex and feature rich. As security issues are addressed, they require keeping up with patches, a daunting task at large enterprises as well as for home users.

• New types of technologies such as Peer-to-Peer, Instant messaging, and Video Conferencing involve complex networking techniques that can be difficult to control.

• Finally, IT teams tend to do more with less; in the absence of adequate management tools, mundane security chores such as managing device ports may quickly be considered a low priority.

These trends will continue; more networking technology will be used by corporations and new investments will be made in areas such as Wireless, Voice over IP and IP-based business models.

In this context, only breakthrough technology can ensure network and security administrators alike will keep control of their security inside and outside the Enterprise.

Comprehensive Network Security Management is the right response

Two types of strategies concur in protecting the Enterprise IT infrastructure: application security and network security.

Application security embeds security mechanisms in the applications that run over the network. Products such as digital identities (Digital Certificates and Tokens) as well as traditional password access are the most common types of application security. They have their own Policy Decision Point (PDP), generally based on a directory (LDAP or other), Single-Sign-On technology, as well as an authentication server.

Network security leverages devices that make up the network, such as routers, switches, firewalls, and VPN devices. The network is secured by ensuring that the enterprise stays connected with the outside world, and that servers, applications, and end user resources can be reached and accessed. This is also true within the internal network where sensitive subnets such as Human Resources and Finance need to be controlled. Putting together intelligent Perimeter control from external and internal resources is paramount for three reasons:

(i) Internal attacks are 31% of attacks according to the CSI/FBI study in 2001.

(ii) A number of attack techniques rely on proxying from internal resources inside the network. The goal is to connect to resources as if you were coming from the inside to gain access to more information.

(iii) If the External Perimeter security is breached, the network becomes wide open unless multiple security zones have been defined and configured. Application security becomes the last defence and is often easy to breach.

Both application and network security are critical, the former being of little value without the latter. For example, the CSI/FBI 2001 Computer Crime and Security Survey found that the most serious financial losses occurred through theft of proprietary information (34 respondents reported a total loss of $151.2 million) and financial fraud (21 respondents reported a total loss of $93 million). These kinds of security breaches would have been impossible had a solid IP security policy been thoroughly implemented. The two strategies have to work together, such as when User authentication is used at the VPN and firewall level.

In the network itself, the challenge is to coordinate the work of many different hardware solutions. The goal is to let critical business systems perform while having a safe and efficient network. At Solsoft, we have put together a unique team of network security experts; our objective is to deliver enterprise-class software offering a comprehensive approach to network security management. Large organizations have large and complex networks. They need to constantly adapt their network security and modify device level configurations based on business requirements. They adjust their rules after auditing the network through vulnerability assessment tools and external consultant reviews. They also get security information from systems that can potentially push automated remedies to the network infrastructure, whether they are virus detection systems or SIM (Security Information Management). Our goal is to provide a management solution keeping network security under control no matter what device technologies are used. We want to help IT organizations tighten security with fast and organized responses to threats, making sure they can reduce exposure to risk.

From policy design and adjustment to response, at the center of Network Security Management

Based on proven security principles, Solsoft Policy Server is designed to reduce the time required to deploy security policies and update them after deployment, make network security more reliable, and lower the total cost required to manage multi-vendor network security. Using policy based management, it enables a collaborative approach between business entities and the I.T. organization. Built with interoperability in mind, Solsoft Policy Server can be operational in a matter of weeks and can be deployed within a production environment thanks to powerful import and migration utilities.

Features & Benefits

Solsoft Policy Server offers a breakthrough approach to network security. With the unique ability of its client, Solsoft Security Designer, to design and apply policy on a "virtual network" without constraints from device brands and capabilities, Solsoft Policy Server can generate optimal configuration for network devices and create complete and consistent network security in large and complex multi-device and multi-vendor networks. Once designed, policies are easily modified and maintained, eliminating the need to use many different error-prone tools and manual configuration to achieve Perimeter and internal security.

The main features of Solsoft Policy Server and its Solsoft Security Designer include:

Rock-solid security principles

  • Deny-all-permit-some approach

  • Policy-based management

Security enforcement

  • Firewall management

  • NAT support

  • VPN implementation

  • Strong auditing and review capabilities

A solution to make networks operational

  • Powerful collaboration

  • Policy versioning

  • Deployment services

Open Network Security

  • Technology Packs for all major security device vendors

  • Web Service API for interoperability

  • Device SDK for fast support of new security technologies

  • Import and migration

This global approach has a number of key benefits:

Security—Solsoft Policy Server’s underlying principles make security consistent from end to end, a result that cannot be achieved on large or complex networks using traditional "manual" methods. In all cases, devices will be configured appropriately according to predefined rules.

Usability—Policies are closer to the human administrator than device configurations, and therefore easier to manipulate and implement. Business users are thus able to understand and participate in the security design.

Scalability—Since the applied rules are the same whether you have one device or a thousand, the system ensures policy is enforced across the network without human intervention. This is true as policies become complex over time and the number of rules multiplies. The system takes clustering and network paths into account as the network supports more business systems.

Agility and maintainability—Having a consistent view of the security policies implemented in the network can make changes and evolutions much easier, whether this is due to a business requirement or a technology evolution. Complex network changes can be done in a matter of minutes, whether one or a hundred devices need to be reconfigured.

Auditing—The centralized repository upon which policy-based management needs to be built provides all the right information in one place from which you can audit the quality and efficiency of current, past, and future security policies across the enterprise network. 

Lower costs—Having only one management system for all security devices brings lower costs:

  • Sound security principles make the enterprise much more resistant to attacks and therefore less exposed to risk.

  • Automation of most manual processes in configuration brings speed of deployment, change, and maintenance.

  • Multi-vendor support provides the ability to pick the best security platform available for the price, regardless of team expertise.

  • Ease of audit and reporting makes control and compliance more affordable, as all security rules are stored in a centralized repository, where they can be accessed and recalled at all times.

ROCK-SOLID SECURITY PRINCIPLES

DENY-ALL-PERMIT-SOME APPROACH

The basic principle underlying Solsoft's approach to network security is simple and powerful: everything that is not explicitly authorized is automatically denied. Every defined authorization is therefore a calculated risk that leaves little room for the unknown. With this sound principle, users of Solsoft solutions are protected by default against most vulnerabilities and attacks such as the recent Blaster Worm, Cisco IOS vulnerability, SQL Slammer, and other programs taking advantage of exotic ports that have no business being used in the first place.

"Denying all" by default implies defining a carefully thought-out security policy and requires centralized management—otherwise the process will be time-consuming, error-prone, and might even be counter-productive on larger networks, where the number of devices and users might make the maintenance of tight policies completely impossible. It also requires a policy-based solution that will establish a number of global rules that can be enforced and controlled proactively.

POLICY-BASED SECURITY MANAGEMENT

Unlike point-to-point management where security devices are configured one by one across the network to attain the right security level, policy-based management closely follows business practices and requirements by establishing rules and relations between network entities such as users or networks. For example, you can define that your foreign subsidiary connected through a VPN tunnel is only trusted to access a limited number of applications. Policies can become global rules and be propagated across devices independently of brand or function. Administrators do not need to know the specific language of each particular brand of equipment in order to set security rules according to business practices.

Coordinating device configuration makes networks more secure

Written or visual policies are closer to the human administrator than device configurations, and therefore easier to manipulate and implement; business users generally understand them and give input. It is a fairly simple policy to decide to stop all users from using Public Instant Messaging; implementing that rule can become much more complicated. In a policy-based system, this rule is readily available and the implementation is seamless — the rule being the same whether you have one device or hundreds of them from different brands. The system will ensure the rule is enforced without human intervention on each device across the network.

ENFORCING SECURITY ACROSS ALL NETWORK DEVICES

FIREWALL AND PACKET FILTERING DEVICES MANAGEMENT

Network and security administrators know that firewalls, routers and switches aren't enough to ensure security. If improperly configured, they can leave an enterprise unknowingly vulnerable to outside attacks. To be effective, IP security policies must be carefully and comprehensively deployed on all security devices across the network. Rule creation and maintenance can be a prohibitively tedious task for administrators of large networks, especially when multiple brands of devices are involved. Over time, the number of rules (by thousands) and devices (by hundreds) becomes a burden, leaving room for human errors. Other factors such as cluster set-up and firewalls supporting Virtual systems can also render management complex.

Solving this problem requires automation and staying away from device-to-device management.

Security devices, routers and switches have their own filter programming language; when done manually, the generating process for one filter is costly and requires experts at writing device-specific filtering language. Moreover, the design of filters is a tedious and error-prone process, which requires constant evaluation of rule impact and precedence. When more than a few hundred rules are in place, the risk of errors rises.

Part of Solsoft Policy Server's strength is its rule generation engine. Based upon a policy description language called Network Policy Language (NPL), it is completely independent from hardware configuration or network topology (brand of filtering device, internal topology of a domain…). The NPL is a fully documented, high-level code that summarizes in a few lines the complex security and VPN policy that has been visually defined using Solsoft's Security Designer.

This code is simultaneously processed by Solsoft’s compiler and transformed into optimized device-specific commands. 

EXAMPLE:

The policy of a bank describing a secured VPN between 8 branches and 1 headquarters' redundant site, including 10 firewalls in total upon which 46 protocols or services need to be configured, will result, using Solsoft Policy Server, in an NPL containing 170 global rules and 230 objects. This 170-line NPL will, in turn, translate into 7,000 lines of device-specific commands for the headquarters' firewall alone (amounting to a 745 Kb configuration), and into 600 to 1,800 lines of device-specific commands for each branch office firewall. The total compilation time in Solsoft will be less than 1 minute, regardless of the brands or types of target devices.
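The deny-all-permit-some principle and the compile step described above can be illustrated with a small added example; it is not Solsoft's NPL or compiler. The policy format, object names and addresses are constructed, and the output uses standard iptables and Cisco IOS extended ACL syntax.

```python
import ipaddress

# Constructed vendor-neutral policy (hypothetical format, not Solsoft NPL).
# Objects and services are named once; rules reference names only.
OBJECTS = {
    "branch_lan": "10.20.0.0/24",
    "hq_web": "192.0.2.10/32",
    "hq_mail": "192.0.2.25/32",
}
SERVICES = {"https": ("tcp", 443), "smtp": ("tcp", 25), "dns": ("udp", 53)}

# Permit rules only: (source object, destination object, service).
# Anything not listed here is denied on every device.
POLICY = [
    ("branch_lan", "hq_web", "https"),
    ("branch_lan", "hq_mail", "smtp"),
]


def resolve(policy, objects=OBJECTS, services=SERVICES):
    """Expand names into (src_net, dst_net, proto, port) tuples.

    Fails closed: an unknown object or service aborts the whole compile
    instead of silently emitting a partial or wider rule set.
    """
    flows = []
    for src, dst, svc in policy:
        for name in (src, dst):
            if name not in objects:
                raise ValueError(f"unknown object {name!r}: refusing to compile")
        if svc not in services:
            raise ValueError(f"unknown service {svc!r}: refusing to compile")
        proto, port = services[svc]
        flows.append((ipaddress.ip_network(objects[src]),
                      ipaddress.ip_network(objects[dst]), proto, port))
    return flows


def compile_iptables(policy):
    """Linux netfilter: default policy DROP, then one ACCEPT per permitted flow."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in resolve(policy):
        lines.append(f"iptables -A FORWARD -s {src} -d {dst} -p {proto} "
                     f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return lines


def _ios_addr(net):
    """Cisco IOS ACLs take 'host A' or 'network wildcard-mask', not CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def compile_ios_acl(policy, name="POLICY_IN"):
    """Cisco IOS extended ACL with an explicit, logged final deny.

    The ACL is stateless, so return traffic needs its own handling on the
    device; that part is outside this example.
    """
    lines = [f"ip access-list extended {name}"]
    for src, dst, proto, port in resolve(policy):
        lines.append(f" permit {proto} {_ios_addr(src)} {_ios_addr(dst)} eq {port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    # Same two-rule policy, two device dialects.
    print("\n".join(compile_iptables(POLICY)))
    print("\n".join(compile_ios_acl(POLICY)))
```

The same two permit rules produce both device configurations, and in each the deny is structural (chain policy or final ACL entry) rather than something an administrator has to remember per device.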

Solsoft Policy Server automates the generation of optimal configurations for network devices; it creates complete and consistent network security in large and complex multi-device and multi-vendor networks. Security is strengthened by:

Visual definition and automatic filter generation—Filters are generated in the native language of the target device, based on the defined network paths. Filters are enhanced for performance; by default, they are set to support authentication and time based algorithms.

Anti-spoofing—Accurate, error-proof anti-spoofing rules are automatically calculated for the entire network, and enforced across all devices.

NAT, PAT and IP address sharing support—Supported NAT rules include: source address, static, pool, PAT and masquerading.

Fail-safe path-checking—This built-in verification mechanism prevents locking security devices outside the scope of management.

Quick and simple deployment through visual configuration of firewalls.

MANAGING NAT

Because of the limited number of IP addresses available on the Internet and sometimes for added security (hiding real internal addresses), most enterprises create "internal" private addresses, which are then managed by a network security device allowing communication with the outside world. Usually, NAT rules are configured using each device's management or command line interface. This is further complicated by the need to make the rules compatible with firewall and VPN rules co-existing on the same device. Some companies even use the concept of "double natting". Once they are set, these rules have to be taken into account in all security policies.

Solsoft Policy Server resolves this complexity by allowing administrators to visually define and maintain NAT policies for all devices at once, using the same management interface as the one used for firewall and VPN policies. Users work with segmented views for NAT, VPN, or firewall policies, and can combine two or more policies in a single view. Generated NAT rules are error free and seamlessly integrated. An advanced checking mechanism ensures policies do not conflict, and that the generated configurations will exactly reflect what was visually defined.

Supported forms of NAT include: Static, Port Address Translation (PAT), Pool, Port-forwarding, Masquerading, Source NAT, and Destination NAT. Solsoft Policy Server always verifies that firewall and VPN rules are fully consistent with the defined NAT rules.

IMPLEMENTING VIRTUAL PRIVATE NETWORKS

The promise of VPN technology is to leverage the Internet to create cheaper and faster access to internal networks, enabling remote workers, subsidiaries, and business partners to share systems and information, no matter what their size and location. Until now, it has been a major challenge to weave Virtual Private Networks (VPN) into a global security infrastructure and make the technology compatible with other types of security devices. By definition, these connections to corporate I.T. can become the weakest link; they need to be controlled and associated with security policies. The challenge is to configure multiple VPN tunnels from a centralized location, and achieve end-to-end security by providing simultaneous management of router, firewall, and VPN security policies from a single application. Often, full interoperability with multiple brands and types of devices is also of concern, particularly in cases when equipment vendors have already been chosen.

VPNs come in different flavors:

Client-to-gateway VPNs facilitate fast access for remote workers directly from their computers, linking them to the corporate network through broadband ADSL or Cable Modem connections. These networks require a seamless integration between application security and network security as well as support for specific features such as Dynamic IP addresses.

Site-to-site VPNs, where peer devices are configured to create a tunnel between different sites, are useful in industries where locations are numerous (retail, education, banking, healthcare, etc.). Meshed networks inter-connect all locations within the global network. These can quickly become complex to configure, as a full mesh of N locations requires N × (N − 1) / 2 tunnels. For example, a fully meshed Virtual Private Network between 20 locations will require 190 tunnels. Sometimes, in partially meshed networks, only a few locations are linked to each other, or some connections are only used as backups; in all cases, configuration is complex and time-consuming.

Management cost is often a roadblock to deployment. Solsoft is the first to provide a vendor-neutral policy management solution for both VPNs and firewalls, solving complex management, interoperability, and deployment issues. This is a significant breakthrough in the way to configure, manage, and deploy IPSec VPNs and ensure interoperability between different brands of VPN devices. It slashes costs by eliminating most of the manual chores related to the configuration process.

Solsoft Policy Server VPN features include:

Visual definition of IPSec VPN tunnels—Despite the complexity of IPsec parameters often making set-up difficult, our interface proposes simple "selectable" tunnel types allowing for simple drag and drop VPNs, including meshed configurations.

Automatic configuration of site-to-site IPSec VPNs in heterogeneous environments — By automating the generation of pre-shared keys and pre-configured VPN tunnel definitions, Solsoft Policy Server eliminates the need to view complex IPSec parameters, unless necessary.

Automatic generation of ACLs and NAT rules for site-to-site VPNs—The integrated approach to security allows for mixing and matching of ACL, NAT, and VPN rules, resulting in a combined network-wide security policy. 

Automatic management of pre-shared keys—Pre-shared keys can be automatically regenerated on an as-needed basis, reducing risks of compromising the keys. 

PKI ready VPN—Simple support of PKI infrastructure when provisioning new devices.

Interoperability—Solsoft supports multi-vendor, multi-brand devices, and can therefore deploy tunnels within heterogeneous networks.

Automatic provisioning and deployment—Once VPNs are defined and designed, Solsoft Policy Server automatically calculates and uploads the generated rules to the VPN appliances, thus eliminating error-prone, manual tasks.
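The full-mesh tunnel count and the automatic generation and regeneration of pre-shared keys described above, as an added example that is not Solsoft's implementation. Site names are constructed; keys come from Python's secrets module and are held in memory only.

```python
import itertools
import secrets

# Constructed site list: 20 locations, matching the figure quoted in the text.
SITES = [f"site{n:02d}" for n in range(1, 21)]


def full_mesh(sites):
    """Every unordered pair of sites is one tunnel: N * (N - 1) / 2 in total."""
    return list(itertools.combinations(sorted(sites), 2))


def hub_and_spoke(hub, sites):
    """Partial mesh for comparison: only N - 1 tunnels, all ending at the hub."""
    return [(hub, s) for s in sorted(sites) if s != hub]


def provision(tunnels, key_bytes=32):
    """Assign an independent random pre-shared key to each tunnel.

    Returns the per-site view {site: {peer: psk}} that would be pushed to
    each device. A key is shared by exactly two endpoints, so a leaked key
    exposes one tunnel rather than the whole mesh.
    """
    per_site = {}
    for a, b in tunnels:
        psk = secrets.token_hex(key_bytes)
        per_site.setdefault(a, {})[b] = psk
        per_site.setdefault(b, {})[a] = psk
    return per_site


def rotate(per_site, a, b, key_bytes=32):
    """Regenerate the key of a single tunnel and update both endpoints together."""
    if b not in per_site.get(a, {}) or a not in per_site.get(b, {}):
        raise KeyError(f"no tunnel defined between {a} and {b}")
    psk = secrets.token_hex(key_bytes)
    per_site[a][b] = psk
    per_site[b][a] = psk
    return psk


def distinct_keys(per_site):
    """Number of different keys in use across the whole deployment."""
    return len({psk for peers in per_site.values() for psk in peers.values()})


if __name__ == "__main__":
    mesh = full_mesh(SITES)
    config = provision(mesh)
    print(len(mesh), "tunnels,", distinct_keys(config), "keys,",
          len(config["site01"]), "peers per site")
```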

AUDITING

As long as your network runs, and no breach is found, you might wonder why you need auditing. Unless you have a specific reporting tool, putting together a network policy audit is a lengthy and difficult process. It requires time from Network engineers and consultants going through pages of complex ACLs. But suddenly, new worms and viruses are announced; a security patch must be pushed to your infrastructure, your IDS solution is raising alerts, and you realize that your network is not as secure as you thought. You are in dire need of information. What exact flows get to a subnet? Is HTTP allowed to this server? Can H323 (NetMeeting) flow between your subsidiaries? These questions are hard to answer when networks are heterogeneous or complex — and yet, they require an immediate answer when the network is under attack.

Using Solsoft Policy Server, you have total control: all security rules are enforced from the same server, whose repository contains all the information needed to get fast answers. Solsoft's unique technology can instantaneously generate comprehensive policy audit reports on any given network object (be it an IP address, a device, a server or whole networks) or policy flow. Reports can be established for any version of a given policy, past, current, or under deployment. The audit consists of a comprehensive gathering of all the policies described for the particular object.

Network constraints, such as NAT and path restriction configuration, are automatically taken into account. Administrators get a detailed report and know exactly what is allowed in the policy for the object throughout the entire network. This feature also gives immediate troubleshooting hints when something goes wrong, and helps verify and discover potential vulnerabilities. You can find out in minutes whether fast action is needed, and instantly correct and update your policies using Solsoft Security Designer; thus, you will never be taken by surprise and forced, under fire, to make large impact decisions that may have disruptive consequences, such as patching all servers in a hurry.
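The audit questions raised above (which flows reach a subnet, is HTTP allowed to a server, can H.323 pass between sites) become simple queries once all permit rules sit in one repository. The following is an added example, not Solsoft's report engine; the rules and addresses are constructed, and NAT and path restrictions are not modelled.

```python
import ipaddress

# Constructed central repository of permit rules; anything else is denied.
# Port 1720/tcp is H.323 call signalling.
RULES = [
    {"id": 1, "src": "10.20.0.0/24", "dst": "192.0.2.10/32", "proto": "tcp", "port": 443},
    {"id": 2, "src": "10.20.0.0/24", "dst": "192.0.2.25/32", "proto": "tcp", "port": 25},
    {"id": 3, "src": "10.30.0.0/16", "dst": "192.0.2.0/24", "proto": "tcp", "port": 80},
    {"id": 4, "src": "10.30.0.0/16", "dst": "10.20.0.0/24", "proto": "tcp", "port": 1720},
]


def is_allowed(src_ip, dst_ip, proto, port, rules=RULES):
    """Return the id of the rule permitting this flow, or None (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and proto == rule["proto"] and port == rule["port"]):
            return rule["id"]
    return None


def flows_to(target, rules=RULES):
    """All rules whose destination overlaps a host or subnet.

    Overlap, not equality: a /24 rule also exposes every host inside it,
    which is the case that is easy to miss when reading ACLs by hand.
    """
    net = ipaddress.ip_network(target)
    return [r for r in rules if ipaddress.ip_network(r["dst"]).overlaps(net)]


def who_can_reach(dst_ip, proto, port, rules=RULES):
    """Source networks permitted to reach one server on one service."""
    dst = ipaddress.ip_address(dst_ip)
    return [r["src"] for r in rules
            if dst in ipaddress.ip_network(r["dst"])
            and proto == r["proto"] and port == r["port"]]


if __name__ == "__main__":
    # "What exact flows get to a subnet?"
    print([r["id"] for r in flows_to("192.0.2.0/24")])
    # "Is HTTP allowed to this server?"
    print(who_can_reach("192.0.2.10", "tcp", 80))
    # "Can H.323 flow between subsidiaries?" Checked in both directions.
    print(is_allowed("10.30.1.1", "10.20.0.9", "tcp", 1720),
          is_allowed("10.20.0.9", "10.30.1.1", "tcp", 1720))
```

Rule 3 is the kind of finding such a report surfaces: the web server at 192.0.2.10 has no HTTP rule of its own, yet it is reachable on port 80 because a broader subnet rule covers it.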

Introducing Team Work in Network Security

ROLE-BASED PROJECT MANAGEMENT

Implementing security policies across the enterprise requires extensive collaboration between business and network experts and their security analyst counterparts. Solsoft Policy Server is designed to store an unlimited number of policies and user profiles, and allows multiple groups of users to work together on policy design, maintenance and deployment. Combining network policy versioning and visual management of NAT, VPN and firewall rules, the patented Solsoft Security Designer is at the center of collaboration.

It greatly improves and simplifies work processes for the staff in charge of network security in large enterprises and managed service providers.

Collaboration features allow for granularity and flexibility in the definition and distribution of roles. They consist of the following:

Scalable user management—Enables an unlimited number of users, or groups of users in different locations, to collaboratively define, deploy, and maintain common firewall, NAT, and VPN policies.

Very granular profiles—Beyond the simple "read-only" and "write-only", available roles include "consult," "define," "audit," "compile," "upload," "implement", or any combination of menu commands. Combinations of roles are infinite and provide great flexibility. 

Role-based administration—Allows granular distribution of roles and responsibilities among different users and groups of users.

POLICY VERSIONING

No matter how simple or complex the security policy, it is necessary for the operation teams to organize a process around its evolution in time. A version is operational and maintained; the next one is being prepared, enhancing current business processes. Solsoft Policy Server keeps track of all policy changes and allows administrators to store as many alternative policies as they wish, using a powerful versioning technique. Not only can you keep track of all history, but you can also define and manage future policies.

Different pre-defined security policies (based on threat levels or other factors) can be prepared for various company services such as database, email or other types of critical business flows susceptible to attack. This can help prepare pre-emptive responses and make them deployable in seconds, making sure the company network can be kept running no matter what the next worm or virus might be. It is also possible to prepare for critical systems confinement into safe network perimeters at certain times.

Users and managers alike can track the deployment status of any given policy at any time, and find out who has made changes historically, making it possible to control progress. It is also possible to implement security workflow, by combining role-based administration and versioning features. For instance, specific tasks such as uploading or designing can be assigned exclusively to certain team members.

DEPLOYMENT AUTOMATION

Once policies have been designed, the next step involves modifying network configurations. The task can become complex whenever the rule set is large and the size of the network increases. In what order should I update my devices? What happens if they are unreachable at upload time? Should I upload NAT, VPN or ACL rules as a priority on the different devices? Will the new security policy be completely safe and operational?

Solsoft Policy Server eases the pain of Network and Security administrators by automating the most repetitive deployment tasks. In cases where the policy modification is small, it is possible to select individual PEPs (Policy Enforcement Points), or only the modified PEPs. In all cases, the Solsoft Policy Server rollback feature makes it possible, after deployment, to retract the "new" policy and revert to a previous, "safe" configuration.

Configuration uploads can be monitored in real-time, and the server verifies upload parameter consistency. When needed, a Policy Learning Mode can be enabled to help validate policies and tune them before deployment.

Optimized distribution mechanisms exist to ensure policies are pushed in the right order, and keep the necessary flows open between the server and its administered devices. Multiple upload methods, and multiple types of encrypted communications, are available depending on device type. Secure upload is then guaranteed when needed, but a quick upload can also be done through lighter means. In large networks, automated methods exist to facilitate certain functions such as new pre-shared key distributions.

Open Network Security Management

Designing and maintaining efficient network security across the enterprise requires the use of many different tools. For managing devices or information security applications such as antivirus, vulnerability assessment, intrusion detection, or event correlation engines, most teams rely on a mix of techniques to keep tight security on the corporate network. The Solsoft solution is unique in providing an open architecture that can fit into any I.T. department operations center, be it in the network and/or security side. It also allows for easy support of new devices and technologies as the need arises.

Solsoft Product Feature evolution and support for multiple technologies

SUPPORT FOR MAJOR SECURITY TECHNOLOGY VENDORS

Established companies in the security space, such as Cisco, Check Point, NetScreen, and Nortel Networks, have built comprehensive router, firewall and VPN device product lines that have tremendous reach today, and secure more than 50% of corporate and government networks.

Solsoft has always spent resources to keep up with support of these devices, and we intend to continue doing so as we increase our market share in the management space.

We currently support the following lines of products out-of-the-box: 

• Cisco security and VPN product lines, including all IOS based technology, PIX and VPN3000 product lines. Newly developed technologies such as FWSM and VPNSM are also supported.

• NetScreen firewall and VPN appliances with ScreenOS

• Check Point FireWall-1 NG and 4.x generations

• Nortel Networks Contivity VPN appliances 

• Symantec Enterprise Firewall devices (formerly Axent Raptor Firewall)

• Linux based firewalls, including: NetFilter, IP Filter, and IP Chains

INSURANCE AGAINST TECHNOLOGY OBSOLESCENCE

Firewall and VPN technology evolves at a rapid pace; ASIC-based hardware, VPN-SSL, and multifunction devices are changing the market. Taking advantage of these technologies can be challenging, as training costs and interoperability with current equipment are always an issue.

Solsoft Policy Server provides its users with a seamless migration path; our Technology Packs, which already support most major security equipment, are complemented with a Device SDK. If a new technology needs to be supported, it can be integrated within the product in a matter of weeks.

The Solsoft Device SDK is the technology used internally to integrate new technologies. It consists of include files, documentation, sample source code and toolkit, and developer support.

Product training and certification are also part of the package when it is proposed to security device vendors, so that they can achieve fast interoperability with the Solsoft suite.

TRUE OPEN INTEROPERABILITY BETWEEN SECURITY SYSTEMS

Large enterprises require strong process capabilities and multiple solutions to secure their network infrastructure. Gathering business requirements, billing for services, monitoring the network, logging and correlating events, assessing vulnerabilities, installing security patches, all these tasks require teams of people who collaborate and systems that interoperate. Three major types of requirements are identified in this area:

• Feeding information about firewall configuration, established policies, and policy evolution in a standardized format (XML file or Log). This will help systems such as Vulnerability Assessment, Event Correlation and Patch Management quickly figure out the real state of security, and set priorities in recognizing and potentially fixing security holes.

• Allowing other management systems to make granular changes to security policies and run configuration checks on the network.

• Enhancing the network security management process. Network security management needs to be seamlessly integrated within the enterprise’s workflow, allowing business and technical decision-makers to collaborate on policies.

These requirements are addressed in Solsoft Policy Server with a unique API allowing for information exchange and configuration capabilities from within remote applications. This standard interface is based on Web Services technology. It provides programmatic access to policy changes and a number of associated features, such as:

• Policy version management, configuration generation, and deployment. For example, you can immediately deploy Green, Orange or Red security levels if you have designed them beforehand.

• Policy query and configuration checking. Policy and project browsing can provide a choice of projects, versions, and properties. Within a policy, you can then query object definitions and permission flows.

• Making individual policy changes to existing projects without altering the whole policy.

IMPORT AND MIGRATION

Product lines get discontinued, budgets shrink or grow, mergers and acquisitions occur…. In all these cases, enterprises are confronted with operational challenges, which will oblige them to import rules in order to add, change, and migrate security devices in the network infrastructure.

The Solsoft solution is designed from the ground up to implement these changes in a short timeframe, regardless of the environment or whether the changes involve new or used equipment. Solsoft Policy Server gives the ability to import firewall configurations from various vendors, allowing administrators to start deploying a policy-based management system or take into account new network partitions with improved control. Objects, IP addresses and security rules are quickly imported into the Solsoft repository, reducing the time needed to manually define all of the security rules and associated objects.

Once the import is completed, and all device rules are migrated to a policy level, administrators can migrate from one brand of device to another by simply changing the properties of the firewall object in Solsoft Security Designer. The configuration is automatically converted into the specific language of the target device.

Summary

The key challenges in network security management are the breadth of the problem, its underlying complex technology, and the difficulty of putting together sound processes to resolve it. Solsoft Policy Server is the industry's leading solution for multi-vendor policy-based security management. It is the first management solution to support NAT, VPN and firewalls in the same package with enough feature depth to allow short implementation timeframes and flexibility to respond to your process needs.

Using Solsoft Policy Server, you can improve your security without changing your current technology choices, with minimal migration effort. The return on investment is significant, both in terms of network and security operation resources, and infrastructure cost savings. In short, a powerful and sophisticated security policy management solution like Solsoft Policy Server is a strong asset in giving you the upper hand in securing your business.


Visit the Author's Web Site: http://www.solsoft.com


The Business Forum

Beverly Hills, California United States of America



© Copyright The Business Forum Institute 1982 - 2009  All rights reserved.