Enterprises use firewalls extensively to protect their networks from malicious attacks. Firewalls have become a ubiquitous component across different network segments, both to fend off insider and outsider threats and to enforce a secure network access policy. For example, in a typical enterprise environment there can be multiple virtual local area networks (VLANs) providing network segregation with defined access levels within these segments, as well as remote access over the public Internet for virtual private network (VPN) and mobile users. Thus, security administrators need to configure numerous firewall rules to satisfy various security policy requirements.
Firewall rule management becomes even more challenging as the computers, and even the networks, within enterprises become virtualized. With such virtualization, changes to the enterprise network usually occur more frequently, due to, for example, the migration of virtual machines (VMs) and the ease of network reconfiguration. Thus, in these enterprise networks, security administrators must frequently map higher-level network security policies to low-level firewall rules. This is a time-consuming, error-prone manual process in which rules must periodically be added or updated to provide secure access to network resources. Policy enforcement is a continuous process that requires refining rules to meet changing network configurations without breaking existing policies. To ease this configuration complexity, newer policy systems have evolved that replace existing network topology (IP address) based firewall rules with entity (e.g., users, groups and VMs) based firewall rules. However, even with these advances, there is still a need to further improve firewall rule management.
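The following is an added illustration, not code from the original text, of the difference between IP-address-based and entity-based rules under VM migration. The inventory, group names, IP addresses and the single policy rule are constructed for the example; the compiler expands entity rules into the (source IP, destination IP, port, action) tuples a conventional packet filter matches on, so that the same high-level policy can be recompiled after a VM moves instead of having its low-level rules edited by hand.

```python
"""Added example: entity-based vs. IP-based firewall rules under VM migration.

Constructed illustration, not code from the original page. Entities, VM names,
IP addresses and the policy below are made up for demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class EntityRule:
    """A high-level policy rule expressed over named entities (groups or VMs)."""
    src: str      # entity name, e.g. "web-tier"
    dst: str      # entity name, e.g. "db-tier"
    port: int
    action: str   # "allow" or "deny"


@dataclass
class Inventory:
    """Constructed inventory: which VM currently holds which IP, and group membership."""
    vm_ip: Dict[str, str]
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def resolve(self, entity: str) -> Set[str]:
        """Expand an entity (a group or a single VM) to its current IP addresses."""
        if entity in self.groups:
            return {self.vm_ip[vm] for vm in self.groups[entity]}
        return {self.vm_ip[entity]}


def compile_rules(policy: List[EntityRule], inv: Inventory) -> List[Tuple[str, str, int, str]]:
    """Translate entity-based rules into (src_ip, dst_ip, port, action) tuples, the
    form a topology-based packet filter understands. Sorted so diffs are deterministic."""
    out = []
    for r in policy:
        for s in inv.resolve(r.src):
            for d in inv.resolve(r.dst):
                out.append((s, d, r.port, r.action))
    return sorted(out)


def first_match(rules, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, as most firewalls do."""
    for s, d, p, action in rules:
        if s == src_ip and d == dst_ip and p == port:
            return action
    return "deny"


def migration_demo() -> dict:
    """Show that IP-based rules go stale when a VM migrates, while the entity-based
    policy is unchanged and only needs to be recompiled."""
    inv = Inventory(
        vm_ip={"web1": "10.0.1.10", "web2": "10.0.1.11", "db1": "10.0.2.20"},
        groups={"web-tier": {"web1", "web2"}, "db-tier": {"db1"}},
    )
    policy = [EntityRule("web-tier", "db-tier", 5432, "allow")]

    before = compile_rules(policy, inv)   # the IP rules an administrator would have typed
    inv.vm_ip["web2"] = "10.0.3.11"       # web2 migrates to another segment, new address
    after = compile_rules(policy, inv)    # same policy, recompiled against the new inventory

    return {
        # the old IP rules no longer match the migrated VM: default deny
        "stale_ip_rules_verdict": first_match(before, "10.0.3.11", "10.0.2.20", 5432),
        # the recompiled entity rules still express the intended access
        "entity_rules_verdict": first_match(after, "10.0.3.11", "10.0.2.20", 5432),
        # exactly which low-level rules had to change (what a manual update would touch)
        "rules_that_changed": sorted(set(before) ^ set(after)),
    }


if __name__ == "__main__":
    for k, v in migration_demo().items():
        print(k, "->", v)
```

The symmetric difference returned in `rules_that_changed` is the set of low-level rules an administrator would have had to remove and add by hand under an IP-based scheme; auditing that set on every recompile is also a cheap way to detect unintended policy changes introduced by an inventory update.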