Over 2000 data center firewall rules deployed with no downtime

Firewalls are notorious for having a suboptimal policy configuration – from stale, years old rules that are no longer needed, to rules that allow wide access and represent a critical threat to the business. OCP Group wanted to eliminate these risks and asked NIL to help them improve the network access security of their data center.

The OCP Group was established in 1920 in Morocco and is currently one of the leading exporters of phosphate rock, phosphoric acid, and phosphate fertilizers in the world. The Group has subsidiaries and sites across countries in Africa, the Americas, Europe, and Asia, and generates a yearly revenue of over €4 billion.

A large corporation like OCP Group relies heavily on information technology. Over the years, this resulted in a large and complex IT environment with numerous applications, services, and user groups in place. To prevent their business from cyber threats, OCP Group has advanced cybersecurity technologies and mechanisms in place across all of their data centers and services, including network access control.  

However, as their business evolved and new applications were deployed, this inevitably resulted in the introduction of additional network security controls and policies in their data centers; often after the applications already went into production.

Data center firewall policy optimization on a live network

These developments made it very difficult and costly for OCP to efficiently manage the firewall ruleset based on inputs from administrators and end-users. They had multiple sets of new firewalls separating users from data center workloads, but what they wanted is a simple policy creation for limiting communications only to supported applications. As this was not possible in the existing setup, they decided to update the data center firewall configurations. After assessing their existing environment, they defined the following goals and expectations of the update:

  • The ruleset has to only allow officially supported enterprise application sessions from network users to data center workloads
  • The ruleset has to be implemented on the existing firewall technology
  • The ruleset has to be designed for and deployed on multiple firewall tiers

OCP Group approached NIL to assist them with the solution design and implementation. NIL developed a customized analysis system for receiving network metadata and automated firewall rule-base generation. To further optimize the policy rule-base, we upgraded the analysis system with heuristic rules that allowed a sizeable reduction of the policy size. To ensure optimal performance, NIL’s security consultants also verified the final policy.

We have completely redefined the firewall policies and eventually deployed over 2,000 new rules – all in production, in a live environment. We intensively tested the configurations prior to deployment, so the implementation went through without any interruptions in our work process. We are very satisfied with this approach as well as with the overall outcome of the solution. The firewall management is now significantly simplified, and the access rules are clearly defined, which eventually means better security.
Abdeslam El Gonnouni, Networks and Telecommunications Manager, OCP Group

Overall, on the way to the final solution, NIL carried out the following services:

  • Environment analysis and kick-off workshops leading to an understanding of the technical context, business requirements, and risk appetite.
  • Traffic analysis and policy generation system development.
  • Preparation of blueprints for the policy generation system and its verification
  • Risk assessment services for optimizing the firewall policy.
  • Deployment and monitoring of firewall policy on production firewalls.

The main benefit of the solution for OCP Group is significantly stronger resistance against attacks on data center network. In addition, any further update of the firewall rule-based is also faster and more error-resistant due to simplified management.

Technology Scope

This consulting engagement covered the following network security technology aspects:

  • Security monitoring and analysis technology (SIEM).
  • Custom parsing and analysis tools for firewall ruleset generation.
  • Firewalls of multiple vendors.